Make merkle signer SNARK friendly

[id-ms]

Summary

In this PR we change how the Merkle key store is being hashed.

• The index of the merkle leaf is now part of the signature
• we no longer hash a msgpack representation of the MSS's structs (use of an arbitrary hash input is bad for the SNARK verifier).
• integrate an updated falcon lib which uses two formats of signature
• when committing on falcon signature we commit on the CT format

Test Plan

[codecov-commenter]

Codecov Report

Merging #3263 (70f0dd2) into feature/dilithium-scheme-integration (ca330c6) will decrease coverage by 0.00%.
The diff coverage is 62.27%.

@@                           Coverage Diff                            @@
##           feature/dilithium-scheme-integration    #3263      +/-   ##
========================================================================
- Coverage                                 47.84%   47.83%   -0.01%     
========================================================================
  Files                                       381      382       +1     
  Lines                                     61651    61643       -8     
========================================================================
- Hits                                      29496    29489       -7     
+ Misses                                    28734    28732       -2     
- Partials                                   3421     3422       +1     

Impacted Files	Coverage Δ
crypto/invalidsigner.go	55.55% <0.00%> (-15.88%)	⬇️
crypto/merklearray/merkle.go	87.61% <ø> (ø)
crypto/msgp_gen.go	36.22% <ø> (ø)
crypto/sig_abstractions.go	80.95% <ø> (ø)
data/basics/ccertpart.go	0.00% <0.00%> (ø)
ledger/ledgercore/votersForRound.go	0.00% <0.00%> (ø)
crypto/merklekeystore/keystore.go	59.52% <36.00%> (-15.16%)	⬇️
crypto/compactcert/builder.go	65.51% <50.00%> (+0.68%)	⬆️
crypto/merklekeystore/msgp_gen.go	51.96% <56.52%> (+0.47%)	⬆️
crypto/compactcert/verifier.go	65.00% <60.00%> (-4.24%)	⬇️
... and 18 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ca330c6...70f0dd2. Read the comment docs.

[algonautshant]

TestMessage and it's functions do not need to be exported. Use small case for the first letter.

[id-ms]

I've made TestMessage private as you've recommended.
However, ToBeHash is an interface implmenation function so it can't be chagned.

[algonautshant]

The intend here is to get a fixed sized byte array. However, this function makes no compiler enforced commitment to a fixed size array.
It very difficult to know if GetSerializedSignature will indeed return a fixed size array every time.

[algonautshant]

The problem with implementing this function as an interface is that the caller of GetSerializedSignature will not know what size array it will be receiving.

In some cases, it is important to receive a fixed size array every time. This interface will not permit the compiler to to that enforcement, and in the future someone might change a function implementation which breaks that requirement.

[algonautshant]

Why this change for all uses of ToBeHashed?
Shouldn't this less efficient implementation be restricted only when the target is an SNARK commitment?
If this function is only used in the SNARK context, maybe the name should indicate that this is different, and may not be as efficient to transport as the msgp serialization.

[cpeikert]

Agree; see also my comment above about the naming of GetSerializedSignature. The purpose of that function is much narrower than general serialization.

[algonautshant]

Looks great!
I have some comments, mainly clarifications/comment requests.
Also, I added some comments in #2990 which could be addressed here, since the changes here may be impacted by those.

[algonautshant]

Can you please update the comment above (line 30)?
Will be nice to improve the comment by adding some more explanation on Proof, VerifyingKey and MerkleArrayIndex.

[id-ms]

agree. let me know if it looks better now.

[algonautshant]

In this location, GetVerifier can it return Ed25519Type or it always need to be FalconPublicKey?

[id-ms]

the GetVerifier could use ed25519 crypto type. this module is built to support it.

[algonautshant]

Why the Falcon verification is not made only for the root of the merkle tree?

[id-ms]

The falcon verification is needed to verify that a given signature is valid under this ephemeral pk.

[cpeikert]

The name and documentation do not really match what this function does. It simply converts a byte array from a COMPRESSED-format signature to a CT-format signature; this is orthogonal to serialization. So I would suggest a name like ConvertCompressedToCT. Also, a FalconVerifier is not needed here, and it would be best not to require one.

[cpeikert]

As far as I can tell so far, the logic of this function (which is the most important part) looks sound and SNARKable, assuming that merklearray.Verify is. But I cannot find that function in this PR. Is it somewhere else?

[id-ms]

we will have a different PR for that.

[cpeikert]

The name and documentation ("serialized") are not really descriptive of the intended purpose here. It’s more that this is a "hashable (fixed-length) representation" for the SNARK.

[cpeikert]

Agree; see also my comment above about the naming of GetSerializedSignature. The purpose of that function is much narrower than general serialization.