mirror of
https://github.com/serai-dex/serai.git
synced 2025-01-26 04:25:57 +00:00
Explicitly add an unspendable script path to the processor's generated keys
This commit is contained in:
parent
9e628d217f
commit
e75c4ec6ed
3 changed files with 37 additions and 0 deletions
1
Cargo.lock
generated
1
Cargo.lock
generated
|
@ -8108,6 +8108,7 @@ dependencies = [
|
||||||
"dkg",
|
"dkg",
|
||||||
"flexible-transcript",
|
"flexible-transcript",
|
||||||
"hex",
|
"hex",
|
||||||
|
"k256",
|
||||||
"log",
|
"log",
|
||||||
"modular-frost",
|
"modular-frost",
|
||||||
"parity-scale-codec",
|
"parity-scale-codec",
|
||||||
|
|
|
@ -24,6 +24,7 @@ scale = { package = "parity-scale-codec", version = "3", default-features = fals
|
||||||
borsh = { version = "1", default-features = false, features = ["std", "derive", "de_strict_order"] }
|
borsh = { version = "1", default-features = false, features = ["std", "derive", "de_strict_order"] }
|
||||||
|
|
||||||
transcript = { package = "flexible-transcript", path = "../../crypto/transcript", default-features = false, features = ["std", "recommended"] }
|
transcript = { package = "flexible-transcript", path = "../../crypto/transcript", default-features = false, features = ["std", "recommended"] }
|
||||||
|
k256 = { version = "0.13", default-features = false, features = ["std"] }
|
||||||
ciphersuite = { path = "../../crypto/ciphersuite", default-features = false, features = ["std", "secp256k1"] }
|
ciphersuite = { path = "../../crypto/ciphersuite", default-features = false, features = ["std", "secp256k1"] }
|
||||||
dkg = { path = "../../crypto/dkg", default-features = false, features = ["std", "evrf-secp256k1"] }
|
dkg = { path = "../../crypto/dkg", default-features = false, features = ["std", "evrf-secp256k1"] }
|
||||||
frost = { package = "modular-frost", path = "../../crypto/frost", default-features = false }
|
frost = { package = "modular-frost", path = "../../crypto/frost", default-features = false }
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
use ciphersuite::{group::GroupEncoding, Ciphersuite, Secp256k1};
|
use ciphersuite::{group::GroupEncoding, Ciphersuite, Secp256k1};
|
||||||
use frost::ThresholdKeys;
|
use frost::ThresholdKeys;
|
||||||
|
|
||||||
|
use bitcoin_serai::bitcoin::{hashes::Hash, TapTweakHash};
|
||||||
|
|
||||||
use crate::{primitives::x_coord_to_even_point, scan::scanner};
|
use crate::{primitives::x_coord_to_even_point, scan::scanner};
|
||||||
|
|
||||||
pub(crate) struct KeyGenParams;
|
pub(crate) struct KeyGenParams;
|
||||||
|
@ -10,6 +12,39 @@ impl key_gen::KeyGenParams for KeyGenParams {
|
||||||
type ExternalNetworkCiphersuite = Secp256k1;
|
type ExternalNetworkCiphersuite = Secp256k1;
|
||||||
|
|
||||||
fn tweak_keys(keys: &mut ThresholdKeys<Self::ExternalNetworkCiphersuite>) {
|
fn tweak_keys(keys: &mut ThresholdKeys<Self::ExternalNetworkCiphersuite>) {
|
||||||
|
/*
|
||||||
|
Offset the keys by their hash to prevent a malicious participant from inserting a script
|
||||||
|
path, as specified in
|
||||||
|
https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-23
|
||||||
|
|
||||||
|
This isn't exactly the same, as we then increment the key until it happens to be even, yet
|
||||||
|
the goal is simply that someone who biases the key-gen can't insert their own script path.
|
||||||
|
By adding the hash of the key to the key, anyone who attempts such bias will change the key
|
||||||
|
used (changing the bias necessary).
|
||||||
|
|
||||||
|
This is also potentially unnecessary for Serai, which uses an eVRF-based DKG. While that can
|
||||||
|
be biased (by manipulating who participates as we use it robustly and only require `t`
|
||||||
|
participants), contributions cannot be arbitrarily defined. That presumably requires
|
||||||
|
performing a search of the possible keys for some collision with 2**128 work. It's better to
|
||||||
|
offset regardless and avoid this question however.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
use k256::elliptic_curve::{
|
||||||
|
bigint::{Encoding, U256},
|
||||||
|
ops::Reduce,
|
||||||
|
};
|
||||||
|
let tweak_hash = TapTweakHash::hash(&keys.group_key().to_bytes().as_slice()[1 ..]);
|
||||||
|
/*
|
||||||
|
https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_ref-13-0 states how the
|
||||||
|
bias is negligible. This reduction shouldn't ever occur, yet if it did, the script path
|
||||||
|
would be unusable due to a check the script path hash is less than the order. That doesn't
|
||||||
|
impact us as we don't want the script path to be usable.
|
||||||
|
*/
|
||||||
|
*keys = keys.offset(<Secp256k1 as Ciphersuite>::F::reduce(U256::from_be_bytes(
|
||||||
|
*tweak_hash.to_raw_hash().as_ref(),
|
||||||
|
)));
|
||||||
|
}
|
||||||
|
|
||||||
*keys = bitcoin_serai::wallet::tweak_keys(keys);
|
*keys = bitcoin_serai::wallet::tweak_keys(keys);
|
||||||
// Also create a scanner to assert these keys, and all expected paths, are usable
|
// Also create a scanner to assert these keys, and all expected paths, are usable
|
||||||
scanner(keys.group_key());
|
scanner(keys.group_key());
|
||||||
|
|
Loading…
Reference in a new issue