zecfoundation
/
frost
mirror of https://github.com/ZcashFoundation/frost.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #50 from ZcashFoundation/frost-core 

* frost-core Cargo.toml

* Ciphersuite trait

* Signature trait

* Copy stub ristretto impl for now

* First stab at making signing and verifying generic over frost-core::Ciphersuite

* Update signing

* Nice const generics and stuff for frost-core::Ciphersuite

* Have to implement traits for the pre-parameterized types inside the module

* Ciphersuite::Group::Field

* Make frost/keys generic over Ciphersuite

* frost-core genericization mostly done, modulo batch

* Move tests around

* Remove internal test module

* Lots of tidies, including type refinement of Scalar, Challenge

* More genericization and tidy'ing

* Test vectors working against Ristretto impl in the frost-core integration tests

* clippy fix

* Fix generic params for full frost example integration test using ristretto

* Genericize proptests

* clippy --fix

* Doc comment identifier module

* In-flight batch and multiscalar mul

* Stop using Scalar::from_hash() as it expects impl Digest which sha2 0.10+ isn't doing anymore

* run cargo udeps

* Update frost-core/src/frost/round1.rs

* Update frost-core/src/frost.rs

* Update frost-core/src/frost/keys.rs
This commit is contained in:
Deirdre Connolly 2022-05-16 16:53:17 -04:00 committed by GitHub
parent 2c86646e80
commit e6d5afdfb2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 3287 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
frost-core/Cargo.toml
View File

@ -1,8 +1,40 @@
[package]
name = "frost-core"
version = "0.1.0"
edition = "2021"
# When releasing to crates.io:
# - Update html_root_url
# - Update CHANGELOG.md
# - Create git tag.
version = "0.1.0-alpha.1"
authors = ["Deirdre Connolly <durumcrustulum@gmail.com>", "Chelsea Komlo <me@chelseakomlo.com>"]
readme = "README.md"
license = "MIT OR Apache-2.0"
repository = "https://github.com/ZcashFoundation/frost"
categories = ["cryptography"]
keywords = ["cryptography", "crypto", "ristretto", "threshold", "signature", "schnorr"]
description = "Types and traits to support implementing Flexible Round-Optimized Schnorr Threshold signature schemes (FROST)."
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[package.metadata.docs.rs]
features = ["nightly"]
[dependencies]
byteorder = "1.4"
digest = "0.9"
hex = { version = "0.4.3", features = ["serde"] }
rand_core = "0.6"
serde = { version = "1", optional = true, features = ["derive"] }
thiserror = "1.0"
zeroize = { version = "1.5.4", default-features = false, features = ["derive"] }
[dev-dependencies]
curve25519-dalek = { version = "4.0.0-pre.1", features = ["serde"] }
lazy_static = "1.4"
proptest = "1.0"
rand = "0.8"
rand_chacha = "0.3"
serde_json = "1.0"
sha2 = "0.10.2"
[features]
nightly = []
default = ["serde"]

3
frost-core/README.md
View File

@ -21,9 +21,6 @@ dependency, such as `frost-ristretto255`.
```rust
```

163
frost-core/src/batch.rs Normal file
View File

@ -0,0 +1,163 @@
//! Performs batch Schnorr signature verification.
//!
//! Batch verification asks whether *all* signatures in some set are valid,
//! rather than asking whether *each* of them is valid. This allows sharing
//! computations among all signature verifications, performing less work overall
//! at the cost of higher latency (the entire batch must complete), complexity
//! of caller code (which must assemble a batch of signatures across
//! work-items), and loss of the ability to easily pinpoint failing signatures.
use std::convert::TryFrom;
use rand_core::{CryptoRng, RngCore};
use crate::{
frost::{self, *},
*,
};
/// A batch verification item.
///
/// This struct exists to allow batch processing to be decoupled from the
/// lifetime of the message. This is useful when using the batch verification
/// API in an async context.
#[derive(Clone, Debug)]
pub struct Item<C: Ciphersuite> {
vk: VerifyingKey<C>,
sig: Signature<C>,
c: Challenge<C>,
}
impl<'msg, C, M> From<(VerifyingKey<C>, Signature<C>, &'msg M)> for Item<C>
where
C: Ciphersuite,
M: AsRef<[u8]>,
{
fn from((vk, sig, msg): (VerifyingKey<C>, Signature<C>, &'msg M)) -> Self {
// Compute c now to avoid dependency on the msg lifetime.
let c = crate::challenge(&sig.R, &vk.element, msg.as_ref());
Self { vk, sig, c }
}
}
impl<C> Item<C>
where
C: Ciphersuite,
{
/// Perform non-batched verification of this `Item`.
///
/// This is useful (in combination with `Item::clone`) for implementing
/// fallback logic when batch verification fails. In contrast to
/// [`VerifyingKey::verify`](crate::VerifyingKey::verify), which
/// requires borrowing the message data, the `Item` type is unlinked
/// from the lifetime of the message.
pub fn verify_single(self) -> Result<(), Error> {
VerifyingKey::try_from(self.vk_bytes).and_then(|vk| vk.verify_prehashed(&self.sig, self.c))
}
}
#[derive(Default)]
/// A batch verification context.
pub struct Verifier<C: Ciphersuite> {
/// Signature data queued for verification.
signatures: Vec<Item<C>>,
}
impl<C> Verifier<C>
where
C: Ciphersuite,
{
/// Constructs a new batch verifier.
pub fn new() -> Verifier<C> {
Verifier::default()
}
/// Queues an Item for verification.
pub fn queue<I: Into<Item<C>>>(&mut self, item: I) {
self.signatures.push(item.into());
}
/// Performs batch verification, returning `Ok(())` if all signatures were
/// valid and `Err` otherwise.
///
/// The batch verification equation is:
///
/// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i + [z_i * c_i]VK_i) = 0_G
///
/// which we split out into:
///
/// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) =
/// 0_G
///
/// so that we can use multiscalar multiplication speedups.
///
/// where for each signature i,
/// - VK_i is the verification key;
/// - R_i is the signature's R value;
/// - s_i is the signature's s value;
/// - c_i is the hash of the message and other data;
/// - z_i is a random 128-bit Scalar;
/// - h_G is the cofactor of the group;
/// - P_G is the generator of the subgroup;
///
/// As follows elliptic curve scalar multiplication convention,
/// scalar variables are lowercase and group point variables
/// are uppercase. This does not exactly match the RedDSA
/// notation in the [protocol specification §B.1][ps].
///
/// [ps]: https://zips.z.cash/protocol/protocol.pdf#reddsabatchverify
pub fn verify<R: RngCore + CryptoRng>(self, mut rng: R) -> Result<(), Error> {
let n = self.signatures.len();
let mut VK_coeffs = Vec::with_capacity(n);
let mut VKs = Vec::with_capacity(n);
let mut R_coeffs = Vec::with_capacity(self.signatures.len());
let mut Rs = Vec::with_capacity(self.signatures.len());
let mut P_coeff_acc = Scalar::zero();
for item in self.signatures.iter() {
let (z_bytes, R_bytes, c) = (item.sig.z_bytes, item.sig.R_bytes, item.c);
let s = Scalar::from_bytes_mod_order(z_bytes);
let R = {
match CompressedRistretto::from_slice(&R_bytes).decompress() {
Some(point) => point,
None => return Err(Error::InvalidSignature),
}
};
let VK = VerifyingKey::try_from(item.vk_bytes.bytes)?.point;
let z = Scalar::random(&mut rng);
let P_coeff = z * s;
P_coeff_acc -= P_coeff;
R_coeffs.push(z);
Rs.push(R);
VK_coeffs.push(Scalar::zero() + (z * c));
VKs.push(VK);
}
use std::iter::once;
let scalars = once(&P_coeff_acc)
.chain(VK_coeffs.iter())
.chain(R_coeffs.iter());
let basepoints = [curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT];
let points = basepoints.iter().chain(VKs.iter()).chain(Rs.iter());
let check = RistrettoPoint::vartime_multiscalar_mul(scalars, points);
if check == RistrettoPoint::identity() {
Ok(())
} else {
Err(Error::InvalidSignature)
}
}
}

33
frost-core/src/error.rs Normal file
View File

@ -0,0 +1,33 @@
//! FROST Error types
use thiserror::Error;
/// An error related to FROST.
#[non_exhaustive]
#[derive(Error, Debug, Copy, Clone, Eq, PartialEq)]
pub enum Error {
/// This identifier is unserializable.
#[error("Malformed identifier is unserializable.")]
MalformedIdentifier,
/// The encoding of a group scalar was malformed.
#[error("Malformed scalar encoding.")]
MalformedScalar,
/// The encoding of a group element was malformed.
#[error("Malformed group element encoding.")]
MalformedElement,
/// The encoding of a signing key was malformed.
#[error("Malformed signing key encoding.")]
MalformedSigningKey,
/// The encoding of a verifying key was malformed.
#[error("Malformed verifying key encoding.")]
MalformedVerifyingKey,
/// The encoding of a signature was malformed.
#[error("Malformed signature encoding.")]
MalformedSignature,
/// Signature verification failed.
#[error("Invalid signature.")]
InvalidSignature,
/// This scalar MUST NOT be zero.
#[error("Invalid for this scalar to be zero.")]
InvalidZeroScalar,
}

