mirror of
https://github.com/serai-dex/serai.git
synced 2024-12-25 13:09:30 +00:00
af86b7a499
* Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
86 lines
2.3 KiB
Rust
86 lines
2.3 KiB
Rust
use ethereum_serai::crypto::*;
|
|
use frost::curve::Secp256k1;
|
|
use k256::{
|
|
elliptic_curve::{bigint::ArrayEncoding, ops::Reduce, sec1::ToEncodedPoint},
|
|
ProjectivePoint, Scalar, U256,
|
|
};
|
|
|
|
#[test]
|
|
fn test_ecrecover() {
|
|
use k256::ecdsa::{
|
|
recoverable::Signature,
|
|
signature::{Signer, Verifier},
|
|
SigningKey, VerifyingKey,
|
|
};
|
|
use rand_core::OsRng;
|
|
|
|
let private = SigningKey::random(&mut OsRng);
|
|
let public = VerifyingKey::from(&private);
|
|
|
|
const MESSAGE: &'static [u8] = b"Hello, World!";
|
|
let sig: Signature = private.sign(MESSAGE);
|
|
public.verify(MESSAGE, &sig).unwrap();
|
|
|
|
assert_eq!(
|
|
ecrecover(hash_to_scalar(MESSAGE), sig.as_ref()[64], *sig.r(), *sig.s()).unwrap(),
|
|
address(&ProjectivePoint::from(public))
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn test_signing() {
|
|
use frost::{
|
|
algorithm::Schnorr,
|
|
tests::{algorithm_machines, key_gen, sign},
|
|
};
|
|
use rand_core::OsRng;
|
|
|
|
let keys = key_gen::<_, Secp256k1>(&mut OsRng);
|
|
let _group_key = keys[&1].group_key();
|
|
|
|
const MESSAGE: &'static [u8] = b"Hello, World!";
|
|
|
|
let algo = Schnorr::<Secp256k1, EthereumHram>::new();
|
|
let _sig = sign(
|
|
&mut OsRng,
|
|
algo.clone(),
|
|
keys.clone(),
|
|
algorithm_machines(&mut OsRng, Schnorr::<Secp256k1, EthereumHram>::new(), &keys),
|
|
MESSAGE,
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn test_ecrecover_hack() {
|
|
use frost::{
|
|
algorithm::Schnorr,
|
|
tests::{algorithm_machines, key_gen, sign},
|
|
};
|
|
use rand_core::OsRng;
|
|
|
|
let keys = key_gen::<_, Secp256k1>(&mut OsRng);
|
|
let group_key = keys[&1].group_key();
|
|
let group_key_encoded = group_key.to_encoded_point(true);
|
|
let group_key_compressed = group_key_encoded.as_ref();
|
|
let group_key_x = Scalar::from_uint_reduced(U256::from_be_slice(&group_key_compressed[1 .. 33]));
|
|
|
|
const MESSAGE: &'static [u8] = b"Hello, World!";
|
|
let hashed_message = keccak256(MESSAGE);
|
|
let chain_id = U256::ONE;
|
|
|
|
let full_message = &[chain_id.to_be_byte_array().as_slice(), &hashed_message].concat();
|
|
|
|
let algo = Schnorr::<Secp256k1, EthereumHram>::new();
|
|
let sig = sign(
|
|
&mut OsRng,
|
|
algo.clone(),
|
|
keys.clone(),
|
|
algorithm_machines(&mut OsRng, algo, &keys),
|
|
full_message,
|
|
);
|
|
|
|
let (sr, er) =
|
|
preprocess_signature_for_ecrecover(hashed_message, &sig.R, sig.s, &group_key, chain_id);
|
|
let q = ecrecover(sr, group_key_compressed[0] - 2, group_key_x, er).unwrap();
|
|
assert_eq!(q, address(&sig.R));
|
|
}
|