zecfoundation
/
reddsa
mirror of https://github.com/ZcashFoundation/reddsa.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

tmp

This commit is contained in:
Conrado Gouvea 2022-12-05 14:50:46 -03:00
parent 33fe138797
commit c9602fefff
5 changed files with 31 additions and 251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Cargo.toml
View File

@ -30,7 +30,9 @@ pasta_curves = { version = "0.4", default-features = false }
rand_core = { version = "0.6", default-features = false }
serde = { version = "1", optional = true, features = ["derive"] }
thiserror = { version = "1.0", optional = true }
frost-core = { git = "https://github.com/ZcashFoundation/frost.git", rev = "554431f012264951f160ff1b190554796c53d695", optional = true, features=["internals"] }
# frost-core = { git = "https://github.com/ZcashFoundation/frost.git", rev = "554431f012264951f160ff1b190554796c53d695", optional = true, features=["internals"] }
# frost-core = { path = "../frost/frost-core", optional = true, features=["internals"] }
frost-rerandomized = { path = "../frost/frost-rerandomized", optional = true, features=["internals"] }
[dependencies.zeroize]
version = "1"
@ -46,7 +48,9 @@ proptest = "1.0"
rand = "0.8"
rand_chacha = "0.3"
serde_json = "1.0"
frost-core = { git = "https://github.com/ZcashFoundation/frost.git", rev = "554431f012264951f160ff1b190554796c53d695", features=["internals", "test-impl"] }
frost-core = { path = "../frost/frost-core", features=["internals", "test-impl"] }
frost-rerandomized = { path = "../frost/frost-rerandomized", features=["internals", "test-impl"] }
# frost-core = { git = "https://github.com/ZcashFoundation/frost.git", rev = "554431f012264951f160ff1b190554796c53d695", features=["internals", "test-impl"] }
# `alloc` is only used in test code
@ -55,7 +59,7 @@ features = ["alloc"]
[features]
std = ["blake2b_simd/std", "thiserror", "zeroize", "alloc",
"serde", "frost-core"] # conditional compilation for serde not complete (issue #9)
"serde", "frost-rerandomized"] # conditional compilation for serde not complete (issue #9)
alloc = []
nightly = []
default = ["std"]

57
src/frost_redpallas.rs
View File

@ -7,21 +7,15 @@ use group::GroupEncoding;
use group::{ff::Field as FFField, ff::PrimeField, Group as FFGroup};
use pasta_curves::pallas;
pub use frost_rerandomized::frost_core::Error;
use frost_rerandomized::{
frost_core::{frost, Ciphersuite, Field, Group},
RandomizedParams,
};
use rand_core::{CryptoRng, RngCore};
use frost_core::{
frost::{self},
Ciphersuite, Field, Group,
};
pub use frost_core::Error;
use crate::{
hash::HStar,
orchard,
private::Sealed,
randomized_frost::{self, RandomizedParams},
};
use crate::{hash::HStar, orchard, private::Sealed};
#[derive(Clone, Copy)]
/// An implementation of the FROST Pallas Blake2b-512 ciphersuite scalar field.
@ -54,19 +48,8 @@ impl Field for PallasScalarField {
Self::Scalar::random(rng)
}
fn random_nonzero<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar {
loop {
let scalar = Self::Scalar::random(&mut *rng);
// This impl of `Eq` calls to `ConstantTimeEq` under the hood
if scalar != Self::Scalar::zero() {
return scalar;
}
}
}
fn serialize(scalar: &Self::Scalar) -> Self::Serialization {
scalar.to_repr().into()
scalar.to_repr()
}
fn little_endian_serialize(scalar: &Self::Scalar) -> Self::Serialization {
@ -81,7 +64,7 @@ impl Field for PallasScalarField {
}
}
#[derive(Clone, Copy, PartialEq)]
#[derive(Clone, Copy, PartialEq, Eq)]
/// An implementation of the FROST P-256 ciphersuite group.
pub struct PallasGroup;
@ -126,7 +109,7 @@ impl Group for PallasGroup {
}
}
#[derive(Clone, Copy, PartialEq)]
#[derive(Clone, Copy, PartialEq, Eq)]
/// An implementation of the FROST ciphersuite FROST(Pallas, BLAKE2b-512).
pub struct PallasBlake2b512;
@ -188,7 +171,7 @@ pub mod keys {
num_signers: u16,
threshold: u16,
mut rng: RNG,
) -> Result<(Vec<SecretShare>, PublicKeyPackage), &'static str> {
) -> Result<(Vec<SecretShare>, PublicKeyPackage), Error> {
frost::keys::keygen_with_dealer(num_signers, threshold, &mut rng)
}
@ -204,7 +187,7 @@ pub mod keys {
///
pub mod round1 {
use frost_core::frost::keys::SigningShare;
use frost_rerandomized::frost_core::frost::keys::SigningShare;
use super::*;
///
@ -231,8 +214,6 @@ pub type SigningPackage = frost::SigningPackage<P>;
///
pub mod round2 {
use crate::randomized_frost;
use super::*;
///
@ -247,8 +228,8 @@ pub mod round2 {
signer_nonces: &round1::SigningNonces,
key_package: &keys::KeyPackage,
randomizer_point: &<<P as Ciphersuite>::Group as Group>::Element,
) -> Result<SignatureShare, &'static str> {
randomized_frost::sign(
) -> Result<SignatureShare, Error> {
frost_rerandomized::sign(
signing_package,
signer_nonces,
key_package,
@ -258,7 +239,7 @@ pub mod round2 {
}
///
pub type Signature = frost_core::Signature<P>;
pub type Signature = frost_rerandomized::frost_core::Signature<P>;
///
pub fn aggregate(
@ -266,8 +247,8 @@ pub fn aggregate(
signature_shares: &[round2::SignatureShare],
pubkeys: &keys::PublicKeyPackage,
randomized_params: &RandomizedParams<P>,
) -> Result<Signature, &'static str> {
randomized_frost::aggregate(
) -> Result<Signature, Error> {
frost_rerandomized::aggregate(
signing_package,
signature_shares,
pubkeys,
@ -276,7 +257,7 @@ pub fn aggregate(
}
///
pub type SigningKey = frost_core::SigningKey<P>;
pub type SigningKey = frost_rerandomized::frost_core::SigningKey<P>;
///
pub type VerifyingKey = frost_core::VerifyingKey<P>;
pub type VerifyingKey = frost_rerandomized::frost_core::VerifyingKey<P>;