343
frost-core/src/frost.rs Normal file
View File

@ -0,0 +1,343 @@
//! An implementation of FROST (Flexible Round-Optimized Schnorr Threshold)
//! signatures.
//!
//! If you are interested in deploying FROST, please do not hesitate to consult the FROST authors.
//!
//! This implementation currently only supports key generation using a central
//! dealer. In the future, we will add support for key generation via a DKG,
//! as specified in the FROST paper.
//!
//! Internally, keygen_with_dealer generates keys using Verifiable Secret
//! Sharing, where shares are generated using Shamir Secret Sharing.
use std::{
collections::HashMap,
convert::TryFrom,
fmt::{self, Debug},
};
use hex::FromHex;
mod identifier;
pub mod keys;
pub mod round1;
pub mod round2;
use crate::{Ciphersuite, Error, Field, Group, Signature};
pub use self::identifier::Identifier;
/// The binding factor, also known as _rho_ (ρ)
///
/// Ensures each signature share is strongly bound to a signing set, specific set
/// of commitments, and a specific message.
///
/// <https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md>
#[derive(Clone, PartialEq)]
pub struct Rho<C: Ciphersuite>(<<C::Group as Group>::Field as Field>::Scalar);
impl<C> Rho<C>
where
C: Ciphersuite,
{
/// Deserializes [`Rho`] from bytes.
pub fn from_bytes(
bytes: <<C::Group as Group>::Field as Field>::Serialization,
) -> Result<Self, Error> {
<<C::Group as Group>::Field as Field>::deserialize(&bytes).map(|scalar| Self(scalar))
}
/// Serializes [`Rho`] to bytes.
pub fn to_bytes(&self) -> <<C::Group as Group>::Field as Field>::Serialization {
<<C::Group as Group>::Field as Field>::serialize(&self.0)
}
}
impl<C> Debug for Rho<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_tuple("Rho")
.field(&hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> From<&SigningPackage<C>> for Rho<C>
where
C: Ciphersuite,
{
// [`compute_binding_factor`] in the spec
//
// [`compute_binding_factor`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-4.4
fn from(signing_package: &SigningPackage<C>) -> Rho<C> {
let preimage = signing_package.rho_preimage();
let binding_factor = C::H1(&preimage[..]);
Rho(binding_factor)
}
}
impl<C> FromHex for Rho<C>
where
C: Ciphersuite,
{
type Error = &'static str;
fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
match FromHex::from_hex(hex) {
Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed scalar encoding"),
Err(_) => Err("invalid hex"),
}
}
}
// TODO: pub struct Lagrange<C: Ciphersuite>(Scalar);
/// Generates the lagrange coefficient for the i'th participant.
fn derive_lagrange_coeff<C: Ciphersuite>(
signer_id: u16,
signing_package: &SigningPackage<C>,
) -> Result<<<C::Group as Group>::Field as Field>::Scalar, &'static str> {
// This should fail and panic if signer_id_scalar is 0 in the scalar field.
let signer_id_scalar = Identifier::<C>::try_from(signer_id).unwrap();
let zero = <<C::Group as Group>::Field as Field>::zero();
// TODO: This is redundant
if signer_id_scalar.0 == zero {
return Err("Invalid parameters");
}
if signing_package
.signing_commitments()
.iter()
.any(|commitment| {
let commitment_id_scalar = Identifier::<C>::try_from(commitment.index).unwrap();
*commitment_id_scalar == zero
})
{
return Err("Invalid parameters");
}
let mut num = <<C::Group as Group>::Field as Field>::one();
let mut den = <<C::Group as Group>::Field as Field>::one();
// Ala the sorting of B, just always sort by index in ascending order
//
// https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#encoding-operations-dep-encoding
for commitment in signing_package.signing_commitments() {
if commitment.index == signer_id {
continue;
}
let commitment_id_scalar = Identifier::<C>::try_from(commitment.index).unwrap();
num = num * *commitment_id_scalar;
den = den * (*commitment_id_scalar - *signer_id_scalar);
}
if den == zero {
return Err("Duplicate shares provided");
}
// TODO(dconnolly): return this error if the inversion result == zero
let lagrange_coeff = num * <<C::Group as Group>::Field as Field>::invert(&den).unwrap();
Ok(lagrange_coeff)
}
/// Generated by the coordinator of the signing operation and distributed to
/// each signing party
pub struct SigningPackage<C: Ciphersuite> {
/// The set of commitments participants published in the first round of the
/// protocol.
signing_commitments: HashMap<u16, round1::SigningCommitments<C>>,
/// Message which each participant will sign.
///
/// Each signer should perform protocol-specific verification on the
/// message.
message: Vec<u8>,
}
impl<C> SigningPackage<C>
where
C: Ciphersuite,
{
/// Create a new `SigingPackage`
///
/// The `signing_commitments` are sorted by participant `index`.
pub fn new(
mut signing_commitments: Vec<round1::SigningCommitments<C>>,
message: Vec<u8>,
) -> SigningPackage<C> {
signing_commitments.sort_by_key(|a| a.index);
SigningPackage {
signing_commitments: signing_commitments
.into_iter()
.map(|s| (s.index, s))
.collect(),
message,
}
}
/// Get a signing commitment by its participant index.
pub fn signing_commitment(&self, index: &u16) -> round1::SigningCommitments<C> {
self.signing_commitments[index]
}
/// Get the signing commitments, sorted by the participant indices
pub fn signing_commitments(&self) -> Vec<round1::SigningCommitments<C>> {
let mut signing_commitments: Vec<round1::SigningCommitments<C>> =
self.signing_commitments.values().cloned().collect();
signing_commitments.sort_by_key(|a| a.index);
signing_commitments
}
/// Get the message to be signed
pub fn message(&self) -> &Vec<u8> {
&self.message
}
/// Compute the preimage to H3 to compute rho
// We separate this out into its own method so it can be tested
pub fn rho_preimage(&self) -> Vec<u8> {
let mut preimage = vec![];
preimage
.extend_from_slice(&round1::encode_group_commitments(self.signing_commitments())[..]);
preimage.extend_from_slice(C::H3(self.message.as_slice()).as_ref());
preimage
}
}
/// The product of all signers' individual commitments, published as part of the
/// final signature.
#[derive(PartialEq)]
pub struct GroupCommitment<C: Ciphersuite>(pub(super) <C::Group as Group>::Element);
// impl<C> Debug for GroupCommitment<C> where C: Ciphersuite {
// fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
// f.debug_tuple("GroupCommitment")
// .field(&hex::encode(self.0.compress().to_bytes()))
// .finish()
// }
// }
impl<C> TryFrom<&SigningPackage<C>> for GroupCommitment<C>
where
C: Ciphersuite,
{
type Error = &'static str;
/// Generates the group commitment which is published as part of the joint
/// Schnorr signature.
///
/// Implements [`compute_group_commitment`] from the spec.
///
/// [`compute_group_commitment`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-4.4
fn try_from(signing_package: &SigningPackage<C>) -> Result<GroupCommitment<C>, &'static str> {
let rho: Rho<C> = signing_package.into();
let identity = <C::Group as Group>::identity();
let mut accumulator = <C::Group as Group>::identity();
// Ala the sorting of B, just always sort by index in ascending order
//
// https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#encoding-operations-dep-encoding
for commitment in signing_package.signing_commitments() {
// The following check prevents a party from accidentally revealing their share.
// Note that the '&&' operator would be sufficient.
if identity == commitment.binding.0 || identity == commitment.hiding.0 {
return Err("Commitment equals the identity.");
}
accumulator = accumulator + (commitment.hiding.0 + (commitment.binding.0 * rho.0))
}
Ok(GroupCommitment(accumulator))
}
}
////////////////////////////////////////////////////////////////////////////////
// Aggregation
////////////////////////////////////////////////////////////////////////////////
/// Verifies each participant's signature share, and if all are valid,
/// aggregates the shares into a signature to publish.
///
/// Resulting signature is compatible with verification of a plain SpendAuth
/// signature.
///
/// This operation is performed by a coordinator that can communicate with all
/// the signing participants before publishing the final signature. The
/// coordinator can be one of the participants or a semi-trusted third party
/// (who is trusted to not perform denial of service attacks, but does not learn
/// any secret information). Note that because the coordinator is trusted to
/// report misbehaving parties in order to avoid publishing an invalid
/// signature, if the coordinator themselves is a signer and misbehaves, they
/// can avoid that step. However, at worst, this results in a denial of
/// service attack due to publishing an invalid signature.
pub fn aggregate<C>(
signing_package: &SigningPackage<C>,
signature_shares: &[round2::SignatureShare<C>],
pubkeys: &keys::PublicKeyPackage<C>,
) -> Result<Signature<C>, &'static str>
where
C: Ciphersuite,
{
// Encodes the signing commitment list produced in round one as part of generating [`Rho`], the
// binding factor.
let rho: Rho<C> = signing_package.into();
// Compute the group commitment from signing commitments produced in round one.
let group_commitment = GroupCommitment::<C>::try_from(signing_package)?;
// Compute the per-message challenge.
let challenge = crate::challenge::<C>(
&group_commitment.0,
&pubkeys.group_public.element,
signing_package.message().as_slice(),
);
// Verify the signature shares.
for signature_share in signature_shares {
// Look up the public key for this signer, where `signer_pubkey` = _G.ScalarBaseMult(s[i])_,
// and where s[i] is a secret share of the constant term of _f_, the secret polynomial.
let signer_pubkey = pubkeys.signer_pubkeys.get(&signature_share.index).unwrap();
// Compute Lagrange coefficient.
let lambda_i = derive_lagrange_coeff(signature_share.index, signing_package)?;
// Compute the commitment share.
let R_share = signing_package
.signing_commitment(&signature_share.index)
.to_group_commitment_share(&rho);
// Compute relation values to verify this signature share.
signature_share.verify(&R_share, signer_pubkey, lambda_i, &challenge)?;
}
// The aggregation of the signature shares by summing them up, resulting in
// a plain Schnorr signature.
//
// Implements [`frost_aggregate`] from the spec.
//
// [`frost_aggregate`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-5.3-4
let mut z = <<C::Group as Group>::Field as Field>::zero();
for signature_share in signature_shares {
z = z + signature_share.signature.z_share;
}
Ok(Signature {
R: group_commitment.0,
z,
})
}

198
frost-core/src/frost/identifier.rs Normal file
View File

@ -0,0 +1,198 @@
//! FROST participant identifiers
use std::{
fmt::{self, Debug},
hash::{Hash, Hasher},
ops::{Deref, Index},
};
use crate::{Ciphersuite, Error, Field, Group, Scalar};
/// A FROST participant identifier.
///
/// The identifier is a field element in the scalar field that the secret polynomial is defined
/// over, corresponding to some x-coordinate for a polynomial f(x) = y. MUST NOT be zero in the
/// field, as f(0) = the shared secret.
#[derive(Copy, Clone)]
pub struct Identifier<C: Ciphersuite>(pub(crate) Scalar<C>);
impl<C> AsRef<Scalar<C>> for Identifier<C>
where
C: Ciphersuite,
{
fn as_ref(&self) -> &Scalar<C> {
&self.0
}
}
impl<C> Debug for Identifier<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_tuple("Identifier")
.field(&usize::from(*self))
.finish()
}
}
impl<C> Deref for Identifier<C>
where
C: Ciphersuite,
{
type Target = Scalar<C>;
fn deref(&self) -> &Self::Target {
&self.0
}
}
// impl<C> Deref for &Identifier<C>
// where
// C: Ciphersuite,
// {
// type Target = Scalar<C>;
// fn deref(&self) -> &Self::Target {
// &self.0
// }
// }
impl<C> Eq for Identifier<C> where C: Ciphersuite {}
impl<C> From<Identifier<C>> for usize
where
C: Ciphersuite,
{
// TODO: this feels janky, are we confident we aren't clamping off the higher byte values?
fn from(id: Identifier<C>) -> usize {
// This is 8 bytes because usize is up to 8 bytes depending on the platform.
//
// https://doc.rust-lang.org/stable/std/primitive.usize.html#method.from_le_bytes
let mut bytes = [0u8; 8];
let serialized = <<C::Group as Group>::Field as Field>::serialize(&id.0);
for i in 0..bytes.len() {
bytes[i] = serialized.as_ref()[i];
}
usize::from_le_bytes(bytes)
}
}
impl<C> Hash for Identifier<C>
where
C: Ciphersuite,
{
fn hash<H: Hasher>(&self, state: &mut H) {
<<C::Group as Group>::Field as Field>::serialize(&self.0)
.as_ref()
.hash(state)
}
}
impl<C, T> Index<Identifier<C>> for Vec<T>
where
C: Ciphersuite,
{
type Output = T;
fn index(&self, id: Identifier<C>) -> &Self::Output {
&self[usize::from(id)]
}
}
// impl<C> std::ops::Mul for Identifier<C>
// where
// C: Ciphersuite,
// {
// type Output = Self;
// fn mul(self, rhs: Identifier<C>) -> Self::Output {
// Self(self.0 * rhs.0)
// }
// }
// impl<C> std::ops::Mul<Scalar<C>> for Identifier<C>
// where
// C: Ciphersuite,
// {
// type Output = Scalar<C>;
// fn mul(self, scalar: Scalar<C>) -> Scalar<C> {
// self.0 * scalar
// }
// }
// impl<'a, 'b, C> std::ops::Mul<&'b Identifier<C>> for &'a Scalar<C>
// where
// C: Ciphersuite,
// {
// type Output = Scalar<C>;
// fn mul(self, id: &'b Identifier<C>) -> Scalar<C> {
// self * id.0
// }
// }
impl<C> PartialEq for Identifier<C>
where
C: Ciphersuite,
{
fn eq(&self, other: &Self) -> bool {
self.0 == other.0
}
}
// impl<C> std::ops::Sub for Identifier<C>
// where
// C: Ciphersuite,
// {
// type Output = Self;
// fn sub(self, rhs: Identifier<C>) -> Self::Output {
// Self(self.0 - rhs.0)
// }
// }
// impl<C> std::ops::Sub<Scalar<C>> for Identifier<C>
// where
// C: Ciphersuite,
// {
// type Output = Scalar<C>;
// fn sub(self, scalar: Scalar<C>) -> Scalar<C> {
// self.0 - scalar
// }
// }
impl<C> TryFrom<u16> for Identifier<C>
where
C: Ciphersuite,
{
type Error = Error;
// TODO: this feels like a cluster. Improve?
fn try_from(n: u16) -> Result<Identifier<C>, Self::Error> {
let mut bytes =
Vec::from(<<C::Group as Group>::Field as Field>::Serialization::default().as_ref());
for (i, byte) in n.to_le_bytes().iter().enumerate() {
bytes[i] = *byte;
}
let serialization = bytes
.try_into()
.map_err(|_| Self::Error::MalformedIdentifier)?;
let scalar = <<C::Group as Group>::Field as Field>::deserialize(&serialization)?;
// Participant identifiers are public, so this comparison doesn't need to be constant-time.
if scalar == <<C::Group as Group>::Field as Field>::zero() {
Err(Self::Error::InvalidZeroScalar)
} else {
Ok(Self(scalar))
}
}
}

