Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9

This commit is contained in:
Luke Parker 2022-05-25 00:28:57 -04:00
parent 1eaf2f897b
commit 868a63a6b2
No known key found for this signature in database
GPG key ID: F9F1386DB1E119B6
7 changed files with 182 additions and 52 deletions

View file

@ -14,6 +14,8 @@ pub mod key_gen;
pub mod algorithm; pub mod algorithm;
pub mod sign; pub mod sign;
pub mod tests;
/// Set of errors for curve-related operations, namely encoding and decoding /// Set of errors for curve-related operations, namely encoding and decoding
#[derive(Error, Debug)] #[derive(Error, Debug)]
pub enum CurveError { pub enum CurveError {

View file

@ -0,0 +1,32 @@
use rand_core::{RngCore, CryptoRng};
use crate::{
Curve, MultisigKeys,
tests::{schnorr::{sign, verify, batch_verify}, key_gen}
};
// Test generation of FROST keys
fn key_generation<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
// This alone verifies the verification shares and group key are agreed upon as expected
key_gen::<_, C>(rng);
}
// Test serialization of generated keys
fn keys_serialization<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
for (_, keys) in key_gen::<_, C>(rng) {
assert_eq!(&MultisigKeys::<C>::deserialize(&keys.serialize()).unwrap(), &*keys);
}
}
pub fn test_curve<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
// TODO: Test the Curve functions themselves
// Test Schnorr signatures work as expected
sign::<_, C>(rng);
verify::<_, C>(rng);
batch_verify::<_, C>(rng);
// Test FROST key generation and serialization of MultisigKeys works as expected
key_generation::<_, C>(rng);
keys_serialization::<_, C>(rng);
}

View file

@ -0,0 +1,2 @@
mod secp256k1;
mod schnorr;

View file

@ -0,0 +1,42 @@
use std::rc::Rc;
use rand::rngs::OsRng;
use crate::{
Curve, schnorr, algorithm::{Hram, Schnorr},
tests::{key_gen, algorithm_machines, sign as sign_test, actual::secp256k1::{Secp256k1, TestHram}}
};
const MESSAGE: &[u8] = b"Hello World";
#[test]
fn sign() {
sign_test(
&mut OsRng,
algorithm_machines(
&mut OsRng,
Schnorr::<Secp256k1, TestHram>::new(),
&key_gen::<_, Secp256k1>(&mut OsRng)
),
MESSAGE
);
}
#[test]
fn sign_with_offset() {
let mut keys = key_gen::<_, Secp256k1>(&mut OsRng);
let group_key = keys[&1].group_key();
let offset = Secp256k1::hash_to_F(b"offset");
for i in 1 ..= u16::try_from(keys.len()).unwrap() {
keys.insert(i, Rc::new(keys[&i].offset(offset)));
}
let offset_key = group_key + (Secp256k1::generator_table() * offset);
let sig = sign_test(
&mut OsRng,
algorithm_machines(&mut OsRng, Schnorr::<Secp256k1, TestHram>::new(), &keys),
MESSAGE
);
assert!(schnorr::verify(offset_key, TestHram::hram(&sig.R, &offset_key, MESSAGE), &sig));
}

View file

@ -1,5 +1,7 @@
use core::convert::TryInto; use core::convert::TryInto;
use rand::rngs::OsRng;
use ff::PrimeField; use ff::PrimeField;
use group::GroupEncoding; use group::GroupEncoding;
@ -11,7 +13,7 @@ use k256::{
ProjectivePoint ProjectivePoint
}; };
use frost::{CurveError, Curve, multiexp_vartime, algorithm::Hram}; use crate::{CurveError, Curve, multiexp_vartime, algorithm::Hram, tests::curve::test_curve};
#[derive(Clone, Copy, PartialEq, Eq, Debug)] #[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Secp256k1; pub struct Secp256k1;
@ -105,3 +107,8 @@ impl Hram<Secp256k1> for TestHram {
) )
} }
} }
#[test]
fn secp256k1_curve() {
test_curve::<_, Secp256k1>(&mut OsRng);
}

