2022-09-05 13:34:28 -07:00
|
|
|
//! Ciphersuite-generic test functions.
|
2022-05-16 13:53:17 -07:00
|
|
|
use std::{collections::HashMap, convert::TryFrom};
|
|
|
|
|
2022-10-25 12:47:50 -07:00
|
|
|
use crate::frost;
|
2022-09-05 13:34:28 -07:00
|
|
|
use rand_core::{CryptoRng, RngCore};
|
2022-05-16 13:53:17 -07:00
|
|
|
|
2022-09-05 13:34:28 -07:00
|
|
|
use crate::Ciphersuite;
|
2022-05-16 13:53:17 -07:00
|
|
|
|
2022-09-30 13:11:57 -07:00
|
|
|
pub mod batch;
|
2022-09-05 13:34:28 -07:00
|
|
|
pub mod proptests;
|
|
|
|
pub mod vectors;
|
2022-05-16 13:53:17 -07:00
|
|
|
|
2022-09-05 13:34:28 -07:00
|
|
|
/// Test share generation with a Ciphersuite
|
2022-09-05 13:54:58 -07:00
|
|
|
pub fn check_share_generation<C: Ciphersuite, R: RngCore + CryptoRng>(mut rng: R) {
|
2022-09-15 09:15:53 -07:00
|
|
|
let secret = frost::keys::SharedSecret::<C>::random(&mut rng);
|
2022-05-16 13:53:17 -07:00
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
let max_signers = 5;
|
|
|
|
let min_signers = 3;
|
2022-10-03 11:41:02 -07:00
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
let coefficients =
|
|
|
|
frost::keys::generate_coefficients::<C, _>(min_signers as usize - 1, &mut rng);
|
2022-10-03 11:41:02 -07:00
|
|
|
|
|
|
|
let secret_shares =
|
2022-10-26 21:35:16 -07:00
|
|
|
frost::keys::generate_secret_shares(&secret, max_signers, min_signers, coefficients)
|
|
|
|
.unwrap();
|
2022-09-05 13:34:28 -07:00
|
|
|
|
|
|
|
for secret_share in secret_shares.iter() {
|
2022-07-29 12:57:26 -07:00
|
|
|
assert!(secret_share.verify().is_ok());
|
2022-09-05 13:34:28 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
frost::keys::reconstruct_secret::<C>(secret_shares).unwrap(),
|
|
|
|
secret
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Test FROST signing with trusted dealer with a Ciphersuite.
|
2022-09-05 13:54:58 -07:00
|
|
|
pub fn check_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(mut rng: R) {
|
2022-05-16 13:53:17 -07:00
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Key generation
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
let max_signers = 5;
|
|
|
|
let min_signers = 3;
|
2022-05-16 13:53:17 -07:00
|
|
|
let (shares, pubkeys) =
|
2022-10-26 21:35:16 -07:00
|
|
|
frost::keys::keygen_with_dealer(max_signers, min_signers, &mut rng).unwrap();
|
2022-05-16 13:53:17 -07:00
|
|
|
|
|
|
|
// Verifies the secret shares from the dealer
|
2022-09-05 13:34:28 -07:00
|
|
|
let key_packages: HashMap<frost::Identifier<C>, frost::keys::KeyPackage<C>> = shares
|
2022-05-16 13:53:17 -07:00
|
|
|
.into_iter()
|
2022-09-01 13:07:50 -07:00
|
|
|
.map(|share| {
|
|
|
|
(
|
|
|
|
share.identifier,
|
|
|
|
frost::keys::KeyPackage::try_from(share).unwrap(),
|
|
|
|
)
|
|
|
|
})
|
2022-05-16 13:53:17 -07:00
|
|
|
.collect();
|
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
check_sign(min_signers, key_packages, rng, pubkeys);
|
2022-10-18 15:11:05 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
fn check_sign<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
|
2022-10-26 21:35:16 -07:00
|
|
|
min_signers: u16,
|
2022-10-25 12:47:50 -07:00
|
|
|
key_packages: HashMap<frost::Identifier<C>, frost::keys::KeyPackage<C>>,
|
2022-10-18 15:11:05 -07:00
|
|
|
mut rng: R,
|
|
|
|
pubkeys: frost::keys::PublicKeyPackage<C>,
|
|
|
|
) {
|
2022-10-25 12:47:50 -07:00
|
|
|
let mut nonces: HashMap<frost::Identifier<C>, frost::round1::SigningNonces<C>> = HashMap::new();
|
|
|
|
let mut commitments: HashMap<frost::Identifier<C>, frost::round1::SigningCommitments<C>> =
|
2022-09-01 13:07:50 -07:00
|
|
|
HashMap::new();
|
2022-05-16 13:53:17 -07:00
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Round 1: generating nonces and signing commitments for each participant
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
for participant_index in 1..(min_signers as u16 + 1) {
|
2022-09-01 13:07:50 -07:00
|
|
|
let participant_identifier = participant_index.try_into().expect("should be nonzero");
|
2022-05-16 13:53:17 -07:00
|
|
|
// Generate one (1) nonce and one SigningCommitments instance for each
|
2022-10-26 21:35:16 -07:00
|
|
|
// participant, up to _min_signers_.
