serai/crypto/frost/src/lib.rs

#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![doc = include_str!("../README.md")]

use core::fmt::Debug;
use std::collections::HashMap;

use thiserror::Error;

/// Distributed key generation protocol.
pub use dkg::{self, Participant, ThresholdParams, ThresholdCore, ThresholdKeys, ThresholdView};

/// Curve trait and provided curves/HRAMs, forming various ciphersuites.
pub mod curve;
use curve::Curve;

/// Algorithm for the signing process.
pub mod algorithm;
mod nonce;
/// Threshold signing protocol.
pub mod sign;

/// Tests for application-provided curves and algorithms.
#[cfg(any(test, feature = "tests"))]
pub mod tests;

/// Various errors possible during signing.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Error)]
pub enum FrostError {
  #[error("invalid participant (0 < participant <= {0}, yet participant is {1})")]
  InvalidParticipant(u16, Participant),
  #[error("invalid signing set ({0})")]
  InvalidSigningSet(&'static str),
  #[error("invalid participant quantity (expected {0}, got {1})")]
  InvalidParticipantQuantity(usize, usize),
  #[error("duplicated participant ({0})")]
  DuplicatedParticipant(Participant),
  #[error("missing participant {0}")]
  MissingParticipant(Participant),

  #[error("invalid preprocess (participant {0})")]
  InvalidPreprocess(Participant),
  #[error("invalid share (participant {0})")]
  InvalidShare(Participant),
}

/// Validate a map of values to have the expected participants.
pub fn validate_map<T>(
  map: &HashMap<Participant, T>,
  included: &[Participant],
  ours: Participant,
) -> Result<(), FrostError> {
  if (map.len() + 1) != included.len() {
    Err(FrostError::InvalidParticipantQuantity(included.len(), map.len() + 1))?;
  }

  for included in included {
    if *included == ours {
      if map.contains_key(included) {
        Err(FrostError::DuplicatedParticipant(*included))?;
      }
      continue;
    }

    if !map.contains_key(included) {
      Err(FrostError::MissingParticipant(*included))?;
    }
  }

  Ok(())
}
Use doc_auto_cfg 2022-09-29 08:47:55 +00:00			`#![cfg_attr(docsrs, feature(doc_auto_cfg))]`
Fully document crypto/ 2023-03-21 00:10:00 +00:00			`#![doc = include_str!("../README.md")]`
Add further FROST documentation 2022-09-29 10:02:43 +00:00
Refine from pedantic, remove erratic consts 2023-07-08 05:26:08 +00:00			`use core::fmt::Debug;`
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor 2022-10-29 08:54:42 +00:00			`use std::collections::HashMap;`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00
Refine from pedantic, remove erratic consts 2023-07-08 05:26:08 +00:00			`use thiserror::Error;`

Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor 2022-10-29 08:54:42 +00:00			`/// Distributed key generation protocol.`
3.3.3 (cont) Add a dedicated Participant type 2023-02-23 11:50:45 +00:00			`pub use dkg::{self, Participant, ThresholdParams, ThresholdCore, ThresholdKeys, ThresholdView};`
Consolidate Schnorr code in FROST 2022-05-25 04:22:00 +00:00
Add further FROST documentation 2022-09-29 10:02:43 +00:00			`/// Curve trait and provided curves/HRAMs, forming various ciphersuites.`
Reorganize FROST's handling of curves 2022-06-24 23:47:19 +00:00			`pub mod curve;`
Move FROST to Read Fixes https://github.com/serai-dex/serai/issues/33 and https://github.com/serai-dex/serai/issues/35. Also fixes a few potential panics/DoS AFAICT. 2022-07-13 06:38:29 +00:00			`use curve::Curve;`
Add FROST key promotion Closes https://github.com/serai-dex/serai/issues/72. Adds a trait, with a commented impl for a semi-unsafe niche feature, which will be used in https://github.com/serai-dex/serai/issues/73. 2022-08-13 12:49:38 +00:00
Add further FROST documentation 2022-09-29 10:02:43 +00:00			`/// Algorithm for the signing process.`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`pub mod algorithm;`
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation 2022-10-26 04:17:25 +00:00			`mod nonce;`
Add further FROST documentation 2022-09-29 10:02:43 +00:00			`/// Threshold signing protocol.`
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG. 2022-04-22 01:36:18 +00:00			`pub mod sign;`

