2022-04-22 01:36:18 +00:00
|
|
|
use core::{marker::PhantomData, fmt::Debug};
|
2022-10-26 04:17:25 +00:00
|
|
|
use std::io::{self, Read, Write};
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-11-11 03:35:09 +00:00
|
|
|
use zeroize::Zeroizing;
|
2022-04-22 01:36:18 +00:00
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
2022-05-06 11:33:08 +00:00
|
|
|
use transcript::Transcript;
|
2022-05-03 11:20:24 +00:00
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
use crate::{Curve, FrostError, ThresholdView};
|
2022-05-25 04:22:00 +00:00
|
|
|
pub use schnorr::SchnorrSignature;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
/// Write an addendum to a writer.
|
|
|
|
pub trait WriteAddendum {
|
2022-10-26 04:17:25 +00:00
|
|
|
fn write<W: Write>(&self, writer: &mut W) -> io::Result<()>;
|
|
|
|
}
|
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
impl WriteAddendum for () {
|
2022-10-26 04:17:25 +00:00
|
|
|
fn write<W: Write>(&self, _: &mut W) -> io::Result<()> {
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Trait alias for the requirements to be used as an addendum.
|
2022-10-29 08:54:42 +00:00
|
|
|
pub trait Addendum: Clone + PartialEq + Debug + WriteAddendum {}
|
|
|
|
impl<A: Clone + PartialEq + Debug + WriteAddendum> Addendum for A {}
|
2022-10-26 04:17:25 +00:00
|
|
|
|
2022-09-29 11:08:20 +00:00
|
|
|
/// Algorithm trait usable by the FROST signing machine to produce signatures..
|
2022-04-23 07:49:30 +00:00
|
|
|
pub trait Algorithm<C: Curve>: Clone {
|
2022-09-29 11:08:20 +00:00
|
|
|
/// The transcript format this algorithm uses. This likely should NOT be the IETF-compatible
|
|
|
|
/// transcript included in this crate.
|
2022-10-26 04:17:25 +00:00
|
|
|
type Transcript: Clone + Debug + Transcript;
|
|
|
|
/// Serializable addendum, used in algorithms requiring more data than just the nonces.
|
|
|
|
type Addendum: Addendum;
|
2022-09-29 09:25:29 +00:00
|
|
|
/// The resulting type of the signatures this algorithm will produce.
|
2022-05-25 04:21:01 +00:00
|
|
|
type Signature: Clone + PartialEq + Debug;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Obtain a mutable borrow of the underlying transcript.
|
2022-05-06 11:33:08 +00:00
|
|
|
fn transcript(&mut self) -> &mut Self::Transcript;
|
|
|
|
|
2022-10-26 04:17:25 +00:00
|
|
|
/// Obtain the list of nonces to generate, as specified by the generators to create commitments
|
|
|
|
/// against per-nonce
|
2022-07-12 05:28:01 +00:00
|
|
|
fn nonces(&self) -> Vec<Vec<C::G>>;
|
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Generate an addendum to FROST"s preprocessing stage.
|
2022-04-22 01:36:18 +00:00
|
|
|
fn preprocess_addendum<R: RngCore + CryptoRng>(
|
2022-05-17 23:15:53 +00:00
|
|
|
&mut self,
|
2022-04-22 01:36:18 +00:00
|
|
|
rng: &mut R,
|
2022-10-29 08:54:42 +00:00
|
|
|
params: &ThresholdView<C>,
|
2022-10-26 04:17:25 +00:00
|
|
|
) -> Self::Addendum;
|
|
|
|
|
|
|
|
/// Read an addendum from a reader.
|
|
|
|
fn read_addendum<R: Read>(&self, reader: &mut R) -> io::Result<Self::Addendum>;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
2022-10-26 04:17:25 +00:00
|
|
|
/// Proccess the addendum for the specified participant. Guaranteed to be called in order.
|
|
|
|
fn process_addendum(
|
2022-04-22 01:36:18 +00:00
|
|
|
&mut self,
|
2022-10-29 08:54:42 +00:00
|
|
|
params: &ThresholdView<C>,
|
2022-05-25 01:41:14 +00:00
|
|
|
l: u16,
|
2022-10-26 04:17:25 +00:00
|
|
|
reader: Self::Addendum,
|
2022-04-22 01:36:18 +00:00
|
|
|
) -> Result<(), FrostError>;
|
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Sign a share with the given secret/nonce.