513
frost-core/src/frost/keys.rs Normal file
View File

@ -0,0 +1,513 @@
//! FROST keys, keygen, key shares
use std::{
collections::HashMap,
convert::TryFrom,
default::Default,
fmt::{self, Debug},
};
use hex::FromHex;
use rand_core::{CryptoRng, RngCore};
use zeroize::{DefaultIsZeroes, Zeroize};
use crate::{frost::Identifier, Ciphersuite, Error, Field, Group, Scalar, VerifyingKey};
/// A secret scalar value representing a signer's secret key.
#[derive(Clone, Copy, PartialEq)]
pub struct Secret<C: Ciphersuite>(pub(crate) Scalar<C>);
impl<C> Secret<C>
where
C: Ciphersuite,
{
/// Deserialize [`Secret`] from bytes
pub fn from_bytes(
bytes: <<C::Group as Group>::Field as Field>::Serialization,
) -> Result<Self, Error> {
<<C::Group as Group>::Field as Field>::deserialize(&bytes).map(|scalar| Self(scalar))
}
/// Serialize [`Secret`] to bytes
pub fn to_bytes(&self) -> <<C::Group as Group>::Field as Field>::Serialization {
<<C::Group as Group>::Field as Field>::serialize(&self.0)
}
/// Generates a new uniformly random secret value using the provided RNG.
// TODO: should this only be behind test?
pub fn random<R>(mut rng: R) -> Self
where
R: CryptoRng + RngCore,
{
Self(<<C::Group as Group>::Field as Field>::random_nonzero(
&mut rng,
))
}
}
impl<C> Debug for Secret<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_tuple("Secret")
.field(&hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> Default for Secret<C>
where
C: Ciphersuite,
{
fn default() -> Self {
Self(<<C::Group as Group>::Field as Field>::zero())
}
}
// Implements [`Zeroize`] by overwriting a value with the [`Default::default()`] value
impl<C> DefaultIsZeroes for Secret<C> where C: Ciphersuite {}
// impl<C> Drop for Secret<C>
// where
// C: Ciphersuite,
// {
// fn drop(&mut self) {
// self.zeroize()
// }
// }
impl<C> From<&Secret<C>> for VerifyingKey<C>
where
C: Ciphersuite,
{
fn from(secret: &Secret<C>) -> Self {
let element = <C::Group as Group>::generator() * secret.0;
VerifyingKey { element }
}
}
impl<C> FromHex for Secret<C>
where
C: Ciphersuite,
{
type Error = &'static str;
fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
match FromHex::from_hex(hex) {
Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed secret encoding"),
Err(_) => Err("invalid hex"),
}
}
}
/// A public group element that represents a single signer's public key.
#[derive(Copy, Clone, PartialEq)]
pub struct Public<C>(pub(super) <C::Group as Group>::Element)
where
C: Ciphersuite;
impl<C> Public<C>
where
C: Ciphersuite,
{
/// Deserialize from bytes
pub fn from_bytes(bytes: <C::Group as Group>::Serialization) -> Result<Self, Error> {
<C::Group as Group>::deserialize(&bytes).map(|element| Self(element))
}
/// Serialize [`Public`] to bytes
pub fn to_bytes(&self) -> <C::Group as Group>::Serialization {
<C::Group as Group>::serialize(&self.0)
}
}
impl<C> Debug for Public<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_tuple("Public")
.field(&hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> From<Secret<C>> for Public<C>
where
C: Ciphersuite,
{
fn from(secret: Secret<C>) -> Public<C> {
Public(<C::Group as Group>::generator() * secret.0 as Scalar<C>)
}
}
/// A [`Group::Element`] that is a commitment to one coefficient of our secret polynomial.
///
/// This is a (public) commitment to one coefficient of a secret polynomial used for performing
/// verifiable secret sharing for a Shamir secret share.
#[derive(Clone, Copy, PartialEq)]
pub(super) struct CoefficientCommitment<C: Ciphersuite>(pub(super) <C::Group as Group>::Element);
/// Contains the commitments to the coefficients for our secret polynomial _f_,
/// used to generate participants' key shares.
///
/// [`VerifiableSecretSharingCommitment`] contains a set of commitments to the coefficients (which
/// themselves are scalars) for a secret polynomial f, where f is used to
/// generate each ith participant's key share f(i). Participants use this set of
/// commitments to perform verifiable secret sharing.
///
/// Note that participants MUST be assured that they have the *same*
/// [`VerifiableSecretSharingCommitment`], either by performing pairwise comparison, or by using
/// some agreed-upon public location for publication, where each participant can
/// ensure that they received the correct (and same) value.
#[derive(Clone)]
pub struct VerifiableSecretSharingCommitment<C: Ciphersuite>(
pub(super) Vec<CoefficientCommitment<C>>,
);
/// A secret share generated by performing a (t-out-of-n) secret sharing scheme.
///
/// `n` is the total number of shares and `t` is the threshold required to reconstruct the secret;
/// in this case we use Shamir's secret sharing.
///
/// As a solution to the secret polynomial _f_ (a 'point'), the `index` is the x-coordinate, and the
/// `value` is the y-coordinate.
#[derive(Clone, Zeroize)]
pub struct SecretShare<C: Ciphersuite> {
/// The participant index of this [`SecretShare`].
pub index: u16,
/// Secret Key.
pub value: Secret<C>,
/// The commitments to be distributed among signers.
pub commitment: VerifiableSecretSharingCommitment<C>,
}
impl<C> SecretShare<C>
where
C: Ciphersuite,
{
/// Gets the inner [`Secret`] share value.
pub fn secret(&self) -> &Secret<C> {
&self.value
}
/// Verifies that a secret share is consistent with a verifiable secret sharing commitment.
///
/// This ensures that this participant's share has been generated using the same
/// mechanism as all other signing participants. Note that participants *MUST*
/// ensure that they have the same view as all other participants of the
/// commitment!
///
/// An implementation of `vss_verify()` from the [spec].
///
/// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#appendix-B.2-4
pub fn verify(&self) -> Result<(), &'static str> {
let f_result = <C::Group as Group>::generator() * self.value.0;
let x = Identifier::<C>::try_from(self.index).unwrap();
let (_, result) = self.commitment.0.iter().fold(
(
<<C::Group as Group>::Field as Field>::one(),
<C::Group as Group>::identity(),
),
|(x_to_the_i, sum_so_far), comm_i| {
(*x * x_to_the_i, sum_so_far + comm_i.0 * x_to_the_i)
},
);
if !(f_result == result) {
return Err("SecretShare is invalid.");
}
Ok(())
}
}
/// Secret and public key material generated by a dealer performing
/// [`keygen_with_dealer`].
///
/// To derive a FROST keypair, the receiver of the [`SharePackage`] *must* call
/// .into(), which under the hood also performs validation.
#[derive(Clone)]
pub struct SharePackage<C: Ciphersuite> {
/// Denotes the participant index each share is owned by.
pub index: u16,
/// This participant's secret share.
pub secret_share: SecretShare<C>,
/// This participant's public key.
pub public: Public<C>,
/// The public signing key that represents the entire group.
pub group_public: VerifyingKey<C>,
}
/// Allows all participants' keys to be generated using a central, trusted
/// dealer.
///
/// Under the hood, this performs verifiable secret sharing, which itself uses
/// Shamir secret sharing, from which each share becomes a participant's secret
/// key. The output from this function is a set of shares along with one single
/// commitment that participants use to verify the integrity of the share. The
/// number of signers is limited to 255.
///
/// Implements [`trusted_dealer_keygen`] from the spec.
///
/// [`trusted_dealer_keygen`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#appendix-B
pub fn keygen_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(
num_signers: u8,
threshold: u8,
mut rng: R,
) -> Result<(Vec<SharePackage<C>>, PublicKeyPackage<C>), &'static str> {
let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes);
let secret = Secret::random(&mut rng);
let group_public = VerifyingKey::from(&secret);
let secret_shares = generate_secret_shares(&secret, num_signers, threshold, rng)?;
let mut share_packages: Vec<SharePackage<C>> = Vec::with_capacity(num_signers as usize);
let mut signer_pubkeys: HashMap<u16, Public<C>> = HashMap::with_capacity(num_signers as usize);
for secret_share in secret_shares {
let signer_public = secret_share.value.into();
share_packages.push(SharePackage {
index: secret_share.index,
secret_share: secret_share.clone(),
public: signer_public,
group_public,
});
signer_pubkeys.insert(secret_share.index, signer_public);
}
Ok((
share_packages,
PublicKeyPackage {
signer_pubkeys,
group_public,
},
))
}
/// A FROST keypair, which can be generated either by a trusted dealer or using
/// a DKG.
///
/// When using a central dealer, [`SharePackage`]s are distributed to
/// participants, who then perform verification, before deriving
/// [`KeyPackage`]s, which they store to later use during signing.
#[derive(Clone)]
pub struct KeyPackage<C: Ciphersuite> {
/// Denotes the participant index each secret share key package is owned by.
pub index: u16,
/// This participant's secret share.
pub secret_share: Secret<C>,
/// This participant's public key.
pub public: Public<C>,
/// The public signing key that represents the entire group.
pub group_public: VerifyingKey<C>,
}
impl<C> KeyPackage<C>
where
C: Ciphersuite,
{
/// Gets the participant index associated with this [`KeyPackage`].
pub fn index(&self) -> &u16 {
&self.index
}
/// Gets the participant's [`Secret`] share associated with this [`KeyPackage`].
pub fn secret_share(&self) -> &Secret<C> {
&self.secret_share
}
/// Gets the participant's [`Public`] key associated with this [`Secret`] share in this [`KeyPackage`].
pub fn public(&self) -> &Public<C> {
&self.public
}
/// Gets the group [`VerifyingKey`] associated with the entire group in this [`KeyPackage`].
pub fn group_public(&self) -> &VerifyingKey<C> {
&self.group_public
}
}
impl<C> TryFrom<SharePackage<C>> for KeyPackage<C>
where
C: Ciphersuite,
{
type Error = &'static str;
/// Tries to verify a share and construct a [`KeyPackage`] from it.
///
/// When participants receive a [`SharePackage`] from the dealer, they
/// *MUST* verify the integrity of the share before continuing on to
/// transform it into a signing/verification keypair. Here, we assume that
/// every participant has the same view of the commitment issued by the
/// dealer, but implementations *MUST* make sure that all participants have
/// a consistent view of this commitment in practice.
fn try_from(share_package: SharePackage<C>) -> Result<Self, &'static str> {
share_package.secret_share.verify()?;
Ok(KeyPackage {
index: share_package.index,
secret_share: share_package.secret_share.value,
public: share_package.public,
group_public: share_package.group_public,
})
}
}
/// Public data that contains all the signers' public keys as well as the
/// group public key.
///
/// Used for verification purposes before publishing a signature.
pub struct PublicKeyPackage<C: Ciphersuite> {
/// When performing signing, the coordinator must ensure that they have the
/// correct view of participants' public keys to perform verification before
/// publishing a signature. `signer_pubkeys` represents all signers for a
/// signing operation.
pub signer_pubkeys: HashMap<u16, Public<C>>,
/// The joint public key for the entire group.
pub group_public: VerifyingKey<C>,
}
/// Creates secret shares for a given secret.
///
/// This function accepts a secret from which shares are generated. While in
/// FROST this secret should always be generated randomly, we allow this secret
/// to be specified for this internal function for testability.
///
/// Internally, [`generate_secret_shares`] performs verifiable secret sharing, which
/// generates shares via Shamir Secret Sharing, and then generates public
/// commitments to those shares.
///
/// More specifically, [`generate_secret_shares`]:
/// - Randomly samples of coefficients [a, b, c], this represents a secret
/// polynomial f
/// - For each participant i, their secret share is f(i)
/// - The commitment to the secret polynomial f is [g^a, g^b, g^c]
///
/// Implements [`secret_key_shard`] from the spec.
///
/// [`secret_key_shard`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#appendix-B.1
pub fn generate_secret_shares<C: Ciphersuite, R: RngCore + CryptoRng>(
secret: &Secret<C>,
numshares: u8,
threshold: u8,
mut rng: R,
) -> Result<Vec<SecretShare<C>>, &'static str> {
if threshold < 2 {
return Err("Threshold cannot be less than 2");
}
if numshares < 2 {
return Err("Number of shares cannot be less than the minimum threshold 2");
}
if threshold > numshares {
return Err("Threshold cannot exceed numshares");
}
let numcoeffs = threshold - 1;
let mut coefficients: Vec<Scalar<C>> = Vec::with_capacity(threshold as usize);
let mut secret_shares: Vec<SecretShare<C>> = Vec::with_capacity(numshares as usize);
let mut commitment: VerifiableSecretSharingCommitment<C> =
VerifiableSecretSharingCommitment(Vec::with_capacity(threshold as usize));
for _ in 0..numcoeffs {
coefficients.push(<<C::Group as Group>::Field as Field>::random(&mut rng));
}
// Verifiable secret sharing, to make sure that participants can ensure their
// secret is consistent with every other participant's.
commitment.0.push(CoefficientCommitment(
<C::Group as Group>::generator() * secret.0,
));
for c in &coefficients {
commitment
.0
.push(CoefficientCommitment(<C::Group as Group>::generator() * *c));
}
// Evaluate the polynomial with `secret` as the constant term
// and `coeffs` as the other coefficients at the point x=share_index,
// using Horner's method.
for id in (1..=numshares as u16).map_while(|i| Identifier::<C>::try_from(i).ok()) {
let mut value = <<C::Group as Group>::Field as Field>::zero();
// Polynomial evaluation, for this index
//
// We rely only on `Add` and `Mul` here so as to not require `AddAssign` and `MulAssign`
//
// Note that this is from the 'last' coefficient to the 'first'.
for i in (0..numcoeffs).rev() {
value = value + coefficients[i as usize];
value = *id * value;
}
value = value + secret.0;
secret_shares.push(SecretShare {
index: usize::from(id) as u16,
value: Secret(value),
commitment: commitment.clone(),
});
}
Ok(secret_shares)
}
/// Recompute the secret from t-of-n secret shares using Lagrange interpolation.
pub fn reconstruct_secret<C: Ciphersuite>(
secret_shares: Vec<SecretShare<C>>,
) -> Result<Secret<C>, &'static str> {
if secret_shares.is_empty() {
return Err("No secret_shares provided");
}
let secret_share_map: HashMap<Identifier<C>, SecretShare<C>> = secret_shares
.into_iter()
.map(|share| (Identifier::<C>::try_from(share.index).unwrap(), share))
.collect();
let mut secret = <<C::Group as Group>::Field as Field>::zero();
// Compute the Lagrange coefficients
for (i, secret_share) in secret_share_map.clone() {
let mut num = <<C::Group as Group>::Field as Field>::one();
let mut den = <<C::Group as Group>::Field as Field>::one();
for j in secret_share_map.clone().into_keys() {
if j == i {
continue;
}
// numerator *= j
num = num * *j;
// denominator *= j - i
den = den * (*j - *i);
}
// If at this step, the denominator is zero in the scalar field, there must be a duplicate
// secret share.
if den == <<C::Group as Group>::Field as Field>::zero() {
return Err("Duplicate shares provided");
}
// Save numerator * 1/denomintor in the scalar field
let lagrange_coefficient =
num * <<C::Group as Group>::Field as Field>::invert(&den).unwrap();
// Compute y = f(0) via polynomial interpolation of these t-of-n solutions ('points) of f
secret = secret + (lagrange_coefficient * secret_share.value.0);
}
Ok(Secret::from_bytes(<<C::Group as Group>::Field as Field>::serialize(&secret)).unwrap())
}

303
frost-core/src/frost/round1.rs Normal file
View File

@ -0,0 +1,303 @@
//! FROST Round 1 functionality and types
use std::fmt::{self, Debug};
use hex::FromHex;
use rand_core::{CryptoRng, RngCore};
use zeroize::Zeroize;
use crate::{frost, Ciphersuite, Error, Field, Group};
/// A scalar that is a signing nonce.
#[derive(Clone, PartialEq, Zeroize)]
pub struct Nonce<C: Ciphersuite>(pub(super) <<C::Group as Group>::Field as Field>::Scalar);
impl<C> Nonce<C>
where
C: Ciphersuite,
{
/// Generates a new uniformly random signing nonce.
///
/// Each participant generates signing nonces before performing a signing
/// operation.
///
/// An implementation of `RandomNonzeroScalar()` from the [spec].
///
/// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.4
pub fn random<R>(rng: &mut R) -> Self
where
R: CryptoRng + RngCore,
{
// The values of 'hiding' and 'binding' nonces must be non-zero so that commitments are
// not the identity.
Self(<<C::Group as Group>::Field as Field>::random_nonzero(rng))
}
/// Deserialize [`Nonce`] from bytes
pub fn from_bytes(
bytes: <<C::Group as Group>::Field as Field>::Serialization,
) -> Result<Self, Error> {
<<C::Group as Group>::Field as Field>::deserialize(&bytes).map(|scalar| Self(scalar))
}
/// Serialize [`Nonce`] to bytes
pub fn to_bytes(&self) -> <<C::Group as Group>::Field as Field>::Serialization {
<<C::Group as Group>::Field as Field>::serialize(&self.0)
}
}
// impl<C> Drop for Nonce<C>
// where
// C: Ciphersuite,
// {
// fn drop(&mut self) {
// self.zeroize()
// }
// }
impl<C> FromHex for Nonce<C>
where
C: Ciphersuite,
{
type Error = &'static str;
fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
match FromHex::from_hex(hex) {
Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed nonce encoding"),
Err(_) => Err("invalid hex"),
}
}
}
/// A Ristretto point that is a commitment to a signing nonce share.
#[derive(Clone, Copy, PartialEq)]
pub struct NonceCommitment<C: Ciphersuite>(pub(super) <C::Group as Group>::Element);
impl<C> NonceCommitment<C>
where
C: Ciphersuite,
{
/// Deserialize [`NonceCommitment`] from bytes
pub fn from_bytes(bytes: <C::Group as Group>::Serialization) -> Result<Self, Error> {
<C::Group as Group>::deserialize(&bytes).map(|element| Self(element))
}
/// Serialize [`NonceCommitment`] to bytes
pub fn to_bytes(&self) -> <C::Group as Group>::Serialization {
<C::Group as Group>::serialize(&self.0)
}
}
impl<C> Debug for NonceCommitment<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_tuple("NonceCommitment")
.field(&hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> From<Nonce<C>> for NonceCommitment<C>
where
C: Ciphersuite,
{
fn from(nonce: Nonce<C>) -> Self {
From::from(&nonce)
}
}
impl<C> From<&Nonce<C>> for NonceCommitment<C>
where
C: Ciphersuite,
{
fn from(nonce: &Nonce<C>) -> Self {
Self(<C::Group as Group>::generator() * nonce.0)
}
}
impl<C> FromHex for NonceCommitment<C>
where
C: Ciphersuite,
{
type Error = &'static str;
fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
match FromHex::from_hex(hex) {
Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed nonce commitment encoding"),
Err(_) => Err("invalid hex"),
}
}
}
/// Comprised of hiding and binding nonces.
///
/// Note that [`SigningNonces`] must be used *only once* for a signing
/// operation; re-using nonces will result in leakage of a signer's long-lived
/// signing key.
#[derive(Clone, Zeroize)]
pub struct SigningNonces<C: Ciphersuite> {
/// The hiding [`Nonce`].
pub hiding: Nonce<C>,
/// The binding [`Nonce`].
pub binding: Nonce<C>,
}
impl<C> SigningNonces<C>
where
C: Ciphersuite,
{
/// Generates a new signing nonce.
///
/// Each participant generates signing nonces before performing a signing
/// operation.
pub fn new<R>(rng: &mut R) -> Self
where
R: CryptoRng + RngCore,
{
// The values of 'hiding' and 'binding' must be non-zero so that commitments are
// not the identity.
let hiding = Nonce::<C>::random(rng);
let binding = Nonce::<C>::random(rng);
Self { hiding, binding }
}
/// Gets the hiding [`Nonce`]
pub fn hiding(&self) -> &Nonce<C> {
&self.hiding
}
/// Gets the binding [`Nonce`]
pub fn binding(&self) -> &Nonce<C> {
&self.binding
}
}
/// Published by each participant in the first round of the signing protocol.
///
/// This step can be batched if desired by the implementation. Each
/// SigningCommitment can be used for exactly *one* signature.
#[derive(Copy, Clone)]
pub struct SigningCommitments<C: Ciphersuite> {
/// The participant index.
pub index: u16,
/// Commitment to the hiding [`Nonce`].
pub hiding: NonceCommitment<C>,
/// Commitment to the binding [`Nonce`].
pub binding: NonceCommitment<C>,
}
impl<C> SigningCommitments<C>
where
C: Ciphersuite,
{
/// Computes the [signature commitment share] from these round one signing commitments.
///
/// [signature commitment share]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#name-signature-share-verificatio
pub(super) fn to_group_commitment_share(
self,
binding_factor: &frost::Rho<C>,
) -> GroupCommitmentShare<C> {
GroupCommitmentShare::<C>(self.hiding.0 + (self.binding.0 * binding_factor.0))
}
/// Gets the hiding [`NonceCommitment`].
pub fn hiding(&self) -> &NonceCommitment<C> {
&self.hiding
}
/// Gets the binding [`NonceCommitment`].
pub fn binding(&self) -> &NonceCommitment<C> {
&self.binding
}
}
impl<C> From<(u16, &SigningNonces<C>)> for SigningCommitments<C>
where
C: Ciphersuite,
{
fn from((index, nonces): (u16, &SigningNonces<C>)) -> Self {
Self {
index,
hiding: nonces.hiding.clone().into(),
binding: nonces.binding.clone().into(),
}
}
}
/// One signer's share of the group commitment, derived from their individual signing commitments
/// and the binding factor _rho_.
#[derive(Clone, Copy, PartialEq)]
pub struct GroupCommitmentShare<C: Ciphersuite>(pub(super) <C::Group as Group>::Element);
/// Encode the list of group signing commitments.
///
/// Implements [`encode_group_commitment_list()`] from the spec.
///
/// Inputs:
/// - commitment_list = [(j, D_j, E_j), ...], a list of commitments issued by each signer,
/// where each element in the list indicates the signer index and their
/// two commitment Element values. B MUST be sorted in ascending order
/// by signer index.
///
/// Outputs:
/// - A byte string containing the serialized representation of B.
///
/// [`encode_group_commitment_list()`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-4.3
pub(super) fn encode_group_commitments<C: Ciphersuite>(
signing_commitments: Vec<SigningCommitments<C>>,
) -> Vec<u8> {
// B MUST be sorted in ascending order by signer index.
//
// https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#encoding-operations-dep-encoding
//
// TODO: AtLeastOne or other explicitly Sorted wrapper types?
let mut sorted_signing_commitments = signing_commitments;
sorted_signing_commitments.sort_by_key(|a| a.index);
let mut bytes = vec![];
for item in sorted_signing_commitments {
bytes.extend_from_slice(&item.index.to_be_bytes()); // TODO: 2-bytes until spec moves off u16
bytes.extend_from_slice(<C::Group as Group>::serialize(&item.hiding.0).as_ref());
bytes.extend_from_slice(<C::Group as Group>::serialize(&item.binding.0).as_ref());
}
bytes
}
/// Done once by each participant, to generate _their_ nonces and commitments
/// that are then used during signing.
///
/// When performing signing using two rounds, num_nonces would equal 1, to
/// perform the first round. Batching entails generating more than one
/// nonce/commitment pair at a time. Nonces should be stored in secret storage
/// for later use, whereas the commitments are published.
///
/// The number of nonces is limited to 255. This limit can be increased if it
/// turns out to be too conservative.
// TODO: Make sure the above is a correct statement, fix if needed in:
// https://github.com/ZcashFoundation/redjubjub/issues/111
pub fn preprocess<C, R>(
num_nonces: u8,
participant_index: u16,
rng: &mut R,
) -> (Vec<SigningNonces<C>>, Vec<SigningCommitments<C>>)
where
C: Ciphersuite,
R: CryptoRng + RngCore,
{
let mut signing_nonces: Vec<SigningNonces<C>> = Vec::with_capacity(num_nonces as usize);
let mut signing_commitments: Vec<SigningCommitments<C>> =
Vec::with_capacity(num_nonces as usize);
for _ in 0..num_nonces {
let nonces = SigningNonces::new(rng);
signing_commitments.push(SigningCommitments::from((participant_index, &nonces)));
signing_nonces.push(nonces);
}
(signing_nonces, signing_commitments)
}

164
frost-core/src/frost/round2.rs Normal file
View File

@ -0,0 +1,164 @@
//! FROST Round 2 functionality and types, for signature share generation
use std::fmt::{self, Debug};
use crate::{
challenge,
frost::{self, round1, *},
Challenge, Ciphersuite, Error, Field, Group,
};
/// A representation of a single signature share used in FROST structures and messages.
#[derive(Clone, Copy)]
pub struct SignatureResponse<C: Ciphersuite> {
/// The [`Scalar`] contribution to the group signature.
pub z_share: <<C::Group as Group>::Field as Field>::Scalar,
}
impl<C> SignatureResponse<C>
where
C: Ciphersuite,
{
/// Deserialize [`SignatureResponse`] from bytes
pub fn from_bytes(
bytes: <<C::Group as Group>::Field as Field>::Serialization,
) -> Result<Self, Error> {
<<C::Group as Group>::Field as Field>::deserialize(&bytes)
.map(|scalar| Self { z_share: scalar })
}
/// Serialize [`SignatureResponse`] to bytes
pub fn to_bytes(&self) -> <<C::Group as Group>::Field as Field>::Serialization {
<<C::Group as Group>::Field as Field>::serialize(&self.z_share)
}
}
impl<C> Debug for SignatureResponse<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_struct("SignatureResponse")
.field("z_share", &hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> Eq for SignatureResponse<C> where C: Ciphersuite {}
impl<C> PartialEq for SignatureResponse<C>
where
C: Ciphersuite,
{
// TODO: should this have any constant-time guarantees? I think signature shares are public.
fn eq(&self, other: &Self) -> bool {
self.z_share == other.z_share
}
}
/// A participant's signature share, which the coordinator will aggregate with all other signer's
/// shares into the joint signature.
#[derive(Clone, Copy, Eq, PartialEq)]
pub struct SignatureShare<C: Ciphersuite> {
/// Represents the participant index.
pub index: u16,
/// This participant's signature over the message.
pub signature: SignatureResponse<C>,
}
impl<C> SignatureShare<C>
where
C: Ciphersuite,
{
/// Gets the participant index associated with this [`SignatureShare`].
pub fn index(&self) -> &u16 {
&self.index
}
/// Tests if a signature share issued by a participant is valid before
/// aggregating it into a final joint signature to publish.
///
/// This is the final step of [`verify_signature_share`] from the spec.
///
/// [`verify_signature_share`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-5.3
pub fn verify(
&self,
group_commitment_share: &round1::GroupCommitmentShare<C>,
public_key: &frost::keys::Public<C>,
lambda_i: <<C::Group as Group>::Field as Field>::Scalar,
challenge: &Challenge<C>,
) -> Result<(), &'static str> {
if (<C::Group as Group>::generator() * self.signature.z_share)
!= (group_commitment_share.0 + (public_key.0 * challenge.0 * lambda_i))
{
return Err("Invalid signature share");
}
Ok(())
}
}
impl<C> Debug for SignatureShare<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_struct("SignatureShare")
.field("index", &self.index)
.field("signature", &self.signature)
.finish()
}
}
// // Zeroizes `SignatureShare` to be the `Default` value on drop (when it goes out
// // of scope). Luckily the derived `Default` includes the `Default` impl of
// // Scalar, which is four 0u64's under the hood, and u16, which is
// // 0u16.
// impl DefaultIsZeroes for SignatureShare {}
/// Performed once by each participant selected for the signing operation.
///
/// Implements [`sign`] from the spec.
///
/// Receives the message to be signed and a set of signing commitments and a set
/// of randomizing commitments to be used in that signing operation, including
/// that for this participant.
///
/// Assumes the participant has already determined which nonce corresponds with
/// the commitment that was assigned by the coordinator in the SigningPackage.
///
/// [`sign`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-03.html#section-5.2
pub fn sign<C: Ciphersuite>(
signing_package: &SigningPackage<C>,
signer_nonces: &round1::SigningNonces<C>,
key_package: &frost::keys::KeyPackage<C>,
) -> Result<SignatureShare<C>, &'static str> {
// Encodes the signing commitment list produced in round one as part of generating [`Rho`], the
// binding factor.
let rho: frost::Rho<C> = signing_package.into();
// Compute the group commitment from signing commitments produced in round one.
let group_commitment = GroupCommitment::<C>::try_from(signing_package)?;
// Compute Lagrange coefficient.
let lambda_i = frost::derive_lagrange_coeff(*key_package.index(), signing_package)?;
// Compute the per-message challenge.
let challenge = challenge::<C>(
&group_commitment.0,
&key_package.group_public.element,
signing_package.message.as_slice(),
);
// Compute the Schnorr signature share.
let z_share: <<C::Group as Group>::Field as Field>::Scalar = signer_nonces.hiding.0
+ (signer_nonces.binding.0 * rho.0)
+ (lambda_i * key_package.secret_share.0 * challenge.0);
let signature_share = SignatureShare::<C> {
index: *key_package.index(),
signature: SignatureResponse::<C> { z_share },
};
Ok(signature_share)
}