3
src/lib.rs
View File

@ -24,12 +24,9 @@ extern crate std;
pub mod batch;
mod constants;
mod error;
#[cfg(feature = "std")]
pub mod frost_redpallas;
mod hash;
pub mod orchard;
#[cfg(feature = "std")]
pub mod randomized_frost;
pub mod sapling;
#[cfg(feature = "alloc")]
mod scalar_mul;

199
src/randomized_frost.rs
View File

@ -1,199 +0,0 @@
//! Randomized FROST support.
//!
#![allow(non_snake_case)]
use frost_core::{frost::keys::PublicKeyPackage, VerifyingKey};
#[cfg(feature = "alloc")]
use frost_core::{
frost::{self},
Ciphersuite, Field, Group,
};
pub use frost_core::Error;
use rand_core::{CryptoRng, RngCore};
/// Performed once by each participant selected for the signing operation.
///
/// Implements [`sign`] from the spec.
///
/// Receives the message to be signed and a set of signing commitments and a set
/// of randomizing commitments to be used in that signing operation, including
/// that for this participant.
///
/// Assumes the participant has already determined which nonce corresponds with
/// the commitment that was assigned by the coordinator in the SigningPackage.
///
/// [`sign`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-10.html#name-round-two-signature-share-g
pub fn sign<C: Ciphersuite>(
signing_package: &frost::SigningPackage<C>,
signer_nonces: &frost::round1::SigningNonces<C>,
key_package: &frost::keys::KeyPackage<C>,
randomizer_point: &<C::Group as Group>::Element,
) -> Result<frost::round2::SignatureShare<C>, &'static str> {
let public_key = key_package.group_public.to_element() + *randomizer_point;
// Encodes the signing commitment list produced in round one as part of generating [`Rho`], the
// binding factor.
let binding_factor_list = frost::compute_binding_factor_list(
signing_package,
<C::Group as Group>::serialize(randomizer_point).as_ref(),
);
let rho: frost::BindingFactor<C> = binding_factor_list[key_package.identifier].clone();
// Compute the group commitment from signing commitments produced in round one.
let group_commitment = frost::compute_group_commitment(signing_package, &binding_factor_list)?;
// Compute Lagrange coefficient.
let lambda_i = frost::derive_lagrange_coeff(key_package.identifier(), signing_package)?;
// Compute the per-message challenge.
let challenge = frost_core::challenge::<C>(
&group_commitment.to_element(),
&public_key,
signing_package.message().as_slice(),
);
// Compute the Schnorr signature share.
let signature_share = frost::round2::compute_signature_share(
signer_nonces,
rho,
lambda_i,
key_package,
challenge,
);
Ok(signature_share)
}
/// Verifies each participant's signature share, and if all are valid,
/// aggregates the shares into a signature to publish.
///
/// Resulting signature is compatible with verification of a plain SpendAuth
/// signature.
///
/// This operation is performed by a coordinator that can communicate with all
/// the signing participants before publishing the final signature. The
/// coordinator can be one of the participants or a semi-trusted third party
/// (who is trusted to not perform denial of service attacks, but does not learn
/// any secret information). Note that because the coordinator is trusted to
/// report misbehaving parties in order to avoid publishing an invalid
/// signature, if the coordinator themselves is a signer and misbehaves, they
/// can avoid that step. However, at worst, this results in a denial of
/// service attack due to publishing an invalid signature.
pub fn aggregate<C>(
signing_package: &frost::SigningPackage<C>,
signature_shares: &[frost::round2::SignatureShare<C>],
pubkeys: &frost::keys::PublicKeyPackage<C>,
randomized_params: &RandomizedParams<C>,
) -> Result<frost_core::Signature<C>, &'static str>
where
C: Ciphersuite,
{
let public_key = pubkeys.group_public.to_element() + *randomized_params.randomizer_point();
// Encodes the signing commitment list produced in round one as part of generating [`Rho`], the
// binding factor.
let binding_factor_list = frost::compute_binding_factor_list(
signing_package,
<C::Group as Group>::serialize(randomized_params.randomizer_point()).as_ref(),
);
// Compute the group commitment from signing commitments produced in round one.
let group_commitment = frost::compute_group_commitment(signing_package, &binding_factor_list)?;
// Compute the per-message challenge.