Add further FROST documentation 2022-09-29 10:02:43 +00:00			`/// Tests for application-provided curves and algorithms.`
Fill out Cargo.tomls Updated missing fields/sections, even if some won't be used, to standardize. Also made FROST tests feature-gated. 2022-10-16 03:46:22 +00:00			`#[cfg(any(test, feature = "tests"))]`
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9 2022-05-25 04:28:57 +00:00			`pub mod tests;`

Refine from pedantic, remove erratic consts 2023-07-08 05:26:08 +00:00			`/// Various errors possible during signing.`
			`#[derive(Clone, Copy, PartialEq, Eq, Debug, Error)]`
			`pub enum FrostError {`
			`#[error("invalid participant (0 < participant <= {0}, yet participant is {1})")]`
			`InvalidParticipant(u16, Participant),`
			`#[error("invalid signing set ({0})")]`
			`InvalidSigningSet(&'static str),`
			`#[error("invalid participant quantity (expected {0}, got {1})")]`
			`InvalidParticipantQuantity(usize, usize),`
			`#[error("duplicated participant ({0})")]`
			`DuplicatedParticipant(Participant),`
			`#[error("missing participant {0}")]`
			`MissingParticipant(Participant),`
Correct derives on errors 2022-12-09 14:50:00 +00:00
Refine from pedantic, remove erratic consts 2023-07-08 05:26:08 +00:00			`#[error("invalid preprocess (participant {0})")]`
			`InvalidPreprocess(Participant),`
			`#[error("invalid share (participant {0})")]`
			`InvalidShare(Participant),`
Correct derives on errors 2022-12-09 14:50:00 +00:00			`}`

Fully document crypto/ 2023-03-21 00:10:00 +00:00			`/// Validate a map of values to have the expected participants.`
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I could have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor 2022-12-09 00:04:35 +00:00			`pub fn validate_map<T>(`
3.3.3 (cont) Add a dedicated Participant type 2023-02-23 11:50:45 +00:00			`map: &HashMap<Participant, T>,`
			`included: &[Participant],`
			`ours: Participant,`
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests 2022-08-03 08:25:18 +00:00			`) -> Result<(), FrostError> {`
			`if (map.len() + 1) != included.len() {`
			`Err(FrostError::InvalidParticipantQuantity(included.len(), map.len() + 1))?;`
			`}`

			`for included in included {`
			`if *included == ours {`
			`if map.contains_key(included) {`
3.3.3 (cont) Add a dedicated Participant type 2023-02-23 11:50:45 +00:00			`Err(FrostError::DuplicatedParticipant(*included))?;`
Utilize zeroize (#76) * Apply Zeroize to nonces used in Bulletproofs Also makes bit decomposition constant time for a given amount of outputs. * Fix nonce reuse for single-signer CLSAG * Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data * Zeroize private keys and nonces * Merge prepare_outputs and prepare_transactions * Ensure CLSAG is constant time * Pass by borrow where needed, bug fixes The past few commitments have been one in-progress chunk which I've broken up as best read. * Add Zeroize to FROST structs Still needs to zeroize internally, yet next step. Not quite as aggressive as Monero, partially due to the limitations of HashMaps, partially due to less concern about metadata, yet does still delete a few smaller items of metadata (group key, context string...). * Remove Zeroize from most Monero multisig structs These structs largely didn't have private data, just fields with private data, yet those fields implemented ZeroizeOnDrop making them already covered. While there is still traces of the transaction left in RAM, fully purging that was never the intent. * Use Zeroize within dleq bitvec doesn't offer Zeroize, so a manual zeroing has been implemented. * Use Zeroize for random_nonce It isn't perfect, due to the inability to zeroize the digest, and due to kp256 requiring a few transformations. It does the best it can though. Does move the per-curve random_nonce to a provided one, which is allowed as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231. * Use Zeroize on FROST keygen/signing * Zeroize constant time multiexp. * Correct when FROST keygen zeroizes * Move the FROST keys Arc into FrostKeys Reduces amount of instances in memory. * Manually implement Debug for FrostCore to not leak the secret share * Misc bug fixes * clippy + multiexp test bug fixes * Correct FROST key gen share summation It leaked our own share for ourself. * Fix cross-group DLEq tests 2022-08-03 08:25:18 +00:00			`}`
			`continue;`
			`}`

			`if !map.contains_key(included) {`
			`Err(FrostError::MissingParticipant(*included))?;`
			`}`
			`}`

			`Ok(())`
			`}`