Cleanup pyUmbral codebase and resolve various issues

[tuxxy]

What this does:

1. Moves some OpenSSL functions out of BigNum (now CurveBN) and Point to the openssl module and resolves the third TODO in Clean-up the codebase #119.
2. These operations include:
   1. BN init/creation
   2. Getting curve domain parameters (group, order, generator)
   3. Checking if a BN is on a provided curve
   4. Converting a Python int to a BN and checking if the new BN is on a curve
   5. EC_POINT init/creation
   6. EC_POINT creation via affine coordinates
   7. Getting affine coordinates via an EC_POINT.
3. Renames BigNum to CurveBN and resolves the first TODO in Clean-up the codebase #119.
4. Resolves Cache UmbralPublicKey in UmbralPrivateKey.get_pubkey()? #121 by caching the public key on UmbralPrivateKey.
5. Resolves Calculate expected lengths of Capsule and fragment classes #56 by adding get_size classmethods to CurveBN, Point, KFrag, CapsuleFrag, and ChallengeResponse.
6. Resolves BigNum.__hash__ - is this what we want? #116 by changing Capsule._attached_cfrags to a list.

[cygnusv]

Good work, tuxxy :) Just some minor comments, apart from the remaining issue of CurveBN vs BigNum (which we decided to leave it as that for the moment)

[cygnusv]

random_ec_curvebn1 reads strange. The c in ec is already "curve", so perhaps you should drop ec from the name. Apart from that – and I don't want to add fuel to the fire – I have to say I don't see immediately that curvebn1 is a BigNum, since the bn bit doesn't stand out. Perhaps random_curve_bn1?

[tuxxy]

⛽️ 🔥

[tuxxy]

Yeah, I noticed this when I was refactoring it. I can change it now, or when I pull CurveBN out later. Is there a preference?

[tuxxy]

This also refactors the pytest fixtures, if we change it too.

[cygnusv]

There's definitely an issue when CurveBN is all in lowercase...

[tuxxy]

Yeah, this is true.

[cygnusv]

Perhaps we should add here that some operations only work modulo a prime

[tuxxy]

Something like, "Some of these operations only work with a prime modulus, ie: a prime order curve."?

[cygnusv]

Something like that, yes

[cygnusv]

What's a Bignum here? you mean an OpenSSL BIGNUM or just a generic Big Number?

[tuxxy]

Yeah, an OpenSSL BIGNUM.

[cygnusv]

Just great!

[cygnusv]

We should mention that the CapsuleFrag contains a CorrectnessProof object of variable size, which is not considered in this method

[tuxxy]

👍

[cygnusv]

is_zero should be greater_than_zero, right?

[tuxxy]

I think below this line I check that is_zero == 1, right?

[cygnusv]

What I mean is that the name is_zero doesn't make sense. You are not testing if check_bn == 0, but getting a comparison that returns -1, 0 or 1.

[tuxxy]

🤔 I haven't thought about it like that. Given the comment above it, it should be enough to determine, but I think I might prefer bn_is_zero over greater_than_zero. Thoughts?

[cygnusv]

Ah OK, I see what you mean here. You intention is to validate that check_bn is different than 0, but you end up comparing if check_bn > 0. Both are equivalent for BIGNUMs. In any case, the name is_zero doesn't seem very appropriate, because you end up testing if check_bn is greater than 0.

[tuxxy]

Specifically, I am computing whether this statement is true:
0 < check_bn < ec_order

How do you mean that check_bn > 0 and is_zero are both equivalent?

[cygnusv]

Shouldn't the size be +1 for compressed points, in order to account for the 0x02 (or 0x03) byte at the beginning? Apart from that, there is no guarantee that the underlying field order has the same size than keys, although I can't think of a counterexample.

Maybe the comment should say that this is the size of a curve field element (e.g., a coordinate of the point), which is the size of a compressed point without the 0x02 byte

[tuxxy]

Oh, yep. You're absolutely right, good catch.

[cygnusv]

I think it's more common to see this expressed as (curve.key_size + 7) // 8

See e.g., https://github.com/pyca/cryptography/blob/master/src/cryptography/utils.py#L66

[cygnusv]

It also seems to be much faster:

>>> timeit.repeat('for i in range(1024): (i+7)//8', number=10000, repeat=3)
[2.6502825429779477, 2.350924202008173, 2.525679681042675]
>>> timeit.repeat('for i in range(1024): int(math.ceil(i/8.00))', number=10000, setup='import math')
[6.333626834035385, 6.332635344995651, 6.0212114860187285]

[tuxxy]

Very nice, thanks!

[michwill]

Read through, looks great! Of course, keeping in mind what we discussed today

[cygnusv]

I just noticed that this allows the BN to be 0, which we don't want (we want it to be in the interval [1, q-1], for q the order of the curve). A better way would be to call BN_rand_range(new_rand_bn, q_minus_1) and then add 1 to the result. This ensures the resulting BN is in [1, q-1]

[tuxxy]

BN_rand_range generates numbers where 0 <= RAND < Order.

So, it's still possible that a number can be generated as 0, but not as the actual order.