mirror of
https://github.com/serai-dex/serai.git
synced 2025-01-10 12:54:35 +00:00
Generalize out the FROST test for signing/signing with an offset
Moves Schnorr signature tests from test_curve to the new test_schnorr, which is more a test_frost. Relevant to https://github.com/serai-dex/serai/issues/9.
This commit is contained in:
parent
33241a5bb6
commit
9b52cf4d20
7 changed files with 83 additions and 66 deletions
|
@ -3,15 +3,24 @@ use rand::rngs::OsRng;
|
||||||
use sha2::Sha512;
|
use sha2::Sha512;
|
||||||
|
|
||||||
use dalek_ff_group as dfg;
|
use dalek_ff_group as dfg;
|
||||||
use frost::{Curve, algorithm::Hram, tests::{curve::test_curve, vectors::{Vectors, vectors}}};
|
use frost::{
|
||||||
|
Curve,
|
||||||
|
algorithm::Hram,
|
||||||
|
tests::{curve::test_curve, schnorr::test_schnorr, vectors::{Vectors, vectors}}
|
||||||
|
};
|
||||||
|
|
||||||
use crate::frost::{Ed25519, Ed25519Internal};
|
use crate::frost::{Ed25519, Ed25519Internal};
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn frost_ed25519() {
|
fn frost_ed25519_curve() {
|
||||||
test_curve::<_, Ed25519>(&mut OsRng);
|
test_curve::<_, Ed25519>(&mut OsRng);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn frost_ed25519_schnorr() {
|
||||||
|
test_schnorr::<_, Ed25519>(&mut OsRng);
|
||||||
|
}
|
||||||
|
|
||||||
// Not spec-compliant, as this shouldn't use wide reduction
|
// Not spec-compliant, as this shouldn't use wide reduction
|
||||||
// Is vectors compliant, which is why the below tests pass
|
// Is vectors compliant, which is why the below tests pass
|
||||||
// See https://github.com/cfrg/draft-irtf-cfrg-frost/issues/204
|
// See https://github.com/cfrg/draft-irtf-cfrg-frost/issues/204
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
use rand_core::{RngCore, CryptoRng};
|
use rand_core::{RngCore, CryptoRng};
|
||||||
|
|
||||||
use crate::{
|
use crate::{Curve, MultisigKeys, tests::key_gen};
|
||||||
Curve, MultisigKeys,
|
|
||||||
tests::{schnorr::{sign, verify, batch_verify}, key_gen}
|
|
||||||
};
|
|
||||||
|
|
||||||
// Test generation of FROST keys
|
// Test generation of FROST keys
|
||||||
fn key_generation<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
fn key_generation<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
|
@ -21,13 +18,6 @@ fn keys_serialization<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
pub fn test_curve<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
pub fn test_curve<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
// TODO: Test the Curve functions themselves
|
// TODO: Test the Curve functions themselves
|
||||||
|
|
||||||
// Test Schnorr signatures work as expected
|
|
||||||
// This is a bit unnecessary, as they should for any valid curve, yet this provides tests with
|
|
||||||
// meaning, which the above tests won't have
|
|
||||||
sign::<_, C>(rng);
|
|
||||||
verify::<_, C>(rng);
|
|
||||||
batch_verify::<_, C>(rng);
|
|
||||||
|
|
||||||
// Test FROST key generation and serialization of MultisigKeys works as expected
|
// Test FROST key generation and serialization of MultisigKeys works as expected
|
||||||
key_generation::<_, C>(rng);
|
key_generation::<_, C>(rng);
|
||||||
keys_serialization::<_, C>(rng);
|
keys_serialization::<_, C>(rng);
|
||||||
|
|
|
@ -1,2 +1 @@
|
||||||
mod p256;
|
mod p256;
|
||||||
mod schnorr;
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ use p256::{elliptic_curve::bigint::{Encoding, U384}, Scalar, ProjectivePoint};
|
||||||
use crate::{
|
use crate::{
|
||||||
CurveError, Curve,
|
CurveError, Curve,
|
||||||
algorithm::Hram,
|
algorithm::Hram,
|
||||||
tests::{curve::test_curve, vectors::{Vectors, vectors}}
|
tests::{curve::test_curve, schnorr::test_schnorr, vectors::{Vectors, vectors}}
|
||||||
};
|
};
|
||||||
|
|
