derive verification share and group public key from commitments

frost-core/src/frost/keys.rs

@@ -248,7 +248,9 @@ where
         &self.value
     }
 
-    /// Verifies that a secret share is consistent with a verifiable secret sharing commitment.
+    /// Verifies that a secret share is consistent with a verifiable secret sharing commitment,
+    /// and returns the derived group info for the participant (their public verification share,
+    /// and the group public key) if successful.
     ///
     /// This ensures that this participant's share has been generated using the same
     /// mechanism as all other signing participants. Note that participants *MUST*
@@ -256,9 +258,11 @@ where
     /// commitment!
     ///
     /// An implementation of `vss_verify()` from the [spec].
+    /// This also implements `derive_group_info()` from the [spec] (which is very similar),
+    /// but only for this participant.
     ///
     /// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-05.html#appendix-B.2-5
-    pub fn verify(&self) -> Result<(), &'static str> {
+    pub fn verify(&self) -> Result<(VerifyingShare<C>, VerifyingKey<C>), &'static str> {
         let f_result = <C::Group as Group>::generator() * self.value.0;
 
         let x = self.identifier.to_scalar()?;
@@ -275,7 +279,11 @@ where
             return Err("SecretShare is invalid.");
         }
 
-        Ok(())
+        let group_public = VerifyingKey {
+            element: self.commitment.0[0].0,
+        };
+
+        Ok((VerifyingShare(result), group_public))
     }
 }
 
@@ -290,10 +298,6 @@ pub struct SharePackage<C: Ciphersuite> {
     pub identifier: Identifier<C>,
     /// This participant's secret share.
     pub secret_share: SecretShare<C>,
-    /// This participant's public key.
-    pub public: VerifyingShare<C>,
-    /// The public verifying key that represents the entire group.
-    pub group_public: VerifyingKey<C>,
 }
 
 /// Allows all participants' keys to be generated using a central, trusted
@@ -329,8 +333,6 @@ pub fn keygen_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(
         share_packages.push(SharePackage {
             identifier: secret_share.identifier,
             secret_share: secret_share.clone(),
-            public: signer_public,
-            group_public,
         });
 
         signer_pubkeys.insert(secret_share.identifier, signer_public);
@@ -403,13 +405,13 @@ where
     /// dealer, but implementations *MUST* make sure that all participants have
     /// a consistent view of this commitment in practice.
     fn try_from(share_package: SharePackage<C>) -> Result<Self, &'static str> {
-        share_package.secret_share.verify()?;
+        let (public, group_public) = share_package.secret_share.verify()?;
 
         Ok(KeyPackage {
             identifier: share_package.identifier,
             secret_share: share_package.secret_share.value,
-            public: share_package.public,
-            group_public: share_package.group_public,
+            public,
+            group_public,
         })
     }
 }

frost-core/src/tests.rs

@@ -16,7 +16,7 @@ pub fn check_share_generation<C: Ciphersuite, R: RngCore + CryptoRng>(mut rng: R
     let secret_shares = frost::keys::generate_secret_shares(&secret, 5, 3, rng).unwrap();
 
     for secret_share in secret_shares.iter() {
-        assert_eq!(secret_share.verify(), Ok(()));
+        assert!(secret_share.verify().is_ok());
     }
 
     assert_eq!(