let challenge = frost_core::challenge::<C>(
&group_commitment.clone().to_element(),
&public_key,
signing_package.message().as_slice(),
);
// Verify the signature shares.
for signature_share in signature_shares {
// Look up the public key for this signer, where `signer_pubkey` = _G.ScalarBaseMult(s[i])_,
// and where s[i] is a secret share of the constant term of _f_, the secret polynomial.
let signer_pubkey = pubkeys
.signer_pubkeys
.get(&signature_share.identifier)
.unwrap();
// Compute Lagrange coefficient.
let lambda_i = frost::derive_lagrange_coeff(&signature_share.identifier, signing_package)?;
let rho = binding_factor_list[signature_share.identifier].clone();
// Compute the commitment share.
let R_share = signing_package
.signing_commitment(&signature_share.identifier)
.to_group_commitment_share(&rho);
// Compute relation values to verify this signature share.
signature_share.verify(&R_share, signer_pubkey, lambda_i, &challenge)?;
}
// The aggregation of the signature shares by summing them up, resulting in
// a plain Schnorr signature.
//
// Implements [`aggregate`] from the spec.
//
// [`aggregate`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-10.html#section-5.3
let mut z = <<C::Group as Group>::Field as Field>::zero();
for signature_share in signature_shares {
z = z + signature_share.signature.z_share;
}
z = z + challenge.to_scalar() * randomized_params.randomizer;
Ok(frost_core::Signature::new(group_commitment.to_element(), z))
}
/// Randomized params for a signing instance of randomized FROST.
pub struct RandomizedParams<C: Ciphersuite> {
/// The randomizer, also called `alpha`
randomizer: frost_core::Scalar<C>,
/// The generator multiplied by the randomizer.
randomizer_point: <C::Group as Group>::Element,
/// The randomized group public key. The group public key added to the randomizer point.
randomized_group_public_key: frost_core::VerifyingKey<C>,
}
impl<C> RandomizedParams<C>
where
C: Ciphersuite,
{
/// Create a new RandomizedParams for the given [`PublicKeyPackage`]
pub fn new<R: RngCore + CryptoRng>(
public_key_package: &PublicKeyPackage<C>,
mut rng: R,
) -> Self {
let randomizer = <<C::Group as Group>::Field as Field>::random(&mut rng);
let randomizer_point = <C::Group as Group>::generator() * randomizer;
let group_public_point = public_key_package.group_public.to_element();
let randomized_group_public_point = group_public_point + randomizer_point;
let randomized_group_public_key = VerifyingKey::new(randomized_group_public_point);
Self {
randomizer,
randomizer_point,
randomized_group_public_key,
}
}
/// Return the randomizer point.
///
/// It must be sent by the coordinator to each participant when signing.
pub fn randomizer_point(&self) -> &<C::Group as Group>::Element {
&self.randomizer_point
}
/// Return the randomizer point.
///
/// It must be sent by the coordinator to each participant when signing.
pub fn randomized_group_public_key(&self) -> &frost_core::VerifyingKey<C> {
&self.randomized_group_public_key
}
}

13
tests/frost.rs
View File

@ -1,12 +1,9 @@
use std::{collections::HashMap, convert::TryFrom};
use frost_core::{frost, Ciphersuite};
use frost_rerandomized::{self, frost_core::frost, frost_core::Ciphersuite, RandomizedParams};
use rand_core::{CryptoRng, RngCore};
use reddsa::{
frost_redpallas::*,
orchard,
randomized_frost::{self, RandomizedParams},
};
use reddsa::{frost_redpallas::*, orchard};
pub fn check_randomized_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(mut rng: R) {
////////////////////////////////////////////////////////////////////////////
@ -72,7 +69,7 @@ pub fn check_randomized_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>
let nonces_to_use = &nonces.get(participant_identifier).unwrap();
// Each participant generates their signature share.
let signature_share = randomized_frost::sign(
let signature_share = frost_rerandomized::sign(
&signing_package,
nonces_to_use,
key_package,
@ -88,7 +85,7 @@ pub fn check_randomized_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>
////////////////////////////////////////////////////////////////////////////
// Aggregate (also verifies the signature shares)
let group_signature_res = randomized_frost::aggregate(
let group_signature_res = frost_rerandomized::aggregate(
&signing_package,
&signature_shares[..],
&pubkeys,