Problem: no way for mls member to prove invalid ciphertext (fixes #1797)

[tomtau]

Solution: sketched out core of "NACK" mechanism
which involves revealing shared secrets from invalid
message parts and including DLEQ proofs.

-- currently, needs:

1. latest master of p256 which contains scalar arithmetic (not yet released)
2. for the high-level API, it needs to directly decrypt HPKE ciphertext
   from a shared secret -- this may not ever be released

also needs "verify_node_private_key" from #2018

[tomtau]

this is based on the previous PR #1805 that was opened for some time as a draft for review which @samngmco had a quick look at

[leejw51crypto]

what's arr?

[tomtau]

array

[tomtau]

also, had to change some types / panicing-behavior in tree / commit processing, otherwise it won't be possible to test this.
there's this issue for that #1784

[leejw51crypto]

lgtm

[codecov]

Codecov Report

Merging #2029 into master will increase coverage by 0.27%.
The diff coverage is 88.85%.

@@            Coverage Diff             @@
##           master    #2029      +/-   ##
==========================================
+ Coverage   65.01%   65.28%   +0.27%     
==========================================
  Files         211      213       +2     
  Lines       26728    27040     +312     
==========================================
+ Hits        17376    17653     +277     
- Misses       9352     9387      +35     

Impacted Files	Coverage Δ
chain-tx-enclave-next/mls/src/extras/mod.rs	76.61% <76.61%> (ø)
chain-tx-enclave-next/mls/src/message.rs	67.91% <80.00%> (+0.17%)	⬆️
chain-tx-enclave-next/mls/src/extras/dleq.rs	97.12% <97.12%> (ø)
chain-tx-enclave-next/mls/src/group.rs	84.22% <100.00%> (+0.12%)	⬆️
chain-tx-enclave-next/mls/src/key.rs	72.28% <100.00%> (+1.03%)	⬆️
chain-tx-enclave-next/mls/src/tree.rs	79.25% <100.00%> (ø)

[tomtau]

bors r+

[bors]

Build succeeded:

• continuous-integration/travis-ci/push
• drone-hw/push