||||||
const CONTEXT_STRING: &[u8] = b"FROST-P256-SHA256-v5";
|
const CONTEXT_STRING: &[u8] = b"FROST-P256-SHA256-v5";
|
||||||
|
@ -179,8 +179,13 @@ fn p256_curve() {
|
||||||
test_curve::<_, P256>(&mut OsRng);
|
test_curve::<_, P256>(&mut OsRng);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn p256_schnorr() {
|
||||||
|
test_schnorr::<_, P256>(&mut OsRng);
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct IetfP256Hram {}
|
pub struct IetfP256Hram;
|
||||||
impl Hram<P256> for IetfP256Hram {
|
impl Hram<P256> for IetfP256Hram {
|
||||||
#[allow(non_snake_case)]
|
#[allow(non_snake_case)]
|
||||||
fn hram(R: &ProjectivePoint, A: &ProjectivePoint, m: &[u8]) -> Scalar {
|
fn hram(R: &ProjectivePoint, A: &ProjectivePoint, m: &[u8]) -> Scalar {
|
||||||
|
|
|
@ -1,42 +0,0 @@
|
||||||
use std::rc::Rc;
|
|
||||||
|
|
||||||
use rand::rngs::OsRng;
|
|
||||||
|
|
||||||
use crate::{
|
|
||||||
Curve, schnorr, algorithm::{Hram, Schnorr},
|
|
||||||
tests::{key_gen, algorithm_machines, sign as sign_test, literal::p256::{P256, IetfP256Hram}}
|
|
||||||
};
|
|
||||||
|
|
||||||
const MESSAGE: &[u8] = b"Hello World";
|
|
||||||
|
|
||||||
#[test]
|
|
||||||
fn sign() {
|
|
||||||
sign_test(
|
|
||||||
&mut OsRng,
|
|
||||||
algorithm_machines(
|
|
||||||
&mut OsRng,
|
|
||||||
Schnorr::<P256, IetfP256Hram>::new(),
|
|
||||||
&key_gen::<_, P256>(&mut OsRng)
|
|
||||||
),
|
|
||||||
MESSAGE
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
#[test]
|
|
||||||
fn sign_with_offset() {
|
|
||||||
let mut keys = key_gen::<_, P256>(&mut OsRng);
|
|
||||||
let group_key = keys[&1].group_key();
|
|
||||||
|
|
||||||
let offset = P256::hash_to_F(b"offset", &[]);
|
|
||||||
for i in 1 ..= u16::try_from(keys.len()).unwrap() {
|
|
||||||
keys.insert(i, Rc::new(keys[&i].offset(offset)));
|
|
||||||
}
|
|
||||||
let offset_key = group_key + (P256::generator_table() * offset);
|
|
||||||
|
|
||||||
let sig = sign_test(
|
|
||||||
&mut OsRng,
|
|
||||||
algorithm_machines(&mut OsRng, Schnorr::<P256, IetfP256Hram>::new(), &keys),
|
|
||||||
MESSAGE
|
|
||||||
);
|
|
||||||
assert!(schnorr::verify(offset_key, IetfP256Hram::hram(&sig.R, &offset_key, MESSAGE), &sig));
|
|
||||||
}
|
|
|
@ -13,11 +13,9 @@ use crate::{
|
||||||
sign::{StateMachine, AlgorithmMachine}
|
sign::{StateMachine, AlgorithmMachine}
|
||||||
};
|
};
|
||||||
|
|
||||||
// Internal tests
|
|
||||||
mod schnorr;
|
|
||||||
|
|
||||||
// Test suites for public usage
|
// Test suites for public usage
|
||||||
pub mod curve;
|
pub mod curve;
|
||||||
|
pub mod schnorr;
|
||||||
pub mod vectors;
|
pub mod vectors;
|
||||||
|
|
||||||
// Literal test definitions to run during `cargo test`
|
// Literal test definitions to run during `cargo test`
|
||||||
|
@ -56,7 +54,7 @@ pub fn key_gen<R: RngCore + CryptoRng, C: Curve>(
|
||||||
i,
|
i,
|
||||||
key_gen::StateMachine::<C>::new(
|
key_gen::StateMachine::<C>::new(
|
||||||
params[&i],
|
params[&i],
|
||||||
"FROST test key_gen".to_string()
|
"FROST Test key_gen".to_string()
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
commitments.insert(
|
commitments.insert(
|
||||||
|
|
|
@ -1,10 +1,15 @@
|
||||||
|
use std::{marker::PhantomData, rc::Rc, collections::HashMap};
|
||||||
|
|
||||||
use rand_core::{RngCore, CryptoRng};
|
use rand_core::{RngCore, CryptoRng};
|
||||||
|
|
||||||
use ff::Field;
|
use ff::Field;
|
||||||
|
|
||||||
use crate::{Curve, schnorr, algorithm::SchnorrSignature};
|
use crate::{
|
||||||
|
Curve, MultisigKeys, schnorr::{self, SchnorrSignature}, algorithm::{Hram, Schnorr},
|
||||||
|
tests::{key_gen, algorithm_machines, sign as sign_test}
|
||||||
|
};
|
||||||
|
|
||||||
pub(crate) fn sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
pub(crate) fn core_sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