|
2022-07-19 13:17:20 -07:00
|
|
|
let (nonce, commitment) = frost::round1::commit(
|
2022-09-01 13:07:50 -07:00
|
|
|
participant_identifier,
|
2022-07-19 13:17:20 -07:00
|
|
|
key_packages
|
2022-09-01 13:07:50 -07:00
|
|
|
.get(&participant_identifier)
|
2022-07-19 13:17:20 -07:00
|
|
|
.unwrap()
|
|
|
|
.secret_share(),
|
|
|
|
&mut rng,
|
|
|
|
);
|
2022-09-01 13:07:50 -07:00
|
|
|
nonces.insert(participant_identifier, nonce);
|
|
|
|
commitments.insert(participant_identifier, commitment);
|
2022-05-16 13:53:17 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// This is what the signature aggregator / coordinator needs to do:
|
|
|
|
// - decide what message to sign
|
|
|
|
// - take one (unused) commitment per signing participant
|
2022-11-01 08:54:04 -07:00
|
|
|
let mut signature_shares = Vec::new();
|
2022-05-16 13:53:17 -07:00
|
|
|
let message = "message to sign".as_bytes();
|
2022-07-19 13:17:20 -07:00
|
|
|
let comms = commitments.clone().into_values().collect();
|
2022-05-16 13:53:17 -07:00
|
|
|
let signing_package = frost::SigningPackage::new(comms, message.to_vec());
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Round 2: each participant generates their signature share
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
2022-09-01 13:07:50 -07:00
|
|
|
for participant_identifier in nonces.keys() {
|
|
|
|
let key_package = key_packages.get(participant_identifier).unwrap();
|
2022-05-16 13:53:17 -07:00
|
|
|
|
2022-09-01 13:07:50 -07:00
|
|
|
let nonces_to_use = &nonces.get(participant_identifier).unwrap();
|
2022-05-16 13:53:17 -07:00
|
|
|
|
|
|
|
// Each participant generates their signature share.
|
|
|
|
let signature_share =
|
|
|
|
frost::round2::sign(&signing_package, nonces_to_use, key_package).unwrap();
|
|
|
|
signature_shares.push(signature_share);
|
|
|
|
}
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Aggregation: collects the signing shares from all participants,
|
|
|
|
// generates the final signature.
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
|
|
// Aggregate (also verifies the signature shares)
|
|
|
|
let group_signature_res = frost::aggregate(&signing_package, &signature_shares[..], &pubkeys);
|
|
|
|
|
|
|
|
assert!(group_signature_res.is_ok());
|
|
|
|
|
|
|
|
let group_signature = group_signature_res.unwrap();
|
|
|
|
|
|
|
|
// Check that the threshold signature can be verified by the group public
|
|
|
|
// key (the verification key).
|
|
|
|
assert!(pubkeys
|
|
|
|
.group_public
|
|
|
|
.verify(message, &group_signature)
|
|
|
|
.is_ok());
|
|
|
|
|
|
|
|
// Check that the threshold signature can be verified by the group public
|
2022-10-04 11:50:47 -07:00
|
|
|
// key (the verification key) from KeyPackage.group_public
|
2022-09-01 13:07:50 -07:00
|
|
|
for (participant_identifier, _) in nonces.clone() {
|
|
|
|
let key_package = key_packages.get(&participant_identifier).unwrap();
|
2022-05-16 13:53:17 -07:00
|
|
|
|
|
|
|
assert!(key_package
|
|
|
|
.group_public
|
|
|
|
.verify(message, &group_signature)
|
|
|
|
.is_ok());
|
|
|
|
}
|
|
|
|
}
|
2022-10-18 15:11:05 -07:00
|
|
|
|
|
|
|
/// Test FROST signing with trusted dealer with a Ciphersuite.
|
|
|
|
pub fn check_sign_with_dkg<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(mut rng: R)
|
|
|
|
where
|
2022-10-26 10:56:29 -07:00
|
|
|
C::Group: std::cmp::PartialEq,
|
2022-10-18 15:11:05 -07:00
|
|
|
{
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Key generation, Round 1
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
2022-10-26 21:35:16 -07:00
|
|
|
let max_signers = 5;
|
|
|
|
let min_signers = 3;
|
2022-10-18 15:11:05 -07:00
|
|
|
|
|
|
|
// Keep track of each participant's round 1 secret package.
|
|
|
|
// In practice each participant will keep its copy; no one
|
|
|
|
// will have all the participant's packages.
|
|
|
|
let mut round1_secret_packages: HashMap<
|
|
|
|
frost::Identifier<C>,
|
|
|
|
frost::keys::dkg::Round1SecretPackage<C>,
|
|
|
|
> = HashMap::new();
|
|
|
|
|
|
|
|
// Keep track of all round 1 packages sent to the given participant.
|
|
|
|
// This is used to simulate the broadcast; in practice the packages
|
|
|
|
// will be sent through some communication channel.
|
|
|
|
let mut received_round1_packages: HashMap<
|
|
|
|
frost::Identifier<C>,
|
|
|
|
Vec<frost::keys::dkg::Round1Package<C>>,
|
|
|
|
> = HashMap::new();
|
|
|
|
|
|
|
|
// For each participant, perform the first part of the DKG protocol.
|
|
|
|
// In practice, each participant will perform this on their own environments.
|
2022-10-26 21:35:16 -07:00
|
|
|
for participant_index in 1..=max_signers {
|
2022-10-18 15:11:05 -07:00
|
|
|
let participant_identifier = participant_index.try_into().expect("should be nonzero");
|
2022-10-26 21:35:16 -07:00
|
|
|
let (secret_package, round1_package) = frost::keys::dkg::keygen_part1(
|
|
|
|
participant_identifier,
|
|
|
|
max_signers,
|
|
|
|
min_signers,
|
|
|
|
&mut rng,
|
|
|
|
)
|
|
|
|
.unwrap();
|
2022-10-18 15:11:05 -07:00
|
|
|
|
|
|
|
// Store the participant's secret package for later use.
|
|
|
|
// In practice each participant will store it in their own environment.
|
|
|
|
round1_secret_packages.insert(participant_identifier, secret_package);
|
|
|
|
|
2022-11-18 04:54:06 -08:00
|
|
|
// "Send" the round 1 package to all other participants. In this
|
2022-10-18 15:11:05 -07:00
|
|
|
// test this is simulated using a HashMap; in practice this will be
|
|
|
|
// sent through some communication channel.
|
2022-10-26 21:35:16 -07:00
|
|
|
for receiver_participant_index in 1..=max_signers {
|
2022-10-18 15:11:05 -07:00
|
|
|
if receiver_participant_index == participant_index {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
let receiver_participant_identifier = receiver_participant_index
|
|
|
|
.try_into()
|
|
|
|
.expect("should be nonzero");
|
|
|
|
received_round1_packages
|
|
|
|
.entry(receiver_participant_identifier)
|
|
|
|
.or_insert_with(Vec::new)
|
|
|
|
.push(round1_package.clone());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Key generation, Round 2
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
|
|
// Keep track of each participant's round 2 secret package.
|
|
|
|
// In practice each participant will keep its copy; no one
|
|
|
|
// will have all the participant's packages.
|
|
|
|
let mut round2_secret_packages = HashMap::new();
|
|
|
|
|
|
|
|
// Keep track of all round 2 packages sent to the given participant.
|
|
|
|
// This is used to simulate the broadcast; in practice the packages
|
|
|
|
// will be sent through some communication channel.
|
|
|
|
let mut received_round2_packages = HashMap::new();
|
|
|
|
|
|
|
|
// For each participant, perform the second part of the DKG protocol.
|
|
|
|
// In practice, each participant will perform this on their own environments.
|
2022-10-26 21:35:16 -07:00
|
|
|
for participant_index in 1..=max_signers {
|
2022-10-18 15:11:05 -07:00
|
|
|
let participant_identifier = participant_index.try_into().expect("should be nonzero");
|
|
|
|
let (round2_secret_package, round2_packages) = frost::keys::dkg::keygen_part2(
|
|
|
|
round1_secret_packages
|
|
|
|
.remove(&participant_identifier)
|
|
|
|
.unwrap(),
|
|
|
|
received_round1_packages
|
|
|
|
.get(&participant_identifier)
|
|
|
|
.unwrap(),
|
|
|
|
)
|
|
|
|
.expect("should work");
|
|
|
|
|
|
|
|
// Store the participant's secret package for later use.
|
|
|
|
// In practice each participant will store it in their own environment.
|
|
|
|
round2_secret_packages.insert(participant_identifier, round2_secret_package);
|
|
|
|
|
|
|
|
// "Send" the round 2 package to all other participants. In this
|
|
|
|
// test this is simulated using a HashMap; in practice this will be
|
|
|
|
// sent through some communication channel.
|
|
|
|
// Note that, in contrast to the previous part, here each other participant
|
|
|
|
// gets its own specific package.
|
|
|
|
for round2_package in round2_packages {
|
|
|
|
received_round2_packages
|
|
|
|
.entry(round2_package.receiver_identifier)
|
|
|
|
.or_insert_with(Vec::new)
|
|
|
|
.push(round2_package);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
// Key generation, final computation
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
|
|
// Keep track of each participant's long-lived key package.
|
|
|
|
// In practice each participant will keep its copy; no one
|
|
|
|
// will have all the participant's packages.
|
|
|
|
let mut key_packages = HashMap::new();
|
|
|
|
|
|
|
|
// Map of the verifying key of each participant.
|
|
|
|
// Used by the signing test that follows.
|
|
|
|
let mut verifying_keys = HashMap::new();
|
|
|
|
// The group public key, used by the signing test that follows.
|
|
|
|
let mut group_public = None;
|
2022-11-18 04:54:06 -08:00
|
|
|
// For each participant, store the set of verifying keys they have computed.
|
|
|
|
// This is used to check if the set is correct (the same) for all participants.
|
2022-10-18 15:11:05 -07:00
|
|
|
// In practice, if there is a Coordinator, only they need to store the set.
|
|
|
|
// If there is not, then all candidates must store their own sets.
|
|
|
|
// The verifying keys are used to verify the signature shares produced
|
|
|
|
// for each signature before being aggregated.
|
2022-11-18 04:54:06 -08:00
|
|
|
let mut pubkey_packages_by_participant = HashMap::new();
|
2022-10-18 15:11:05 -07:00
|
|
|
|
|
|
|
// For each participant, perform the third part of the DKG protocol.
|
|
|
|
// In practice, each participant will perform this on their own environments.
|
2022-10-26 21:35:16 -07:00
|
|
|
for participant_index in 1..=max_signers {
|
2022-10-18 15:11:05 -07:00
|
|
|
let participant_identifier = participant_index.try_into().expect("should be nonzero");
|
2022-11-18 04:54:06 -08:00
|
|
|
let (key_package, pubkey_package_for_participant) = frost::keys::dkg::keygen_part3(
|
2022-10-18 15:11:05 -07:00
|
|
|
&round2_secret_packages[&participant_identifier],
|
|
|
|
&received_round1_packages[&participant_identifier],
|
|
|
|
&received_round2_packages[&participant_identifier],
|
|
|
|
)
|
|
|
|
.unwrap();
|
|
|
|
verifying_keys.insert(participant_identifier, key_package.public);
|
|
|
|
// Test if all group_public are equal
|
|
|
|
if let Some(previous_group_public) = group_public {
|
|
|
|
assert_eq!(previous_group_public, key_package.group_public)
|
|
|
|
}
|
|
|
|
group_public = Some(key_package.group_public);
|
|
|
|
key_packages.insert(participant_identifier, key_package);
|
2022-11-18 04:54:06 -08:00
|
|
|
pubkey_packages_by_participant
|
|
|
|
.insert(participant_identifier, pubkey_package_for_participant);
|
2022-10-18 15:11:05 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// Test if the set of verifying keys is correct for all participants.
|
2022-11-18 04:54:06 -08:00
|
|
|
for verifying_keys_for_participant in pubkey_packages_by_participant.values() {
|
|
|
|
assert!(verifying_keys_for_participant.signer_pubkeys == verifying_keys);
|
2022-10-18 15:11:05 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
let pubkeys = frost::keys::PublicKeyPackage {
|
|
|
|
signer_pubkeys: verifying_keys,
|
|
|
|
group_public: group_public.unwrap(),
|
|
|
|
};
|
|
|
|
|
|
|
|
// Proceed with the signing test.
|
2022-10-26 21:35:16 -07:00
|
|
|
check_sign(min_signers, key_packages, rng, pubkeys);
|
2022-10-18 15:11:05 -07:00
|
|
|
}
|