Previously we'd attempt to create a combination of zero endorsements
for the everybody-but-me credential, and panic (throw an error). Now
we correctly create an endorsement that represents zero people, which
is better than returning some dummy value because it behaves
reasonably if endorsements from multiple groups are combined wholesale
(not something we plan to do, but something that shouldn't have weird
edge cases if we end up needing to).
This saves work for callers that need both, which includes
GroupSendEndorsement: after receiving and validating the endorsements,
they need to get serialized and sent back up to the app layer to put
in its database (compressed), but we also generate an extra
"everyone-but-me" endorsement from the results (decompressed).
This saves quite a bit of time in the app-layer benchmarks, since they
include the cost of serialization.
Add a new version of the existing auth credential used for groups, but
implemented with the zkcredential crate instead of hand-written proofs. Expose
issuance point for the server, and extend existing client methods to support it
and the existing formats transparently.
This involves a family of new types that will be used for issuing and
verifying these endorsements.
This is a breaking change for zkgroup: it adds a new key to
ServerSecretParams and ServerPublicParams.
This credential is issued by the group server and presented to the
chat server to prove that the holder is a member of *some* group with
a known list of people. This can be used to replace the access key
requirement for multi-recipient sealed sender sends.
Instead, require clients to provide storage to cache this value if
they want to use the default implementation. This noticeably speeds up
KeyPair::inverse_of, and provides a benefit to generating and
verifying presentation proofs as well.
This omits the public key of an encrypted attribute from a
presentation proof, meaning the verifying server will see that the
attribute has been "correctly" encrypted, but cannot verify which key
was used to perform that encryption.
Previously, zkcredential declared traits 'KeyPair' and 'PublicKey',
which could be implemented to provide custom encryption keys for the
homomorphic encryption used in credentials. However, those keys still
had to be consistent with the proofs generated by zkcredential, and
they ended up looking the same for every attribute type...except in
their decryption.
Now, clients like zkgroup implement a 'Domain' trait to provide the
generator points and type safety for a key, and can reuse
zkcredential's KeyPair, PublicKey, and Ciphertext types. The 'decrypt'
operation still has to be provided on a per-type basis, unfortunately.
The code size and performance impact is below the noise threshold.
This commit CHANGES THE SERDE REPRESENTATION for zkgroup KeyPairs,
including those embedded in types like GroupSecretParams.
Serializations using bincode, including Signal's, will not see any
change, but serializing using another serde implementation will result
in different structure in the KeyPair type.
Replace the String values with Cow<'static, str> which lets us hold references
to static strings without copying them onto the heap. Since most added values
are static, this should save on heap usage and runtime cost.
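As an added illustration of the `Cow<'static, str>` pattern this message describes (example code written here, not code from the commit or from the libsignal repository), the `Label` struct below is a hypothetical stand-in for the String-holding type. Its constructor takes `impl Into<Cow<'static, str>>`, so a `&'static str` is stored as `Cow::Borrowed` with no heap copy while a runtime `String` is stored as `Cow::Owned`; the sample batch and its label names are constructed for the example.

```rust
use std::borrow::Cow;

/// A key/value pair such as a metric label or a log field. Hypothetical type,
/// standing in for the String-holding struct the commit message refers to.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Label {
    pub name: Cow<'static, str>,
    pub value: Cow<'static, str>,
}

impl Label {
    /// Accepts both `&'static str` (stored borrowed, no allocation) and
    /// `String` (already owned on the heap) without copying either.
    pub fn new(name: impl Into<Cow<'static, str>>, value: impl Into<Cow<'static, str>>) -> Self {
        Label { name: name.into(), value: value.into() }
    }

    /// True when neither field needed a heap allocation of its own.
    pub fn is_fully_borrowed(&self) -> bool {
        matches!(self.name, Cow::Borrowed(_)) && matches!(self.value, Cow::Borrowed(_))
    }
}

/// Counts how many labels in a batch avoided heap allocation entirely.
pub fn count_borrowed(labels: &[Label]) -> usize {
    labels.iter().filter(|l| l.is_fully_borrowed()).count()
}

/// Builds a constructed sample batch: two static labels plus one whose value
/// is computed at runtime and therefore must be owned.
pub fn sample_labels(request_id: u64) -> Vec<Label> {
    vec![
        Label::new("operation", "issue_credential"),
        Label::new("outcome", "ok"),
        Label::new("request_id", request_id.to_string()),
    ]
}

fn main() {
    let labels = sample_labels(42);
    for l in &labels {
        println!("{}={} borrowed={}", l.name, l.value, l.is_fully_borrowed());
    }
    println!("{} of {} labels allocated nothing", count_borrowed(&labels), labels.len());
}
```

Because `Cow<'static, str>` dereferences to `str`, callers that only read the value (formatting, comparison, serialization) need no changes; only the construction sites decide whether an allocation happens.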