|
2022-04-22 01:36:18 +00:00
|
|
|
/// The secret will already have been its lagrange coefficient applied so it is the necessary
|
2022-09-29 09:25:29 +00:00
|
|
|
/// key share.
|
|
|
|
/// The nonce will already have been processed into the combined form d + (e * p).
|
2022-04-22 01:36:18 +00:00
|
|
|
fn sign_share(
|
|
|
|
&mut self,
|
2022-10-29 08:54:42 +00:00
|
|
|
params: &ThresholdView<C>,
|
2022-07-12 05:28:01 +00:00
|
|
|
nonce_sums: &[Vec<C::G>],
|
2022-11-11 03:35:09 +00:00
|
|
|
nonces: Vec<Zeroizing<C::F>>,
|
2022-04-22 01:36:18 +00:00
|
|
|
msg: &[u8],
|
|
|
|
) -> C::F;
|
|
|
|
|
2022-09-29 09:25:29 +00:00
|
|
|
/// Verify a signature.
|
2022-07-07 18:28:42 +00:00
|
|
|
#[must_use]
|
2022-07-12 05:28:01 +00:00
|
|
|
fn verify(&self, group_key: C::G, nonces: &[Vec<C::G>], sum: C::F) -> Option<Self::Signature>;
|
2022-04-22 01:36:18 +00:00
|
|
|
|
|
|
|
/// Verify a specific share given as a response. Used to determine blame if signature
|
2022-09-29 09:25:29 +00:00
|
|
|
/// verification fails.
|
2022-07-07 18:28:42 +00:00
|
|
|
#[must_use]
|
2022-07-15 05:26:07 +00:00
|
|
|
fn verify_share(&self, verification_share: C::G, nonces: &[Vec<C::G>], share: C::F) -> bool;
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-09-29 11:08:20 +00:00
|
|
|
/// IETF-compliant transcript. This is incredibly naive and should not be used within larger
|
|
|
|
/// protocols.
|
2022-05-06 11:33:08 +00:00
|
|
|
#[derive(Clone, Debug)]
|
|
|
|
pub struct IetfTranscript(Vec<u8>);
|
|
|
|
impl Transcript for IetfTranscript {
|
2022-06-28 08:02:56 +00:00
|
|
|
type Challenge = Vec<u8>;
|
|
|
|
|
2022-07-12 05:28:01 +00:00
|
|
|
fn new(_: &'static [u8]) -> IetfTranscript {
|
2022-07-12 06:45:18 +00:00
|
|
|
IetfTranscript(vec![])
|
2022-07-12 05:28:01 +00:00
|
|
|
}
|
|
|
|
|
2022-05-06 11:33:08 +00:00
|
|
|
fn domain_separate(&mut self, _: &[u8]) {}
|
|
|
|
|
2022-11-05 22:43:36 +00:00
|
|
|
fn append_message<M: AsRef<[u8]>>(&mut self, _: &'static [u8], message: M) {
|
|
|
|
self.0.extend(message.as_ref());
|
2022-05-06 11:33:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
fn challenge(&mut self, _: &'static [u8]) -> Vec<u8> {
|
|
|
|
self.0.clone()
|
|
|
|
}
|
|
|
|
|
2022-05-31 06:12:14 +00:00
|
|
|
fn rng_seed(&mut self, _: &'static [u8]) -> [u8; 32] {
|
2022-05-06 11:33:08 +00:00
|
|
|
unimplemented!()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-29 11:08:20 +00:00
|
|
|
/// HRAm usable by the included Schnorr signature algorithm to generate challenges.
|
2022-04-23 07:49:30 +00:00
|
|
|
pub trait Hram<C: Curve>: Clone {
|
2022-09-29 11:08:20 +00:00
|
|
|
/// HRAm function to generate a challenge.
|
2022-09-29 09:25:29 +00:00
|
|
|
/// H2 from the IETF draft, despite having a different argument set (not being pre-formatted).
|
2022-04-22 01:36:18 +00:00
|
|
|
#[allow(non_snake_case)]
|
2022-04-23 07:49:30 +00:00
|
|
|
fn hram(R: &C::G, A: &C::G, m: &[u8]) -> C::F;
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-09-29 11:08:20 +00:00
|
|
|
/// IETF-compliant Schnorr signature algorithm ((R, s) where s = r + cx).