244
frost-core/src/lib.rs
View File

@ -1,8 +1,240 @@
#[cfg(test)]
mod tests {
#[test]
fn it_works() {
let result = 2 + 2;
assert_eq!(result, 4);
#![allow(non_snake_case)]
#![deny(missing_docs)]
#![doc = include_str!("../README.md")]
#![forbid(unsafe_code)]
use std::{
default::Default,
fmt::Debug,
ops::{Add, Mul, Sub},
};
use hex::FromHex;
use rand_core::{CryptoRng, RngCore};
// pub mod batch;
mod error;
pub mod frost;
// mod scalar_mul;
mod signature;
mod signing_key;
mod verifying_key;
pub use error::Error;
pub use signature::Signature;
pub use signing_key::SigningKey;
pub use verifying_key::VerifyingKey;
/// A prime order finite field GF(q) over which all scalar values for our prime order group can be
/// multiplied are defined.
///
/// This trait does not have to be implemented for a finite field scalar itself, it can be a
/// pass-through, implemented for a type just for the ciphersuite, and calls through to another
/// implementation underneath, so that this trait does not have to be implemented for types you
/// don't own.
pub trait Field: Copy + Clone {
/// An element of the scalar field GF(p).
type Scalar: Add<Output = Self::Scalar>
+ Copy
+ Clone
+ Eq
+ Mul<Output = Self::Scalar>
+ PartialEq
+ Sub<Output = Self::Scalar>;
/// A unique byte array buf of fixed length N.
///
/// Little-endian!
type Serialization: AsRef<[u8]> + AsMut<[u8]> + Debug + Default + FromHex + TryFrom<Vec<u8>>;
/// Returns the zero element of the field, the additive identity.
fn zero() -> Self::Scalar;
/// Returns the one element of the field, the multiplicative identity.
fn one() -> Self::Scalar;
/// Computes the multiplicative inverse of an element of the scalar field, failing if the
/// element is zero.
fn invert(scalar: &Self::Scalar) -> Result<Self::Scalar, Error>;
/// Generate a random scalar from the entire space [0, l-1]
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.3>
fn random<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar;
/// Generate a random scalar from the entire space [1, l-1]
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.4>
fn random_nonzero<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar;
/// A member function of a group _G_ that maps an [`Element`] to a unique byte array buf of
/// fixed length Ne.
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.5>
fn serialize(scalar: &Self::Scalar) -> Self::Serialization;
/// A member function of a [`Group`] that attempts to map a byte array `buf` to an [`Element`].
///
/// Fails if the input is not a valid byte representation of an [`Element`] of the
/// [`Group`]. This function can raise a [`DeserializeError`] if deserialization fails or if the
/// resulting [`Element`] is the identity element of the group
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.6>
fn deserialize(buf: &Self::Serialization) -> Result<Self::Scalar, Error>;
}
/// An element of the [`Ciphersuite`] `C`'s [`Group`]'s scalar [`Field`].
pub type Scalar<C> = <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar;
/// A prime-order group (or subgroup) that provides everything we need to create and verify Schnorr
/// signatures.
///
/// This trait does not have to be implemented for the curve/element/point itself, it can be a
/// pass-through, implemented for a type just for the ciphersuite, and calls through to another
/// implementation underneath, so that this trait does not have to be implemented for types you
/// don't own.
pub trait Group: Copy + Clone {
/// A prime order finite field GF(q) over which all scalar values for our prime order group can
/// be multiplied are defined.
type Field: Field;
/// An element of our group that we will be computing over.
type Element: Add<Output = Self::Element>
+ Copy
+ Clone
+ Eq
+ Mul<<Self::Field as Field>::Scalar, Output = Self::Element>
+ PartialEq
+ Sub<Output = Self::Element>;
/// A unique byte array buf of fixed length N.
///
/// Little-endian!
type Serialization: AsRef<[u8]> + AsMut<[u8]> + Default + FromHex + TryFrom<Vec<u8>>;
/// Outputs the order of G (i.e. p)
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.1>
fn order() -> <Self::Field as Field>::Scalar;
/// The order of the the quotient group when the prime order subgroup divides the order of the
/// full curve group.
///
/// If using a prime order elliptic curve, the cofactor should be 1 in the scalar field.
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-4.1-3>
fn cofactor() -> <Self::Field as Field>::Scalar;
/// Additive [identity] of the prime order group.
///
/// [identity]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.2
fn identity() -> Self::Element;
/// The fixed generator element of the prime order group.
///
/// The 'base' of [`ScalarBaseMult()`] from the spec.
/// [`ScalarBaseMult()`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1
fn generator() -> Self::Element;
/// A member function of a group _G_ that maps an [`Element`] to a unique byte array buf of
/// fixed length Ne.
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.5>
fn serialize(element: &Self::Element) -> Self::Serialization;
/// A member function of a [`Group`] that attempts to map a byte array `buf` to an [`Element`].
///
/// Fails if the input is not a valid byte representation of an [`Element`] of the
/// [`Group`]. This function can raise a [`DeserializeError`] if deserialization fails or if the
/// resulting [`Element`] is the identity element of the group
///
/// <https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.1-3.6>
fn deserialize(buf: &Self::Serialization) -> Result<Self::Element, Error>;
}
/// An element of the [`Ciphersuite`] `C`'s [`Group`].
pub type Element<C> = <<C as Ciphersuite>::Group as Group>::Element;
/// A [FROST ciphersuite] specifies the underlying prime-order group details and cryptographic hash
/// function.
///
/// [FROST ciphersuite]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#name-ciphersuites
pub trait Ciphersuite: Copy + Clone {
/// The prime order group (or subgroup) that this ciphersuite operates over.
type Group: Group;
/// A unique byte array of fixed length.
type HashOutput: AsRef<[u8]>;
/// A unique byte array of fixed length that is the `Group::ElementSerialization` +
/// `Group::ScalarSerialization`
type SignatureSerialization: AsRef<[u8]> + FromHex + TryFrom<Vec<u8>>;
/// [H1] for a FROST ciphersuite.
///
/// Maps arbitrary inputs to non-zero `Self::Scalar` elements of the prime-order group scalar field.
///
/// [H1]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash
fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
/// [H2] for a FROST ciphersuite.
///
/// Maps arbitrary inputs to non-zero `Self::Scalar` elements of the prime-order group scalar field.
///
/// [H2]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash
fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
/// H3 for a FROST ciphersuite.
///
/// Usually an an alias for the ciphersuite hash function _H_ with domain separation applied.
///
/// [spec]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash
fn H3(m: &[u8]) -> Self::HashOutput;
}
/// A type refinement for the scalar field element representing the per-message _[challenge]_.
///
/// [challenge]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#name-signature-challenge-computa
#[derive(Clone)]
pub struct Challenge<C: Ciphersuite>(
pub(crate) <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
);
impl<C> Debug for Challenge<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_tuple("Secret")
.field(&hex::encode(
<<<C as Ciphersuite>::Group as Group>::Field as Field>::serialize(&self.0),
))
.finish()
}
}
/// Generates the challenge as is required for Schnorr signatures.
///
/// Deals in bytes, so that [FROST] and singleton signing and verification can use it with different
/// types.
///
/// This is the only invocation of the H2 hash function from the [RFC].
///
/// [FROST]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-4.6
/// [RFC]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.html#section-3.2
fn challenge<C>(
R: &<C::Group as Group>::Element,
verifying_key: &<C::Group as Group>::Element,
msg: &[u8],
) -> Challenge<C>
where
C: Ciphersuite,
{
let mut preimage = vec![];
preimage.extend_from_slice(<C::Group as Group>::serialize(R).as_ref());
preimage.extend_from_slice(<C::Group as Group>::serialize(verifying_key).as_ref());
preimage.extend_from_slice(msg);
Challenge(C::H2(&preimage[..]))
}

190
frost-core/src/scalar_mul.rs Normal file
View File

@ -0,0 +1,190 @@
use std::{
borrow::Borrow,
fmt::{Debug, Result},
};
pub trait NonAdjacentForm {
fn non_adjacent_form(&self, w: usize) -> [i8; 256];
}
impl<C> NonAdjacentForm for Scalar<C>
where
C: Ciphersuite,
{
/// Computes a width-\\(w\\) "Non-Adjacent Form" of this scalar.
///
/// Thanks to curve25519-dalek for the original implementation that informed this one.
///
/// The full scalar field MUST fit in 256 bits in this implementation.
fn non_adjacent_form(&self, w: usize) -> [i8; 256] {
// required by the NAF definition
debug_assert!(w >= 2);
// required so that the NAF digits fit in i8
debug_assert!(w <= 8);
use byteorder::{ByteOrder, LittleEndian};
// NB: Assumes a scalar that fits in 256 bits.
let mut naf = [0i8; 256];
let mut x_u64 = [0u64; 5];
LittleEndian::read_u64_into(&self.to_bytes(), &mut x_u64[0..4]);
let width = 1 << w;
let window_mask = width - 1;
let mut pos = 0;
let mut carry = 0;
while pos < 256 {
// Construct a buffer of bits of the scalar, starting at bit `pos`
let u64_idx = pos / 64;
let bit_idx = pos % 64;
let bit_buf: u64;
if bit_idx < 64 - w {
// This window's bits are contained in a single u64
bit_buf = x_u64[u64_idx] >> bit_idx;
} else {
// Combine the current u64's bits with the bits from the next u64
bit_buf = (x_u64[u64_idx] >> bit_idx) | (x_u64[1 + u64_idx] << (64 - bit_idx));
}
// Add the carry into the current window
let window = carry + (bit_buf & window_mask);
if window & 1 == 0 {
// If the window value is even, preserve the carry and continue.
// Why is the carry preserved?
// If carry == 0 and window & 1 == 0, then the next carry should be 0
// If carry == 1 and window & 1 == 0, then bit_buf & 1 == 1 so the next carry should be 1
pos += 1;
continue;
}
if window < width / 2 {
carry = 0;
naf[pos] = window as i8;
} else {
carry = 1;
naf[pos] = (window as i8).wrapping_sub(width as i8);
}
pos += w;
}
naf
}
}
/// A trait for variable-time multiscalar multiplication without precomputation.
///
/// Implement for a group element.
pub trait VartimeMultiscalarMul: Clone {
/// Given an iterator of public scalars and an iterator of
/// `Option`s of group elements, compute either `Some(Q)`, where
/// $$
/// Q = c\_1 E\_1 + \cdots + c\_n E\_n,
/// $$
/// if all points were `Some(E_i)`, or else return `None`.
fn optional_multiscalar_mul<I, J>(scalars: I, elements: J) -> Option<Self>
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
J: IntoIterator<Item = Option<Self>>;
/// Given an iterator of public scalars and an iterator of
/// public group elements, compute
/// $$
/// Q = c\_1 E\_1 + \cdots + c\_n E\_n,
/// $$
/// using variable-time operations.
///
/// It is an error to call this function with two iterators of different lengths.
fn vartime_multiscalar_mul<I, J>(scalars: I, elements: J) -> Self
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
J: IntoIterator,
J::Item: Borrow<Self>,
{
Self::optional_multiscalar_mul(
scalars,
elements.into_iter().map(|e| Some(e.borrow().clone())),
)
.unwrap()
}
}
impl<C> VartimeMultiscalarMul for Element<C>
where
C: Ciphersuite,
{
fn optional_multiscalar_mul<I, J>(scalars: I, elements: J) -> Option<Element<C>>
where
I: IntoIterator,
I::Item: Borrow<Scalar>,
J: IntoIterator<Item = Option<Element<C>>>,
{
let nafs: Vec<_> = scalars
.into_iter()
.map(|c| c.borrow().non_adjacent_form(5))
.collect();
let lookup_tables = elements
.into_iter()
.map(|P_opt| P_opt.map(|P| LookupTable5::<Element<C>>::from(&P)))
.collect::<Option<Vec<_>>>()?;
let mut r = <C::Group as Group>::identity();
for i in (0..256).rev() {
let mut t = r + r.clone();
for (naf, lookup_table) in nafs.iter().zip(lookup_tables.iter()) {
if naf[i] > 0 {
t = &t + &lookup_table.select(naf[i] as usize);
} else if naf[i] < 0 {
t = &t - &lookup_table.select(-naf[i] as usize);
}
}
r = t;
}
Some(r)
}
}
/// Holds odd multiples 1A, 3A, ..., 15A of a point A.
#[derive(Copy, Clone)]
pub(crate) struct LookupTable5<T>(pub(crate) [T; 8]);
impl<T: Copy> LookupTable5<T> {
/// Given public, odd \\( x \\) with \\( 0 < x < 2^4 \\), return \\(xA\\).
pub fn select(&self, x: usize) -> T {
debug_assert_eq!(x & 1, 1);
debug_assert!(x < 16);
self.0[x / 2]
}
}
impl<T: Debug> Debug for LookupTable5<T> {
fn fmt(&self, f: &mut std::fmt::Formatter) -> Result {
write!(f, "LookupTable5({:?})", self.0)
}
}
impl<'a, C> From<&'a <C::Group·as·Group>::Element> for LookupTable5<<C::Group·as·Group>::Element>
where
C: Ciphersuite,
{
fn from(A: &'a <C::Group·as·Group>::Element) -> Self {
let mut Ai = [A; 8];
let A2 = A * A.clone();
for i in 0..7 {
Ai[i + 1] = (&A2 + &Ai[i]);
}
// Now Ai = [A, 3A, 5A, 7A, 9A, 11A, 13A, 15A]
LookupTable5(Ai)
}
}

99
frost-core/src/signature.rs Normal file
View File

@ -0,0 +1,99 @@
//! Schnorr signatures over prime order groups (or subgroups)
use std::fmt::Debug;
// use hex::FromHex;
use crate::{Ciphersuite, Error, Field, Group};
/// A Schnorr signature over some prime order group (or subgroup).
#[derive(Copy, Clone, Eq, PartialEq)]
pub struct Signature<C: Ciphersuite> {
/// The commitment `R` to the signature nonce.
pub(crate) R: <C::Group as Group>::Element,
/// The response `z` to the challenge computed from the commitment `R`, the verifying key, and
/// the message.
pub(crate) z: <<C::Group as Group>::Field as Field>::Scalar,
}
impl<C> Signature<C>
where
C: Ciphersuite,
C::Group: Group,
<C::Group as Group>::Field: Field,
{
/// Converts bytes as [`C::SignatureSerialization`] into a `Signature<C>`.
pub fn from_bytes(bytes: C::SignatureSerialization) -> Result<Self, Error>
where
<<C::Group as Group>::Serialization as TryFrom<Vec<u8>>>::Error: Debug,
<<<C::Group as Group>::Field as Field>::Serialization as TryFrom<Vec<u8>>>::Error: Debug,
{
let mut R_bytes = Vec::from(<C::Group as Group>::Serialization::default().as_ref());
let R_bytes_len = R_bytes.len();
R_bytes[..].copy_from_slice(&bytes.as_ref()[0..R_bytes_len]);
println!("{:?}", R_bytes);
let R_serialization = &R_bytes.try_into().map_err(|_| Error::MalformedSignature)?;
let mut z_bytes =
Vec::from(<<C::Group as Group>::Field as Field>::Serialization::default().as_ref());
let z_bytes_len = z_bytes.len();
z_bytes[..].copy_from_slice(&bytes.as_ref()[R_bytes_len..z_bytes_len]);
println!("{:?}", z_bytes);
let z_serialization = &z_bytes.try_into().map_err(|_| Error::MalformedSignature)?;
Ok(Self {
R: <C::Group as Group>::deserialize(R_serialization)?,
z: <<C::Group as Group>::Field as Field>::deserialize(z_serialization)?,
})
}
/// Converts this signature to its [`C::SignatureSerialization`] in bytes.
pub fn to_bytes(&self) -> C::SignatureSerialization
where
<<C as Ciphersuite>::SignatureSerialization as TryFrom<Vec<u8>>>::Error: Debug,
{
let mut bytes = vec![];
bytes.extend(<C::Group as Group>::serialize(&self.R).as_ref());
bytes.extend(<<C::Group as Group>::Field as Field>::serialize(&self.z).as_ref());
bytes.try_into().unwrap()
}
}
impl<C: Ciphersuite> std::fmt::Debug for Signature<C> {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
f.debug_struct("Signature")
.field(
"R",
&hex::encode(<C::Group as Group>::serialize(&self.R).as_ref()),
)
.field(
"z",
&hex::encode(<<C::Group as Group>::Field as Field>::serialize(&self.z).as_ref()),
)
.finish()
}
}
// impl<C> FromHex for Signature<C>
// where
// C: Ciphersuite,
// {
// type Error = &'static str;
// fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
// match FromHex::from_hex(hex) {
// Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed signature encoding"),
// Err(_) => Err("invalid hex"),
// }
// }
// }

73
frost-core/src/signing_key.rs Normal file
View File

@ -0,0 +1,73 @@
//! Schnorr signature signing keys
use rand_core::{CryptoRng, RngCore};
use crate::{Ciphersuite, Error, Field, Group, Signature, VerifyingKey};
/// A signing key for a Schnorr signature on a FROST [`Ciphersuite::Group`].
#[derive(Copy, Clone)]
pub struct SigningKey<C>
where
C: Ciphersuite,
{
scalar: <<C::Group as Group>::Field as Field>::Scalar,
}
impl<C> SigningKey<C>
where
C: Ciphersuite,
{
/// Generate a new signing key.
pub fn new<R: RngCore + CryptoRng>(mut rng: R) -> SigningKey<C> {
let scalar = <<C::Group as Group>::Field as Field>::random_nonzero(&mut rng);
SigningKey { scalar }
}
/// Deserialize from bytes
pub fn from_bytes(
bytes: <<C::Group as Group>::Field as Field>::Serialization,
) -> Result<SigningKey<C>, Error> {
<<C::Group as Group>::Field as Field>::deserialize(&bytes)
.map(|scalar| SigningKey { scalar })
}
/// Serialize `SigningKey` to bytes
pub fn to_bytes(&self) -> <<C::Group as Group>::Field as Field>::Serialization {
<<C::Group as Group>::Field as Field>::serialize(&self.scalar)
}
/// Create a signature `msg` using this `SigningKey`.
pub fn sign<R: RngCore + CryptoRng>(&self, mut rng: R, msg: &[u8]) -> Signature<C> {
let k = <<C::Group as Group>::Field as Field>::random_nonzero(&mut rng);
let R = <C::Group as Group>::generator() * k;
// Generate Schnorr challenge
let c = crate::challenge::<C>(&R, &VerifyingKey::<C>::from(*self).element, msg);
let z = k + (c.0 * self.scalar);
Signature { R, z }
}
}
impl<C> From<&SigningKey<C>> for VerifyingKey<C>
where
C: Ciphersuite,
{
fn from(signing_key: &SigningKey<C>) -> Self {
VerifyingKey {
element: C::Group::generator() * signing_key.scalar,
}
}
}
impl<C> From<SigningKey<C>> for VerifyingKey<C>
where
C: Ciphersuite,
{
fn from(signing_key: SigningKey<C>) -> Self {
VerifyingKey::<C>::from(&signing_key)
}
}

93
frost-core/src/verifying_key.rs Normal file
View File

@ -0,0 +1,93 @@
use std::fmt::{self, Debug};
use hex::FromHex;
use crate::{Ciphersuite, Error, Group, Signature};
/// A valid verifying key for Schnorr signatures over a FROST [`Ciphersuite::Group`].
#[derive(Copy, Clone, PartialEq)]
pub struct VerifyingKey<C>
where
C: Ciphersuite,
{
pub(crate) element: <C::Group as Group>::Element,
}
impl<C> VerifyingKey<C>
where
C: Ciphersuite,
{
// pub(crate) fn from(scalar: &<<C::Group as Group>::Field as Field>::Scalar) -> Self {
// let element = <C::Group as Group>::generator() * *scalar;
// VerifyingKey { element }
// }
/// Deserialize from bytes
pub fn from_bytes(bytes: <C::Group as Group>::Serialization) -> Result<VerifyingKey<C>, Error> {
<C::Group as Group>::deserialize(&bytes).map(|element| VerifyingKey { element })
}
/// Serialize `VerifyingKey` to bytes
pub fn to_bytes(&self) -> <C::Group as Group>::Serialization {
<C::Group as Group>::serialize(&self.element)
}
/// Verify a purported `signature` over `msg` made by this verification key.
pub fn verify(&self, msg: &[u8], signature: &Signature<C>) -> Result<(), Error> {
let c = crate::challenge::<C>(&signature.R, &self.element, msg);
// Verify check is h * ( - z * B + R + c * A) == 0
// h * ( z * B - c * A - R) == 0
//
// where h is the cofactor
let zB = C::Group::generator() * signature.z;
let cA = self.element * c.0;
let check = (zB - cA - signature.R) * C::Group::cofactor();
if check == C::Group::identity() {
Ok(())
} else {
Err(Error::InvalidSignature)
}
}
}
impl<C> Debug for VerifyingKey<C>
where
C: Ciphersuite,
{
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.debug_tuple("VerifyingKey")
.field(&hex::encode(self.to_bytes()))
.finish()
}
}
impl<C> FromHex for VerifyingKey<C>
where
C: Ciphersuite,
{
type Error = &'static str;
fn from_hex<T: AsRef<[u8]>>(hex: T) -> Result<Self, Self::Error> {
match FromHex::from_hex(hex) {
Ok(bytes) => Self::from_bytes(bytes).map_err(|_| "malformed verifying key encoding"),
Err(_) => Err("invalid hex"),
}
}
}
// impl<C: Ciphersuite> From<VerifyingKey<C>> for <C::Group as Group>::ElementSerialization {
// fn from(pk: VerifyingKey<C>) -> <C::Group as Group>::ElementSerialization {
// pk.bytes.bytes
// }
// }
// impl<C: Ciphersuite> TryFrom<<C::Group as Group>::ElementSerialization> for VerifyingKey<C> {
// type Error = Error;
// fn try_from(bytes: [u8; 32]) -> Result<Self, Self::Error> {
// VerifyingKeyBytes::from(bytes).try_into()
// }
// }

62
frost-core/tests/batch.rs.bck Normal file
View File

@ -0,0 +1,62 @@
use rand::thread_rng;
use frost_core::*;
mod common;
use common::ciphersuite::Ristretto255Sha512 as R;
#[test]
fn batch_verify() {
let mut rng = thread_rng();
let mut batch = batch::Verifier::<R>::new();
for _ in 0..32 {
let sk = SigningKey::new(&mut rng);
let vk = VerifyingKey::<R>::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
batch.queue((vk.into(), sig, msg));
}
assert!(batch.verify(rng).is_ok());
}
#[test]
fn bad_batch_verify() {
let mut rng = thread_rng();
let bad_index = 4; // must be even
let mut batch = batch::Verifier::<R>::new();
let mut items = Vec::new();
for i in 0..32 {
let item: batch::Item<R> = match i % 2 {
0 => {
let sk = SigningKey::new(&mut rng);
let vk = VerifyingKey::<R>::from(&sk);
let msg = b"BatchVerifyTest";
let sig = if i != bad_index {
sk.sign(&mut rng, &msg[..])
} else {
sk.sign(&mut rng, b"bad")
};
(vk.into(), sig, msg).into()
}
1 => {
let sk = SigningKey::new(&mut rng);
let vk = VerifyingKey::<R>::from(&sk);
let msg = b"BatchVerifyTest";
let sig = sk.sign(&mut rng, &msg[..]);
(vk.into(), sig, msg).into()
}
_ => unreachable!(),
};
items.push(item.clone());
batch.queue(item);
}
assert!(batch.verify(rng).is_err());
for (i, item) in items.drain(..).enumerate() {
if i != bad_index {
assert!(item.verify_single().is_ok());
} else {
assert!(item.verify_single().is_err());
}
}
}

