additional fixes for use of tweaked pubkey

2024-01-10 13:50:55 +02:00 · 2024-01-10 13:50:55 +02:00 · a3071302dd
parent 8204166b93
commit a3071302dd
5 changed files with 52 additions and 16 deletions
--- a/frost-core/src/signing_key.rs
+++ b/frost-core/src/signing_key.rs
@ -59,9 +59,13 @@ where
        // Generate Schnorr challenge
        let c: Challenge<C> = <C>::challenge(&R, &public, msg);

-        let z = k + (c.0 * secret);
-
-        Signature { R, z }
+        if <C>::is_need_tweaking() {
+            let z = <C>::tweaked_z(k, secret, c.0, &public.element);
+            Signature { R, z }
+        } else {
+            let z = k + (c.0 * secret);
+            Signature { R, z }
+        }
    }

    /// Creates a SigningKey from a scalar.
--- a/frost-core/src/traits.rs
+++ b/frost-core/src/traits.rs
@ -272,6 +272,18 @@ pub trait Ciphersuite: Copy + Clone + PartialEq + Debug {
        panic!("Not implemented");
    }

+    /// tweaked z for SigningKey sign
+    #[allow(unused)]
+    fn tweaked_z(
+        k: <<Self::Group as Group>::Field as Field>::Scalar,
+        secret: <<Self::Group as Group>::Field as Field>::Scalar,
+        challenge: <<Self::Group as Group>::Field as Field>::Scalar,
+        verifying_key: &Element<Self>,
+    ) -> <<Self::Group as Group>::Field as Field>::Scalar
+    {
+        panic!("Not implemented");
+    }
+
    /// signature_share tweak
    #[allow(unused)]
    fn compute_tweaked_signature_share(
--- a/frost-secp256k1-tr/src/lib.rs
+++ b/frost-secp256k1-tr/src/lib.rs
@ -245,11 +245,11 @@ pub fn tweaked_secret_key(
    public_key: &<<Secp256K1Sha256 as Ciphersuite>::Group as Group>::Element,
    merkle_root: &[u8],
 ) -> <<<Secp256K1Sha256 as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
-    let mut secret = secret.clone();
    if public_key.to_affine().y_is_odd().into() {
-        secret = -secret
+        -secret + tweak(&public_key, merkle_root)
+    } else {
+        secret + tweak(&public_key, merkle_root)
    }
-    secret + tweak(&public_key, merkle_root)
 }

 impl Ciphersuite for Secp256K1Sha256 {
@ -345,6 +345,21 @@ impl Ciphersuite for Secp256K1Sha256 {
        }
    }

+    /// tweaked z for SigningKey sign
+    fn tweaked_z(
+        k: <<Self::Group as Group>::Field as Field>::Scalar,
+        secret: <<Self::Group as Group>::Field as Field>::Scalar,
+        challenge: <<Self::Group as Group>::Field as Field>::Scalar,
+        verifying_key: &Element<S>,
+    ) -> <<Self::Group as Group>::Field as Field>::Scalar {
+        let tweaked_pubkey = tweaked_public_key(&verifying_key, &[]);
+        if tweaked_pubkey.to_affine().y_is_odd().into() {
+            k - (challenge * secret)
+        } else {
+            k + (challenge * secret)
+        }
+    }
+
    /// compute tweaked signature_share
    fn compute_tweaked_signature_share(
        signer_nonces: &round1::SigningNonces,
@ -361,8 +376,8 @@ impl Ciphersuite for Secp256K1Sha256 {

        let mut kp = key_package.clone();
        let public_key = key_package.verifying_key();
-        let pubkey_is_odd = public_key.y_is_odd();
-        let tweaked_pubkey_is_odd = tweaked_public_key(public_key.element(), &[])
+        let pubkey_is_odd: bool = public_key.y_is_odd();
+        let tweaked_pubkey_is_odd: bool = tweaked_public_key(public_key.element(), &[])
            .to_affine()
            .y_is_odd()
            .into();
@ -421,7 +436,12 @@ impl Ciphersuite for Secp256K1Sha256 {
        verifying_key: &<Self::Group as Group>::Element,
    ) -> <Self::Group as Group>::Element {
        let mut vs = verifying_share.clone();
-        if verifying_key.to_affine().y_is_odd().into() {
+        let pubkey_is_odd: bool = verifying_key.to_affine().y_is_odd().into();
+        let tweaked_pubkey_is_odd: bool = tweaked_public_key(verifying_key, &[])
+            .to_affine()
+            .y_is_odd()
+            .into();
+        if pubkey_is_odd != tweaked_pubkey_is_odd {
            vs = -vs;
        }
        vs
--- a/frost-secp256k1-tr/tests/helpers/vectors-big-identifier.json
+++ b/frost-secp256k1-tr/tests/helpers/vectors-big-identifier.json
@ -1091,19 +1091,19 @@
    "outputs": [
      {
        "identifier": 129,
-        "sig_share": "f01e946f27156b55a714d8872a31c860a379e10e305a20bbd39e4f509b78a7ab"
+        "sig_share": "8ec041c83e92c21d349ee6335434d284d33bbe1dfddc9d0a40972d6bb7d2e539"
      },
      {
        "identifier": 256,
-        "sig_share": "f4ca85e6e1bf8bd0d16cb3bab9a9b223e97fdcff73ecc650706a4b54b4573368"
+        "sig_share": "5fa76c4dc2cded6680d660dc1fc7a705c467d612ddf20f9ef1f41461fa99c765"
      },
      {
        "identifier": 257,
-        "sig_share": "0b9b540faed82f39a9cee154dc998297865f1b9096f89e87c5cd3163997b1165"
+        "sig_share": "87533d65930f6daafac1b08089a2fc2044b193c552fd9151affd014613458b0d"
      }
    ]
  },
  "final_output": {
-    "sig": "0354997f922511dba38d16973092a331f4039477bf4a2d77b438a317862795b267afb5d03fef0520d7b6ef541cbf9c252e51c11b989950ff64f750cb65ac9d1277"
+    "sig": "0354997f922511dba38d16973092a331f4039477bf4a2d77b438a317862795b267b68989a15d1822b71b981109fe784d9b288f2c2e722983b27568869d61f38f2a"
  }
 }
--- a/frost-secp256k1-tr/tests/helpers/vectors.json
+++ b/frost-secp256k1-tr/tests/helpers/vectors.json
@ -63,15 +63,15 @@
    "outputs": [
      {
        "identifier": 1,
-        "sig_share": "d6641c4136ee5bf7135272c2cae2ffc1170f9ee44562cf1a1f0ab65c14cfcc4e"
+        "sig_share": "971bbcb0383c0fc47a710a8cae41a123cb44808328ce30880a8b66f1f15766fb"
      },
      {
        "identifier": 3,
-        "sig_share": "e79e49ff66968247cb345da0f43d9ca83522e455478612602ac69e004b93e476"
+        "sig_share": "33d0471177d384d3ec22731abbdd942851c78fbdbed0fb54149d657820228b55"
      }
    ]
  },
  "final_output": {
-    "sig": "030c776a9516a77808b70a31e74f1464814a6fcf897fb3a6bd84c7a9a9a7a5bcb8c0828f771deb8b8ab07fbfc2138ddbda6ff32bd9f7a673459538bc96d1f72e70"
+    "sig": "030c776a9516a77808b70a31e74f1464814a6fcf897fb3a6bd84c7a9a9a7a5bcb8c86bda8b2fa8e74c949a8e4915b1f5dc3e9c8ab9cd98f9d513ef05a2cfb03363"
  }
 }