View file

@ -1,21 +1,29 @@
use std::{rc::Rc, collections::HashMap}; use std::{rc::Rc, collections::HashMap};
use rand::rngs::OsRng; use rand_core::{RngCore, CryptoRng};
use frost::{ use crate::{
Curve, Curve,
MultisigParams, MultisigKeys, MultisigParams, MultisigKeys,
key_gen, key_gen,
algorithm::{Algorithm, Schnorr, SchnorrSignature}, algorithm::Algorithm,
sign::{StateMachine, AlgorithmMachine} sign::{StateMachine, AlgorithmMachine}
}; };
mod common; // Internal tests
use common::{Secp256k1, TestHram}; mod schnorr;
const PARTICIPANTS: u16 = 8; // Test suites for public usage
pub mod curve;
fn clone_without<K: Clone + std::cmp::Eq + std::hash::Hash, V: Clone>( // Literal test definitions to run during `cargo test`
#[cfg(test)]
mod literal;
pub const PARTICIPANTS: u16 = 5;
pub const THRESHOLD: u16 = ((PARTICIPANTS / 3) * 2) + 1;
pub fn clone_without<K: Clone + std::cmp::Eq + std::hash::Hash, V: Clone>(
map: &HashMap<K, V>, map: &HashMap<K, V>,
without: &K without: &K
) -> HashMap<K, V> { ) -> HashMap<K, V> {
@ -24,7 +32,9 @@ fn clone_without<K: Clone + std::cmp::Eq + std::hash::Hash, V: Clone>(
res res
} }
fn key_gen<C: Curve>() -> HashMap<u16, Rc<MultisigKeys<C>>> { pub fn key_gen<R: RngCore + CryptoRng, C: Curve>(
rng: &mut R
) -> HashMap<u16, Rc<MultisigKeys<C>>> {
let mut params = HashMap::new(); let mut params = HashMap::new();
let mut machines = HashMap::new(); let mut machines = HashMap::new();
@ -33,7 +43,7 @@ fn key_gen<C: Curve>() -> HashMap<u16, Rc<MultisigKeys<C>>> {
params.insert( params.insert(
i, i,
MultisigParams::new( MultisigParams::new(
((PARTICIPANTS / 3) * 2) + 1, THRESHOLD,
PARTICIPANTS, PARTICIPANTS,
i i
).unwrap() ).unwrap()
@ -47,7 +57,7 @@ fn key_gen<C: Curve>() -> HashMap<u16, Rc<MultisigKeys<C>>> {
); );
commitments.insert( commitments.insert(
i, i,
machines.get_mut(&i).unwrap().generate_coefficients(&mut OsRng).unwrap() machines.get_mut(&i).unwrap().generate_coefficients(rng).unwrap()
); );
} }
@ -55,7 +65,7 @@ fn key_gen<C: Curve>() -> HashMap<u16, Rc<MultisigKeys<C>>> {
for (l, machine) in machines.iter_mut() { for (l, machine) in machines.iter_mut() {
secret_shares.insert( secret_shares.insert(
*l, *l,
machine.generate_secret_shares(&mut OsRng, clone_without(&commitments, l)).unwrap() machine.generate_secret_shares(rng, clone_without(&commitments, l)).unwrap()
); );
} }
@ -72,55 +82,69 @@ fn key_gen<C: Curve>() -> HashMap<u16, Rc<MultisigKeys<C>>> {
} }
let these_keys = machine.complete(our_secret_shares).unwrap(); let these_keys = machine.complete(our_secret_shares).unwrap();
// Test serialization // Verify the verification_shares are agreed upon
assert_eq!(
MultisigKeys::<C>::deserialize(&these_keys.serialize()).unwrap(),
these_keys
);
if verification_shares.is_none() { if verification_shares.is_none() {
verification_shares = Some(these_keys.verification_shares()); verification_shares = Some(these_keys.verification_shares());
} }
assert_eq!(verification_shares.as_ref().unwrap(), &these_keys.verification_shares()); assert_eq!(verification_shares.as_ref().unwrap(), &these_keys.verification_shares());
// Verify the group keys are agreed upon
if group_key.is_none() { if group_key.is_none() {
group_key = Some(these_keys.group_key()); group_key = Some(these_keys.group_key());
} }
assert_eq!(group_key.unwrap(), these_keys.group_key()); assert_eq!(group_key.unwrap(), these_keys.group_key());
keys.insert(*i, Rc::new(these_keys.clone())); keys.insert(*i, Rc::new(these_keys));
} }
keys keys
} }
fn sign<C: Curve, A: Algorithm<C, Signature = SchnorrSignature<C>>>( pub fn algorithm_machines<R: RngCore, C: Curve, A: Algorithm<C>>(
rng: &mut R,
algorithm: A, algorithm: A,
keys: &HashMap<u16, Rc<MultisigKeys<C>>> keys: &HashMap<u16, Rc<MultisigKeys<C>>>,
) { ) -> HashMap<u16, AlgorithmMachine<C, A>> {
let t = keys[&1].params().t(); let mut included = vec![];
let mut machines = HashMap::new(); while included.len() < usize::from(keys[&1].params().t()) {
let n = u16::try_from((rng.next_u64() % u64::try_from(keys.len()).unwrap()) + 1).unwrap();
if included.contains(&n) {
continue;
}
included.push(n);
}
keys.iter().filter_map(
|(i, keys)| if included.contains(&i) {
Some((
*i,
AlgorithmMachine::new(
algorithm.clone(),
keys.clone(),
&included.clone()
).unwrap()
))
} else {
None
}
).collect()
}
pub fn sign<R: RngCore + CryptoRng, M: StateMachine>(
rng: &mut R,
mut machines: HashMap<u16, M>,
msg: &[u8]
) -> M::Signature {
let mut commitments = HashMap::new(); let mut commitments = HashMap::new();
for i in 1 ..= t { for (i, machine) in machines.iter_mut() {
machines.insert( commitments.insert(*i, machine.preprocess(rng).unwrap());
i,
AlgorithmMachine::new(
algorithm.clone(),
keys[&i].clone(),
&(1 ..= t).collect::<Vec<_>>()
).unwrap()
);
commitments.insert(
i,
machines.get_mut(&i).unwrap().preprocess(&mut OsRng).unwrap()
);
} }
let mut shares = HashMap::new(); let mut shares = HashMap::new();
for (i, machine) in machines.iter_mut() { for (i, machine) in machines.iter_mut() {
shares.insert( shares.insert(
*i, *i,
machine.sign(clone_without(&commitments, i), b"Hello World").unwrap() machine.sign(clone_without(&commitments, i), msg).unwrap()
); );
} }
@ -128,20 +152,9 @@ fn sign<C: Curve, A: Algorithm<C, Signature = SchnorrSignature<C>>>(
for (i, machine) in machines.iter_mut() { for (i, machine) in machines.iter_mut() {
let sig = machine.complete(clone_without(&shares, i)).unwrap(); let sig = machine.complete(clone_without(&shares, i)).unwrap();
if signature.is_none() { if signature.is_none() {
signature = Some(sig); signature = Some(sig.clone());
} }
assert_eq!(sig, signature.unwrap()); assert_eq!(&sig, signature.as_ref().unwrap());
} }
} signature.unwrap()
#[test]
fn key_gen_and_sign() {
let mut keys = key_gen::<Secp256k1>();
sign(Schnorr::<Secp256k1, TestHram>::new(), &keys);
for i in 1 ..= u16::try_from(PARTICIPANTS).unwrap() {
keys.insert(i, Rc::new(keys[&i].offset(Secp256k1::hash_to_F(b"offset"))));
}
sign(Schnorr::<Secp256k1, TestHram>::new(), &keys);
} }

View file

@ -0,0 +1,32 @@
use rand_core::{RngCore, CryptoRng};
use ff::Field;
use crate::{Curve, schnorr, algorithm::SchnorrSignature};
pub(crate) fn sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
let private_key = C::F::random(&mut *rng);
let nonce = C::F::random(&mut *rng);
let challenge = C::F::random(rng); // Doesn't bother to craft an HRAM
assert!(
schnorr::verify::<C>(
C::generator_table() * private_key,
challenge,
&schnorr::sign(private_key, nonce, challenge)
)
);
}
// The above sign function verifies signing works
// This verifies invalid signatures don't pass, using zero signatures, which should effectively be
// random
pub(crate) fn verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
assert!(
!schnorr::verify::<C>(
C::generator_table() * C::F::random(&mut *rng),
C::F::random(rng),
&SchnorrSignature { R: C::generator_table() * C::F::zero(), s: C::F::zero() }
)
);
}