|
2022-04-23 07:49:30 +00:00
|
|
|
#[derive(Clone)]
|
|
|
|
pub struct Schnorr<C: Curve, H: Hram<C>> {
|
2022-05-06 11:33:08 +00:00
|
|
|
transcript: IetfTranscript,
|
2022-04-22 01:36:18 +00:00
|
|
|
c: Option<C::F>,
|
2022-04-23 07:49:30 +00:00
|
|
|
_hram: PhantomData<H>,
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-07-22 06:34:36 +00:00
|
|
|
impl<C: Curve, H: Hram<C>> Default for Schnorr<C, H> {
|
|
|
|
fn default() -> Self {
|
|
|
|
Self::new()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-23 07:49:30 +00:00
|
|
|
impl<C: Curve, H: Hram<C>> Schnorr<C, H> {
|
2022-04-22 01:36:18 +00:00
|
|
|
pub fn new() -> Schnorr<C, H> {
|
2022-07-15 05:26:07 +00:00
|
|
|
Schnorr { transcript: IetfTranscript(vec![]), c: None, _hram: PhantomData }
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-23 07:49:30 +00:00
|
|
|
impl<C: Curve, H: Hram<C>> Algorithm<C> for Schnorr<C, H> {
|
2022-05-06 11:33:08 +00:00
|
|
|
type Transcript = IetfTranscript;
|
2022-10-26 04:17:25 +00:00
|
|
|
type Addendum = ();
|
2022-04-22 01:36:18 +00:00
|
|
|
type Signature = SchnorrSignature<C>;
|
|
|
|
|
2022-05-06 11:33:08 +00:00
|
|
|
fn transcript(&mut self) -> &mut Self::Transcript {
|
|
|
|
&mut self.transcript
|
|
|
|
}
|
|
|
|
|
2022-07-12 05:28:01 +00:00
|
|
|
fn nonces(&self) -> Vec<Vec<C::G>> {
|
2022-08-13 09:07:07 +00:00
|
|
|
vec![vec![C::generator()]]
|
2022-07-12 05:28:01 +00:00
|
|
|
}
|
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
fn preprocess_addendum<R: RngCore + CryptoRng>(&mut self, _: &mut R, _: &ThresholdView<C>) {}
|
2022-10-26 04:17:25 +00:00
|
|
|
|
|
|
|
fn read_addendum<R: Read>(&self, _: &mut R) -> io::Result<Self::Addendum> {
|
|
|
|
Ok(())
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-10-29 08:54:42 +00:00
|
|
|
fn process_addendum(&mut self, _: &ThresholdView<C>, _: u16, _: ()) -> Result<(), FrostError> {
|
2022-04-22 01:36:18 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
fn sign_share(
|
|
|
|
&mut self,
|
2022-10-29 08:54:42 +00:00
|
|
|
params: &ThresholdView<C>,
|
2022-07-12 05:28:01 +00:00
|
|
|
nonce_sums: &[Vec<C::G>],
|
2022-11-11 03:35:09 +00:00
|
|
|
mut nonces: Vec<Zeroizing<C::F>>,
|
2022-04-22 01:36:18 +00:00
|
|
|
msg: &[u8],
|
|
|
|
) -> C::F {
|
2022-07-12 05:28:01 +00:00
|
|
|
let c = H::hram(&nonce_sums[0][0], ¶ms.group_key(), msg);
|
2022-04-22 01:36:18 +00:00
|
|
|
self.c = Some(c);
|
2022-11-11 03:35:09 +00:00
|
|
|
SchnorrSignature::<C>::sign(params.secret_share(), nonces.swap_remove(0), c).s
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-07-07 18:28:42 +00:00
|
|
|
#[must_use]
|
2022-07-12 05:28:01 +00:00
|
|
|
fn verify(&self, group_key: C::G, nonces: &[Vec<C::G>], sum: C::F) -> Option<Self::Signature> {
|
|
|
|
let sig = SchnorrSignature { R: nonces[0][0], s: sum };
|
2022-10-29 08:54:42 +00:00
|
|
|
Some(sig).filter(|sig| sig.verify(group_key, self.c.unwrap()))
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
|
2022-07-07 18:28:42 +00:00
|
|
|
#[must_use]
|
2022-07-15 05:26:07 +00:00
|
|
|
fn verify_share(&self, verification_share: C::G, nonces: &[Vec<C::G>], share: C::F) -> bool {
|
2022-10-29 08:54:42 +00:00
|
|
|
SchnorrSignature::<C> { R: nonces[0][0], s: share }.verify(verification_share, self.c.unwrap())
|
2022-04-22 01:36:18 +00:00
|
|
|
}
|
|
|
|
}
|