[seraphis] seraphis_crypto: add seraphis transcript utility

[UkoeHB]

Summary

This is a PR in my 'upstreaming seraphis_lib project', it is not used anywhere yet.

• Adds src/seraphis_crypto directory. Includes a dummy cpp file so cmake won't complain (will remove it once I have a cpp file to add).
• Adds sp_transcript.h to seraphis_crypto.

Explanation

In the current codebase, transcripting of crypto protocols is done manually which is verbose and inflexible. I wrote a transcripting utility that is quite ergonomic and has served me well in the seraphis library.

There are two modes

• SpFSTranscript: Fiat-Shamir transcript, includes labels, type flags, and type lengths. Suited for variable-length transcripts. Should be used for Fiat-Shamir challenges.
• SpKDFTranscript: KDF transcript, does not include labels, type flags, or type lengths. Suited for short fixed-length transcripts (e.g. key derivations). In my seraphis library all uses of KDF transcripts are less than 128 bytes (or 256 bytes at least, can't remember).

Example use:

// my_proof.h
struct MyProof
{
    rct::key A;
};
inline const boost::string_ref container_name(const MyProof&) { return "MyProof"; }
void append_to_transcript(const MyProof &container, SpTranscriptBuilder &transcript_inout);

// my_proof.cpp
void append_to_transcript(const MyProof &container, SpTranscriptBuilder &transcript_inout)
{
    transcript_inout.append("A", container.A);
}

// build a transcript and consume it
rct::key make_challenge(const proof &P)
{
    // hash data
    SpFSTranscript transcript{config::HASH_KEY_MY_CHALLENGE, sizeof(rct::key)};
    transcript.append("proof", proof);

    // challenge
    rct::key challenge;
    sp_hash_to_scalar(transcript.data(), transcript.size(), challenge.bytes);

    return challenge;
}

[vtnerd]

Looks good, but there is one thing that definitely needs to be changed (the signed integer code).

[vtnerd]

static_assert(std::numeric_limits<std::size_t>::max() <= std::numeric_limits<std::uint64_t>::max()`, "")

is probably the most accurate. Although, I'm not sure of any scenarios where your check fails.

[UkoeHB]

I expect a LOT of old C/C++ code would break if these checks ever became invalid.

[vtnerd]

This can overflow if std::numeric_limits<T>::min() and the platform is using 2s complement (the most common). I think this works on all platforms though:

using unsigned_type = std::make_unsigned<T>::type;
static_assert(sizeof(unsigned_type) <= sizeof(std::uint64_t), "");
this->append_uint(static_cast<unsigned_type>(signed_integer));

This stack overflow might be helpful.

[UkoeHB]

Ah nice catch. Technically my approach is sound because it will only wrap to zero, which is treated as a positive integer normally so there is no malleability. However better to be absolutely correct here.

[vtnerd]

Oh I didn't think of that. You'd have a positive and negative zero.

[vtnerd]

Oops, I thought this wasn't submitted.

[selsta]

@vtnerd could you re-review and potentially approve?

[vtnerd]

I can't find this header, is this new? The checks still pass, so I must be missing something.

[UkoeHB]

Oh yeah x25519 is not PRd yet, I will remove that code from here and re-add it with the x25519 PR.