let private_key = C::F::random(&mut *rng);
|
let private_key = C::F::random(&mut *rng);
|
||||||
let nonce = C::F::random(&mut *rng);
|
let nonce = C::F::random(&mut *rng);
|
||||||
let challenge = C::F::random(rng); // Doesn't bother to craft an HRAM
|
let challenge = C::F::random(rng); // Doesn't bother to craft an HRAM
|
||||||
|
@ -20,7 +25,7 @@ pub(crate) fn sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
// The above sign function verifies signing works
|
// The above sign function verifies signing works
|
||||||
// This verifies invalid signatures don't pass, using zero signatures, which should effectively be
|
// This verifies invalid signatures don't pass, using zero signatures, which should effectively be
|
||||||
// random
|
// random
|
||||||
pub(crate) fn verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
pub(crate) fn core_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
assert!(
|
assert!(
|
||||||
!schnorr::verify::<C>(
|
!schnorr::verify::<C>(
|
||||||
C::generator_table() * C::F::random(&mut *rng),
|
C::generator_table() * C::F::random(&mut *rng),
|
||||||
|
@ -30,7 +35,7 @@ pub(crate) fn verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn batch_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
pub(crate) fn core_batch_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
// Create 5 signatures
|
// Create 5 signatures
|
||||||
let mut keys = vec![];
|
let mut keys = vec![];
|
||||||
let mut challenges = vec![];
|
let mut challenges = vec![];
|
||||||
|
@ -71,3 +76,56 @@ pub(crate) fn batch_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn sign_core<R: RngCore + CryptoRng, C: Curve>(
|
||||||
|
rng: &mut R,
|
||||||
|
group_key: C::G,
|
||||||
|
keys: &HashMap<u16, Rc<MultisigKeys<C>>>
|
||||||
|
) {
|
||||||
|
const MESSAGE: &'static [u8] = b"Hello, World!";
|
||||||
|
|
||||||
|
let machines = algorithm_machines(rng, Schnorr::<C, TestHram<C>>::new(), keys);
|
||||||
|
let sig = sign_test(&mut *rng, machines, MESSAGE);
|
||||||
|
assert!(schnorr::verify(group_key, TestHram::<C>::hram(&sig.R, &group_key, MESSAGE), &sig));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
|
pub struct TestHram<C: Curve> {
|
||||||
|
_curve: PhantomData<C>
|
||||||
|
}
|
||||||
|
impl<C: Curve> Hram<C> for TestHram<C> {
|
||||||
|
#[allow(non_snake_case)]
|
||||||
|
fn hram(R: &C::G, A: &C::G, m: &[u8]) -> C::F {
|
||||||
|
C::hash_to_F(b"challenge", &[&C::G_to_bytes(R), &C::G_to_bytes(A), m].concat())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
|
let keys = key_gen::<_, C>(&mut *rng);
|
||||||
|
sign_core(rng, keys[&1].group_key(), &keys);
|
||||||
|
}
|
||||||
|
|
||||||
|
fn sign_with_offset<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
|
let mut keys = key_gen::<_, C>(&mut *rng);
|
||||||
|
let group_key = keys[&1].group_key();
|
||||||
|
|
||||||
|
let offset = C::hash_to_F(b"FROST Test sign_with_offset", b"offset");
|
||||||
|
for i in 1 ..= u16::try_from(keys.len()).unwrap() {
|
||||||
|
keys.insert(i, Rc::new(keys[&i].offset(offset)));
|
||||||
|
}
|
||||||
|
let offset_key = group_key + (C::generator_table() * offset);
|
||||||
|
|
||||||
|
sign_core(rng, offset_key, &keys);
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn test_schnorr<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
|
||||||
|
// Test Schnorr signatures work as expected
|
||||||
|
// This is a bit unnecessary, as they should for any valid curve, yet this establishes sanity
|
||||||
|
core_sign::<_, C>(rng);
|
||||||
|
core_verify::<_, C>(rng);
|
||||||
|
core_batch_verify::<_, C>(rng);
|
||||||
|
|
||||||
|
// Test Schnorr signatures under FROST
|
||||||
|
sign::<_, C>(rng);
|
||||||
|
sign_with_offset::<_, C>(rng);
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue