fix!: improve zeroizing support (#209)

This adds `Zeroize` and `ZeroizeOnDrop` to `ExtendedMask` and
`ExtendedWitness` for improved memory handling functionality. It
restricts the visibility of an internal commitment constructor and adds
zeroizing to temporary secret values. It updates secret key
deserialization to add zeroizing to a temporary byte array. Finally, it
removes a secret key constructor.

Supersedes #204.

BREAKING CHANGE: Changes the commitment and secret key APIs.

src/extended_range_proof.rs

@@ -5,6 +5,8 @@
 
 use std::{string::ToString, vec::Vec};
 
+use zeroize::{Zeroize, ZeroizeOnDrop};
+
 use crate::{
     commitment::{ExtensionDegree, HomomorphicCommitment},
     errors::RangeProofError,
@@ -99,7 +101,7 @@ pub trait ExtendedRangeProofService {
 
 /// Extended blinding factor vector used as part of the witness to construct an extended proof, or rewind data
 /// extracted from a range proof containing the mask (e.g. blinding factor vector).
-#[derive(Debug, Clone, PartialEq, Eq)]
+#[derive(Debug, Clone, PartialEq, Eq, Zeroize, ZeroizeOnDrop)]
 pub struct ExtendedMask<K>
 where K: SecretKey
 {
@@ -200,7 +202,7 @@ where PK: PublicKey
 
 /// The extended witness contains the extended mask (blinding factor vector), value and a minimum value
 /// promise; this will be used to construct the extended range proof
-#[derive(Clone)]
+#[derive(Clone, Zeroize, ZeroizeOnDrop)]
 pub struct ExtendedWitness<K>
 where K: SecretKey
 {

src/ristretto/pedersen/extended_commitment_factory.rs

@@ -11,6 +11,7 @@ use curve25519_dalek::{
     scalar::Scalar,
     traits::{Identity, MultiscalarMul},
 };
+use zeroize::Zeroizing;
 
 #[cfg(feature = "precomputed_tables")]
 use crate::ristretto::pedersen::scalar_mul_with_pre_computation_tables;
@@ -84,14 +85,8 @@ impl ExtendedPedersenCommitmentFactory {
     }
 
     /// Creates a Pedersen commitment using the value scalar and a blinding factor vector
-    pub fn commit_scalars(
-        &self,
-        value: &Scalar,
-        blinding_factors: &[Scalar],
-    ) -> Result<RistrettoPoint, CommitmentError>
-    where
-        for<'a> &'a Scalar: Borrow<Scalar>,
-    {
+    fn commit_scalars(&self, value: &Scalar, blinding_factors: &[Scalar]) -> Result<RistrettoPoint, CommitmentError>
+    where for<'a> &'a Scalar: Borrow<Scalar> {
         if blinding_factors.is_empty() || blinding_factors.len() > self.extension_degree as usize {
             Err(CommitmentError::CommitmentExtensionDegree {
                 reason: "blinding vector".to_string(),
@@ -166,7 +161,7 @@ impl ExtendedHomomorphicCommitmentFactory for ExtendedPedersenCommitmentFactory
         k_vec: &[RistrettoSecretKey],
         v: &RistrettoSecretKey,
     ) -> Result<PedersenCommitment, CommitmentError> {
-        let blinding_factors: Vec<Scalar> = k_vec.iter().map(|k| k.0).collect();
+        let blinding_factors: Zeroizing<Vec<Scalar>> = Zeroizing::new(k_vec.iter().map(|k| k.0).collect());
         let c = self.commit_scalars(&v.0, &blinding_factors)?;
         Ok(HomomorphicCommitment(RistrettoPublicKey::new_from_pk(c)))
     }

src/ristretto/ristretto_keys.rs

@@ -65,7 +65,7 @@ impl borsh::BorshSerialize for RistrettoSecretKey {
 impl borsh::BorshDeserialize for RistrettoSecretKey {
     fn deserialize_reader<R>(reader: &mut R) -> Result<Self, borsh::maybestd::io::Error>
     where R: borsh::maybestd::io::Read {
-        let bytes: Vec<u8> = borsh::BorshDeserialize::deserialize_reader(reader)?;
+        let bytes: Zeroizing<Vec<u8>> = Zeroizing::new(borsh::BorshDeserialize::deserialize_reader(reader)?);
         Self::from_canonical_bytes(bytes.as_slice())
             .map_err(|e| borsh::maybestd::io::Error::new(borsh::maybestd::io::ErrorKind::InvalidInput, e.to_string()))
     }
@@ -234,12 +234,6 @@ impl From<u64> for RistrettoSecretKey {
     }
 }
 
-impl From<Scalar> for RistrettoSecretKey {
-    fn from(s: Scalar) -> Self {
-        RistrettoSecretKey(s)
-    }
-}
-
 //---------------------------------------------      Borrow impl     -------------------------------------------------//
 
 impl<'a> Borrow<Scalar> for &'a RistrettoSecretKey {