168
frost-core/tests/common/ciphersuite.rs Normal file
View File

@ -0,0 +1,168 @@
#![allow(non_snake_case)]
use curve25519_dalek::{
constants::{BASEPOINT_ORDER, RISTRETTO_BASEPOINT_POINT},
ristretto::{CompressedRistretto, RistrettoPoint},
scalar::Scalar,
traits::Identity,
};
use rand_core::{CryptoRng, RngCore};
use sha2::{digest::Update, Digest, Sha512};
use frost_core::{Ciphersuite, Error, Field, Group};
#[derive(Clone, Copy)]
pub struct RistrettoScalarField;
impl Field for RistrettoScalarField {
type Scalar = Scalar;
type Serialization = [u8; 32];
fn zero() -> Self::Scalar {
Scalar::zero()
}
fn one() -> Self::Scalar {
Scalar::one()
}
fn invert(scalar: &Self::Scalar) -> Result<Self::Scalar, Error> {
// [`curve25519_dalek::scalar::Scalar`]'s Eq/PartialEq does a constant-time comparison using
// `ConstantTimeEq`
if *scalar == <Self as Field>::zero() {
Err(Error::InvalidZeroScalar)
} else {
Ok(scalar.invert())
}
}
fn random<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar {
Scalar::random(rng)
}
fn random_nonzero<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Scalar {
loop {
let scalar = Scalar::random(rng);
// This impl of `Eq` calls to `ConstantTimeEq` under the hood
if scalar != Scalar::zero() {
return scalar;
}
}
}
fn serialize(scalar: &Self::Scalar) -> Self::Serialization {
scalar.to_bytes()
}
fn deserialize(buf: &Self::Serialization) -> Result<Self::Scalar, Error> {
match Scalar::from_canonical_bytes(*buf) {
Some(s) => Ok(s),
None => Err(Error::MalformedScalar),
}
}
}
#[derive(Clone, Copy, PartialEq)]
pub struct RistrettoGroup;
impl Group for RistrettoGroup {
type Field = RistrettoScalarField;
type Element = RistrettoPoint;
type Serialization = [u8; 32];
fn order() -> <Self::Field as Field>::Scalar {
BASEPOINT_ORDER
}
fn cofactor() -> <Self::Field as Field>::Scalar {
Scalar::one()
}
fn identity() -> Self::Element {
RistrettoPoint::identity()
}
fn generator() -> Self::Element {
RISTRETTO_BASEPOINT_POINT
}
fn serialize(element: &Self::Element) -> Self::Serialization {
element.compress().to_bytes()
}
fn deserialize(buf: &Self::Serialization) -> Result<Self::Element, Error> {
match CompressedRistretto::from_slice(buf.as_ref()).decompress() {
Some(point) => Ok(point),
None => Err(Error::MalformedElement),
}
}
}
/// Context string 'FROST-RISTRETTO255-SHA512' from the ciphersuite in the [spec]
///
/// [spec]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-04.txt
const CONTEXT_STRING: &str = "FROST-RISTRETTO255-SHA512";
#[derive(Clone, Copy, PartialEq)]
pub struct Ristretto255Sha512;
impl Ciphersuite for Ristretto255Sha512 {
type Group = RistrettoGroup;
type HashOutput = [u8; 64];
type SignatureSerialization = [u8; 64];
/// H1 for FROST(ristretto255, SHA-512)
///
/// [spec]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash
fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar {
let h = Sha512::new()
.chain(CONTEXT_STRING.as_bytes())
.chain("rho")
.chain(m);
let mut output = [0u8; 64];
output.copy_from_slice(h.finalize().as_slice());
<<Self::Group as Group>::Field as Field>::Scalar::from_bytes_mod_order_wide(&output)
}
/// H2 for FROST(ristretto255, SHA-512)
///
/// [spec]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash-function-dep-hash
fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar {
let h = Sha512::new()
.chain(CONTEXT_STRING.as_bytes())
.chain("chal")
.chain(m);
let mut output = [0u8; 64];
output.copy_from_slice(h.finalize().as_slice());
<<Self::Group as Group>::Field as Field>::Scalar::from_bytes_mod_order_wide(&output)
}
/// H3 for FROST(ristretto255, SHA-512)
///
/// [spec]: https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md#cryptographic-hash-function-dep-hash
fn H3(m: &[u8]) -> Self::HashOutput {
let h = Sha512::new()
.chain(CONTEXT_STRING.as_bytes())
.chain("digest")
.chain(m);
let mut output = [0u8; 64];
output.copy_from_slice(h.finalize().as_slice());
output
}
}
#[test]
fn use_parameterized_types() {
let h3_image = Ristretto255Sha512::H3(b"test_message");
println!("h3_image: {:?}", h3_image);
}

13
frost-core/tests/common/mod.rs Normal file
View File

@ -0,0 +1,13 @@
//! Shared code for `frost-ristretto255` integration tests.
//!
//! # Warning
//!
//! Test functions in this file and its submodules will not be run.
//! This file is only for test library code.
//!
//! This module uses the legacy directory structure,
//! to avoid compiling an empty "common" test binary:
//! <https://doc.rust-lang.org/book/ch11-03-test-organization.html#submodules-in-integration-tests>
pub mod ciphersuite;
pub mod vectors;

59
frost-core/tests/common/vectors.json Normal file
View File

@ -0,0 +1,59 @@
{
"config": {
"MAX_SIGNERS": "3",
"NUM_SIGNERS": "2",
"THRESHOLD_LIMIT": "2",
"name": "FROST(ristretto255, SHA-512)",
"group": "ristretto255",
"hash": "SHA-512"
},
"inputs": {
"group_secret_key": "b120be204b5e758960458ca9c4675b56b12a8faff2be9c94891d5e1cd75c880e",
"group_public_key": "563b80013f337deaa2a282af7b281bd70d2f501928a89c1aa48b379a5ac4202b",
"message": "74657374",
"signers": {
"1": {
"signer_share": "94ae65bb90030a89507fa00fff08dfed841cf996de5a0c574f1f4693ddcb6705"
},
"2": {
"signer_share": "641003b3f00bb1e01656ac1818a4419a580e637ecaf67b1915212e0ae43a470c"
},
"3": {
"signer_share": "479eaa4d36b145e00690c07e5245c5312c00cd65b692ebdbda221681eaa92603"
}
}
},
"round_one_outputs": {
"participants": "1,2",
"group_binding_factor_input": "0001824e9eddddf02b2a9caf5859825e999d791ca094f65b814a8bca6013d9cc312774c7e1271d2939a84a9a867e3a06579b4d25659b427439ccf0d745b43f75b76600028013834ff4d48e7d6b76c2e732bc611f54720ef8933c4ca4de7eaaa77ff5cd125e056ecc4f7c4657d3a742354430d768f945db229c335d258e9622ad99f3e7582d07b35bd9849ce4af6ad403090d69a7d0eb88bba669a9f985175d70cd15ad5f1ef5b734c98a32b4aab7b43a57e93fc09281f2e7a207076b31e416ba63f53d9d",
"group_binding_factor": "f00ae6007f2d74a1507c962cf30006be77596106db28f2d5443fd66d755e780c",
"signers": {
"1": {
"hiding_nonce": "349b3bb8464a1d87f7d6b56f4559a3f9a6335261a3266089a9b12d9d6f6ce209",
"binding_nonce": "ce7406016a854be4291f03e7d24fe30e77994c3465de031515a4c116f22ca901",
"hiding_nonce_commitment": "824e9eddddf02b2a9caf5859825e999d791ca094f65b814a8bca6013d9cc3127",
"binding_nonce_commitment": "74c7e1271d2939a84a9a867e3a06579b4d25659b427439ccf0d745b43f75b766"
},
"2": {
"hiding_nonce": "4d66d319f20a728ec3d491cbf260cc6be687bd87cc2b5fdb4d5f528f65fd650d",
"binding_nonce": "278b9b1e04632e6af3f1a3c144d07922ffcf5efd3a341b47abc19c43f48ce306",
"hiding_nonce_commitment": "8013834ff4d48e7d6b76c2e732bc611f54720ef8933c4ca4de7eaaa77ff5cd12",
"binding_nonce_commitment": "5e056ecc4f7c4657d3a742354430d768f945db229c335d258e9622ad99f3e758"
}
}
},
"round_two_outputs": {
"participants": "1,2",
"signers": {
"1": {
"sig_share": "ec6b075f17c5670e80b1fda8f6de1cfe3c79db06a852f8d5650fb71eaad69501"
},
"2": {
"sig_share": "87ceccc477069aa9b751b307f25955daaf943a3abc51f214a114781de0f58e03"
}
}
},
"final_output": {
"sig": "7e92309bf40993141acd5f2c7680a302cc5aa5dd291a833906da8e35bc39b03e733ad4238fcb01b83703b1b0e83872d8ec0d164164a4eaea06242f3c8acc2405"
}
}

147
frost-core/tests/common/vectors.rs Normal file
View File

@ -0,0 +1,147 @@
use std::{collections::HashMap, str::FromStr};
use curve25519_dalek::scalar::Scalar;
use hex::{self, FromHex};
use lazy_static::lazy_static;
use serde_json::Value;
use frost_core::{
frost::{keys::*, round1::*, round2::*, *},
VerifyingKey,
};
use super::ciphersuite::Ristretto255Sha512;
lazy_static! {
pub static ref RISTRETTO255_SHA512: Value =
serde_json::from_str(include_str!("vectors.json").trim())
.expect("Test vector is valid JSON");
}
#[allow(clippy::type_complexity)]
#[allow(dead_code)]
pub(crate) fn parse_test_vectors() -> (
VerifyingKey<Ristretto255Sha512>,
HashMap<u16, KeyPackage<Ristretto255Sha512>>,
&'static str,
Vec<u8>,
HashMap<u16, SigningNonces<Ristretto255Sha512>>,
HashMap<u16, SigningCommitments<Ristretto255Sha512>>,
Vec<u8>,
Rho<Ristretto255Sha512>,
HashMap<u16, SignatureShare<Ristretto255Sha512>>,
Vec<u8>, // Signature<Ristretto255Sha512>,
) {
type R = Ristretto255Sha512;
let inputs = &RISTRETTO255_SHA512["inputs"];
let message = inputs["message"].as_str().unwrap();
let message_bytes = hex::decode(message).unwrap();
let mut key_packages: HashMap<u16, KeyPackage<R>> = HashMap::new();
let possible_signers = RISTRETTO255_SHA512["inputs"]["signers"]
.as_object()
.unwrap()
.iter();
let group_public =
VerifyingKey::<R>::from_hex(inputs["group_public_key"].as_str().unwrap()).unwrap();
for (i, secret_share) in possible_signers {
let secret = Secret::<R>::from_hex(secret_share["signer_share"].as_str().unwrap()).unwrap();
let signer_public = secret.into();
let key_package = KeyPackage::<R> {
index: u16::from_str(i).unwrap(),
secret_share: secret,
public: signer_public,
group_public,
};
key_packages.insert(*key_package.index(), key_package);
}
// Round one outputs
let round_one_outputs = &RISTRETTO255_SHA512["round_one_outputs"];
let group_binding_factor_input = Vec::<u8>::from_hex(
round_one_outputs["group_binding_factor_input"]
.as_str()
.unwrap(),
)
.unwrap();
let group_binding_factor =
Rho::<R>::from_hex(round_one_outputs["group_binding_factor"].as_str().unwrap()).unwrap();
let mut signer_nonces: HashMap<u16, SigningNonces<R>> = HashMap::new();
let mut signer_commitments: HashMap<u16, SigningCommitments<R>> = HashMap::new();
for (i, signer) in round_one_outputs["signers"].as_object().unwrap().iter() {
let index = u16::from_str(i).unwrap();
let signing_nonces = SigningNonces::<R> {
hiding: Nonce::<R>::from_hex(signer["hiding_nonce"].as_str().unwrap()).unwrap(),
binding: Nonce::<R>::from_hex(signer["binding_nonce"].as_str().unwrap()).unwrap(),
};
signer_nonces.insert(index, signing_nonces);
let signing_commitments = SigningCommitments::<R> {
index,
hiding: NonceCommitment::from_hex(signer["hiding_nonce_commitment"].as_str().unwrap())
.unwrap(),
binding: NonceCommitment::from_hex(
signer["binding_nonce_commitment"].as_str().unwrap(),
)
.unwrap(),
};
signer_commitments.insert(index, signing_commitments);
}
// Round two outputs
let round_two_outputs = &RISTRETTO255_SHA512["round_two_outputs"];
let mut signature_shares: HashMap<u16, SignatureShare<R>> = HashMap::new();
for (i, signer) in round_two_outputs["signers"].as_object().unwrap().iter() {
let signature_share = SignatureShare::<R> {
index: u16::from_str(i).unwrap(),
signature: SignatureResponse {
z_share: Scalar::from_canonical_bytes(
hex::decode(signer["sig_share"].as_str().unwrap())
.unwrap()
.try_into()
.unwrap(),
)
.unwrap(),
},
};
signature_shares.insert(u16::from_str(i).unwrap(), signature_share);
}
// Final output
let final_output = &RISTRETTO255_SHA512["final_output"];
let signature_bytes = FromHex::from_hex(final_output["sig"].as_str().unwrap()).unwrap();
(
group_public,
key_packages,
message,
message_bytes,
signer_nonces,
signer_commitments,
group_binding_factor_input,
group_binding_factor,
signature_shares,
signature_bytes,
)
}

99
frost-core/tests/frost.rs Normal file
View File

@ -0,0 +1,99 @@
use std::{collections::HashMap, convert::TryFrom};
use frost_core::frost;
use rand::thread_rng;
mod common;
use common::ciphersuite::Ristretto255Sha512 as R;
#[test]
fn check_sign_with_dealer() {
let mut rng = thread_rng();
////////////////////////////////////////////////////////////////////////////
// Key generation
////////////////////////////////////////////////////////////////////////////
let numsigners = 5;
let threshold = 3;
let (shares, pubkeys) =
frost::keys::keygen_with_dealer(numsigners, threshold, &mut rng).unwrap();
// Verifies the secret shares from the dealer
let key_packages: Vec<frost::keys::KeyPackage<R>> = shares
.into_iter()
.map(|share| frost::keys::KeyPackage::try_from(share).unwrap())
.collect();
let mut nonces: HashMap<u16, Vec<frost::round1::SigningNonces<R>>> = HashMap::new();
let mut commitments: HashMap<u16, Vec<frost::round1::SigningCommitments<R>>> = HashMap::new();
////////////////////////////////////////////////////////////////////////////
// Round 1: generating nonces and signing commitments for each participant
////////////////////////////////////////////////////////////////////////////
for participant_index in 1..(threshold + 1) {
// Generate one (1) nonce and one SigningCommitments instance for each
// participant, up to _threshold_.
let (nonce, commitment) = frost::round1::preprocess(1, participant_index as u16, &mut rng);
nonces.insert(participant_index as u16, nonce);
commitments.insert(participant_index as u16, commitment);
}
// This is what the signature aggregator / coordinator needs to do:
// - decide what message to sign
// - take one (unused) commitment per signing participant
let mut signature_shares: Vec<frost::round2::SignatureShare<R>> = Vec::new();
let message = "message to sign".as_bytes();
let comms = commitments.clone().into_values().flatten().collect();
let signing_package = frost::SigningPackage::new(comms, message.to_vec());
////////////////////////////////////////////////////////////////////////////
// Round 2: each participant generates their signature share
////////////////////////////////////////////////////////////////////////////
for participant_index in nonces.keys() {
let key_package = key_packages
.iter()
.find(|key_package| *participant_index == key_package.index)
.unwrap();
let nonces_to_use = &nonces.get(participant_index).unwrap()[0];
// Each participant generates their signature share.
let signature_share =
frost::round2::sign(&signing_package, nonces_to_use, key_package).unwrap();
signature_shares.push(signature_share);
}
////////////////////////////////////////////////////////////////////////////
// Aggregation: collects the signing shares from all participants,
// generates the final signature.
////////////////////////////////////////////////////////////////////////////
// Aggregate (also verifies the signature shares)
let group_signature_res = frost::aggregate(&signing_package, &signature_shares[..], &pubkeys);
assert!(group_signature_res.is_ok());
let group_signature = group_signature_res.unwrap();
// Check that the threshold signature can be verified by the group public
// key (the verification key).
assert!(pubkeys
.group_public
.verify(message, &group_signature)
.is_ok());
// Check that the threshold signature can be verified by the group public
// key (the verification key) from SharePackage.group_public
for (participant_index, _) in nonces.clone() {
let key_package = key_packages.get(participant_index as usize).unwrap();
assert!(key_package
.group_public
.verify(message, &group_signature)
.is_ok());
}
}

129
frost-core/tests/proptests.rs Normal file
View File

@ -0,0 +1,129 @@
use frost_core::*;
use proptest::prelude::*;
use rand_core::{CryptoRng, RngCore};
mod common;
use common::ciphersuite::Ristretto255Sha512 as R;
/// A signature test-case, containing signature data and expected validity.
#[derive(Clone, Debug)]
struct SignatureCase<C: Ciphersuite> {
msg: Vec<u8>,
sig: Signature<C>,
vk: VerifyingKey<C>,
invalid_vk: VerifyingKey<C>,
is_valid: bool,
}
/// A modification to a test-case.
#[derive(Copy, Clone, Debug)]
enum Tweak {
/// No-op, used to check that unchanged cases verify.
None,
/// Change the message the signature is defined for, invalidating the signature.
ChangeMessage,
/// Change the public key the signature is defined for, invalidating the signature.
ChangePubkey,
/* XXX implement this -- needs to regenerate a custom signature because the
nonce commitment is fed into the hash, so it has to have torsion at signing
time.
/// Change the case to have a torsion component in the signature's `r` value.
AddTorsion,
*/
/* XXX implement this -- needs custom handling of field arithmetic.
/// Change the signature's `s` scalar to be unreduced (mod L), invalidating the signature.
UnreducedScalar,
*/
}
impl<C> SignatureCase<C>
where
C: Ciphersuite,
{
fn new<R: RngCore + CryptoRng>(mut rng: R, msg: Vec<u8>) -> Self {
let sk = SigningKey::<C>::new(&mut rng);
let sig = sk.sign(&mut rng, &msg);
let vk = VerifyingKey::<C>::from(&sk);
let invalid_vk = VerifyingKey::<C>::from(&SigningKey::new(&mut rng));
Self {
msg,
sig,
vk,
invalid_vk,
is_valid: true,
}
}
// Check that signature verification succeeds or fails, as expected.
fn check(&self) -> bool {
// // The signature data is stored in (refined) byte types, but do a round trip
// // conversion to raw bytes to exercise those code paths.
// let sig = {
// let bytes: [u8; 64] = self.sig.into();
// Signature::<C>::from_bytes(bytes)
// };
// // Check that the verification key is a valid key.
// let pub_key = VerifyingKey::<C>::from_bytes(pk_bytes)
// .expect("The test verification key to be well-formed.");
// Check that signature validation has the expected result.
self.is_valid == self.vk.verify(&self.msg, &self.sig).is_ok()
}
fn apply_tweak(&mut self, tweak: &Tweak) {
match tweak {
Tweak::None => {}
Tweak::ChangeMessage => {
// Changing the message makes the signature invalid.
self.msg.push(90);
self.is_valid = false;
}
Tweak::ChangePubkey => {
// Changing the public key makes the signature invalid.
self.vk = self.invalid_vk;
self.is_valid = false;
}
}
}
}
fn tweak_strategy() -> impl Strategy<Value = Tweak> {
prop_oneof![
10 => Just(Tweak::None),
1 => Just(Tweak::ChangeMessage),
1 => Just(Tweak::ChangePubkey),
]
}
use rand_chacha::ChaChaRng;
use rand_core::SeedableRng;
proptest! {
#[test]
fn tweak_signature(
tweaks in prop::collection::vec(tweak_strategy(), (0,5)),
rng_seed in prop::array::uniform32(any::<u8>()),
) {
// Use a deterministic RNG so that test failures can be reproduced.
// Seeding with 64 bits of entropy is INSECURE and this code should
// not be copied outside of this test!
let mut rng = ChaChaRng::from_seed(rng_seed);
// Create a test case for each signature type.
let msg = b"test message for proptests";
let mut sig = SignatureCase::<R>::new(&mut rng, msg.to_vec());
// Apply tweaks to each case.
for t in &tweaks {
sig.apply_tweak(t);
}
assert!(sig.check());
}
}

152
frost-core/tests/tests.rs Normal file
View File

@ -0,0 +1,152 @@
use frost_core::frost;
use rand::thread_rng;
mod common;
use common::{ciphersuite::*, vectors::*};
/// This is testing that Shamir's secret sharing to compute and arbitrary
/// value is working.
#[test]
fn check_share_generation_ristretto255_sha512() {
let mut rng = thread_rng();
let secret = frost::keys::Secret::<Ristretto255Sha512>::random(&mut rng);
let secret_shares = frost::keys::generate_secret_shares(&secret, 5, 3, rng).unwrap();
for secret_share in secret_shares.iter() {
assert_eq!(secret_share.verify(), Ok(()));
}
assert_eq!(
frost::keys::reconstruct_secret::<Ristretto255Sha512>(secret_shares).unwrap(),
secret
)
}
#[test]
fn check_sign_with_test_vectors() {
let (
group_public,
key_packages,
_message,
message_bytes,
signer_nonces,
signer_commitments,
group_binding_factor_input,
group_binding_factor,
signature_shares,
signature_bytes,
) = parse_test_vectors();
type R = Ristretto255Sha512;
////////////////////////////////////////////////////////////////////////////
// Key generation
////////////////////////////////////////////////////////////////////////////
for key_package in key_packages.values() {
assert_eq!(
*key_package.public(),
frost::keys::Public::from(*key_package.secret_share())
);
}
/////////////////////////////////////////////////////////////////////////////
// Round 1: generating nonces and signing commitments for each participant
/////////////////////////////////////////////////////////////////////////////
for (i, _) in signer_commitments.clone() {
// compute nonce commitments from nonces
let nonces = signer_nonces.get(&i).unwrap();
let nonce_commitments = signer_commitments.get(&i).unwrap();
assert_eq!(
&frost::round1::NonceCommitment::from(nonces.hiding()),
nonce_commitments.hiding()
);
assert_eq!(
&frost::round1::NonceCommitment::from(nonces.binding()),
nonce_commitments.binding()
);
}
/////////////////////////////////////////////////////////////////////////////
// Round 2: each participant generates their signature share
/////////////////////////////////////////////////////////////////////////////
let signer_commitments_vec = signer_commitments
.into_iter()
.map(|(_, signing_commitments)| signing_commitments)
.collect();
let signing_package = frost::SigningPackage::new(signer_commitments_vec, message_bytes);
assert_eq!(signing_package.rho_preimage(), group_binding_factor_input);
let rho: frost::Rho<R> = (&signing_package).into();
assert_eq!(rho, group_binding_factor);
let mut our_signature_shares: Vec<frost::round2::SignatureShare<R>> = Vec::new();
// Each participant generates their signature share
for index in signer_nonces.keys() {
let key_package = &key_packages[index];
let nonces = &signer_nonces[index];
// Each participant generates their signature share.
let signature_share = frost::round2::sign(&signing_package, nonces, key_package).unwrap();
our_signature_shares.push(signature_share);
}
for sig_share in our_signature_shares.clone() {
assert_eq!(sig_share, signature_shares[sig_share.index()]);
}
let signer_pubkeys = key_packages
.into_iter()
.map(|(i, key_package)| (i, *key_package.public()))
.collect();
let pubkey_package = frost::keys::PublicKeyPackage {
signer_pubkeys,
group_public,
};
////////////////////////////////////////////////////////////////////////////
// Aggregation: collects the signing shares from all participants,
// generates the final signature.
////////////////////////////////////////////////////////////////////////////
// Aggregate the FROST signature from test vector sig shares
let group_signature_result = frost::aggregate(
&signing_package,
&signature_shares
.values()
.cloned()
.collect::<Vec<frost::round2::SignatureShare<R>>>(),
&pubkey_package,
);
// Check that the aggregation passed signature share verification and generation
assert!(group_signature_result.is_ok());
// Check that the generated signature matches the test vector signature
let group_signature = group_signature_result.unwrap();
assert_eq!(group_signature.to_bytes().to_vec(), signature_bytes);
// Aggregate the FROST signature from our signature shares
let group_signature_result =
frost::aggregate(&signing_package, &our_signature_shares, &pubkey_package);
// Check that the aggregation passed signature share verification and generation
assert!(group_signature_result.is_ok());
// Check that the generated signature matches the test vector signature
let group_signature = group_signature_result.unwrap();
assert_eq!(group_signature.to_bytes().to_vec(), signature_bytes);
}

4
frost-ristretto255/Cargo.toml
View File

@ -6,7 +6,7 @@ edition = "2021"
# - Update CHANGELOG.md
# - Create git tag.
version = "0.1.0"
authors = ["Henry de Valence <hdevalence@hdevalence.ca>", "Deirdre Connolly <durumcrustulum@gmail.com>", "Chelsea Komlo <me@chelseakomlo.com>"]
authors = [ "Deirdre Connolly <durumcrustulum@gmail.com>", "Chelsea Komlo <me@chelseakomlo.com>", "Henry de Valence <hdevalence@hdevalence.ca>"]
readme = "README.md"
license = "MIT OR Apache-2.0"
repository = "https://github.com/ZcashFoundation/frost"
@ -20,7 +20,7 @@ features = ["nightly"]
[dependencies]
byteorder = "1.4"
curve25519-dalek = { version = "4.0.0-pre.1", features = ["serde"] }
digest = "0.9"
# digest = "0.9"
hex = { version = "0.4.3", features = ["serde"] }
rand_core = "0.6"
serde = { version = "1", optional = true, features = ["derive"] }

4
frost-ristretto255/src/lib.rs
View File

@ -12,8 +12,8 @@
#![deny(missing_docs)]
#![doc = include_str!("../README.md")]
use curve25519_dalek::{digest::Update, scalar::Scalar};
use sha2::{Digest, Sha512};
use curve25519_dalek::scalar::Scalar;
use sha2::{digest::Update, Digest, Sha512};
pub mod batch;
mod error;

17
frost-ristretto255/src/signing_key.rs
View File

@ -10,7 +10,7 @@
use std::convert::{TryFrom, TryInto};
use curve25519_dalek::{constants::RISTRETTO_BASEPOINT_POINT, digest::Update, scalar::Scalar};
use curve25519_dalek::{constants::RISTRETTO_BASEPOINT_POINT, scalar::Scalar};
use rand_core::{CryptoRng, RngCore};
use sha2::{Digest, Sha512};
@ -92,12 +92,15 @@ impl SigningKey {
bytes
};
let nonce = Scalar::from_hash(
Sha512::new()
.chain(&random_bytes[..])
.chain(&self.pk.bytes.bytes[..]) // XXX ugly
.chain(msg),
);
let mut hasher = Sha512::new();
hasher.update(&random_bytes[..]);
hasher.update(&self.pk.bytes.bytes[..]);
hasher.update(msg);
let mut hash_bytes = [0u8; 64];
hash_bytes.copy_from_slice(hasher.finalize().as_slice());
let nonce = Scalar::from_bytes_mod_order_wide(&hash_bytes);
// XXX: does this need `RistrettoPoint::from_uniform_bytes()` ?
let R_bytes = (RISTRETTO_BASEPOINT_POINT * nonce).compress().to_bytes();