absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-12 14:09:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
55e845fe12353f6ef8027fa1c7955c517956d064
serai/crypto/frost/src/tests/mod.rs

305 lines
9.7 KiB
Rust
Raw Normal View History

Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
use std::collections::HashMap;
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
Move verify_share to return batch-verifiable statements While the previous construction achieved n/2 average detection, this will run in log2(n). Unfortunately, the need to keep entropy around (or take in an RNG here) remains.
2022-12-13 20:25:32 -05:00
use rand_core::{RngCore, CryptoRng};
Update FROST signing to match the IETF draft Modernizes dependencies
2022-04-23 03:49:30 -04:00
Smash the singular `Ciphersuite` trait into multiple This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
2025-09-03 12:25:37 -04:00
use ciphersuite::{GroupIo, Id};
Have modular-frost compile again
2025-08-18 01:54:52 -04:00
pub use dkg_recovery::recover_key;
Remove Monero's test FROST file in favor of FROST"s exposed test files Moves private key recovery for given keys into FROST.
2022-05-30 16:37:51 -04:00
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
use crate::{
Add dealer key generation crate
2025-08-18 02:13:12 -04:00
Curve, Participant, ThresholdKeys, FrostError,
Make Schnorr modular to its transcript
2023-03-07 05:30:21 -05:00
algorithm::{Algorithm, Hram, IetfSchnorr},
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
sign::{Writable, PreprocessMachine, SignMachine, SignatureMachine, AlgorithmMachine},
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
};
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
/// Tests for the nonce handling code.
pub mod nonces;
Remove DLEq proofs from CLSAG multisig 1) Removes the key image DLEq on the Monero side of things, as the produced signature share serves as a DLEq for it. 2) Removes the nonce DLEqs from modular-frost as they're unnecessary for monero-serai. Updates documentation accordingly. Without the proof the nonces are internally consistent, the produced signatures from modular-frost can be argued as a batch-verifiable CP93 DLEq (R0, R1, s), or as a GSP for the CP93 DLEq statement (which naturally produces (R0, R1, s)). The lack of proving the nonces consistent does make the process weaker, yet it's also unnecessary for the class of protocols this is intended to service. To provide DLEqs for the nonces would be to provide PoKs for the nonce commitments (in the traditional Schnorr case).
2024-04-21 22:50:07 -04:00
use nonces::test_multi_nonce;
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
Add further FROST documentation
2022-09-29 06:02:43 -04:00
/// Vectorized test suite to ensure consistency.
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
pub mod vectors;
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
// Literal test definitions to run during `cargo test`
#[cfg(test)]
mod literal;
Update to FROST v10 Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
/// Constant amount of participants to use when testing.
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
pub const PARTICIPANTS: u16 = 5;
Update to FROST v10 Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
/// Constant threshold of participants to use when signing.
Implement MuSig key aggregation into DKG Isn't spec compliant due to the lack of a spec to be compliant too. Slight deviation from the paper by using a unique list instead of a multiset. Closes #186, progresses #277.
2023-05-10 06:25:40 -04:00
pub const THRESHOLD: u16 = ((PARTICIPANTS * 2) / 3) + 1;
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
Have modular-frost compile again
2025-08-18 01:54:52 -04:00
/// Create a key, for testing purposes.
Smash the singular `Ciphersuite` trait into multiple This helps identify where the various functionalities are used, or rather, not used. The `Ciphersuite` trait present in `patches/ciphersuite`, facilitating the entire FCMP++ tree, only requires the markers _and_ canonical point decoding. I've opened a PR to upstream such a trait into `group` (https://github.com/zkcrypto/group/pull/68). `WrappedGroup` is still justified for as long as `Group::generator` exists. Moving `::generator()` to its own trait, on an independent structure (upstream) would be massively appreciated. @tarcieri also wanted to update from `fn generator()` to `const GENERATOR`, which would encourage further discussion on https://github.com/zkcrypto/group/issues/32 and https://github.com/zkcrypto/group/issues/45, which have been stagnant. The `Id` trait is occasionally used yet really should be first off the chopping block. Finally, `WithPreferredHash` is only actually used around a third of the time, which more than justifies it being a separate trait. --- Updates `dalek_ff_group::Scalar` to directly re-export `curve25519_dalek::Scalar`, as without issue. `dalek_ff_group::RistrettoPoint` also could be replaced with an export of `curve25519_dalek::RistrettoPoint`, yet the coordinator relies on how we implemented `Hash` on it for the hell of it so it isn't worth it at this time. `dalek_ff_group::EdwardsPoint` can't be replaced for an re-export of `curve25519_dalek::SubgroupPoint` as it doesn't implement `zeroize`, `subtle` traits within a released, non-yanked version. Relevance to https://github.com/serai-dex/serai/issues/201 and https://github.com/dalek-cryptography/curve25519-dalek/issues/811#issuecomment-3247732746. Also updates the `Ristretto` ciphersuite to prefer `Blake2b-512` over `SHA2-512`. In order to maintain compliance with FROST's IETF standard, `modular-frost` defines its own ciphersuite for Ristretto which still uses `SHA2-512`.
2025-09-03 12:25:37 -04:00
pub fn key_gen<R: RngCore + CryptoRng, C: GroupIo + Id>(
Have modular-frost compile again
2025-08-18 01:54:52 -04:00
rng: &mut R,
) -> HashMap<Participant, ThresholdKeys<C>> {
Add dealer key generation crate
2025-08-18 02:13:12 -04:00
let res = dkg_dealer::key_gen::<R, C>(rng, THRESHOLD, PARTICIPANTS).unwrap();
assert_eq!(
C::generator() * *recover_key(&res.values().cloned().collect::<Vec<_>>()).unwrap(),
res.values().next().unwrap().group_key()
);
Have modular-frost compile again
2025-08-18 01:54:52 -04:00
res
}
Update to FROST v10 Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
/// Clone a map without a specific value.
Meaningful changes from aggressive-clippy I do want to enable a few specific lints, yet aggressive-clippy as a whole isn't worthwhile.
2023-07-08 11:29:05 -04:00
pub fn clone_without<K: Clone + core::cmp::Eq + core::hash::Hash, V: Clone>(
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
map: &HashMap<K, V>,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
without: &K,
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
) -> HashMap<K, V> {
let mut res = map.clone();
res.remove(without).unwrap();
res
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
}
Update to FROST v10 Further expands documentation to near-completion.
2022-09-29 07:08:20 -04:00
/// Spawn algorithm machines for a random selection of signers, each executing the given algorithm.
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
pub fn algorithm_machines_without_clone<R: RngCore, C: Curve, A: Algorithm<C>>(
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
rng: &mut R,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
keys: &HashMap<Participant, ThresholdKeys<C>>,
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
machines: HashMap<Participant, AlgorithmMachine<C, A>>,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
) -> HashMap<Participant, AlgorithmMachine<C, A>> {
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
let mut included = vec![];
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
while included.len() < usize::from(keys[&Participant::new(1).unwrap()].params().t()) {
let n = Participant::new(
u16::try_from((rng.next_u64() % u64::try_from(keys.len()).unwrap()) + 1).unwrap(),
)
.unwrap();
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
if included.contains(&n) {
continue;
}
included.push(n);
}
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
machines
.into_iter()
.filter_map(|(i, machine)| if included.contains(&i) { Some((i, machine)) } else { None })
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
.collect()
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
}
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
/// Spawn algorithm machines for a random selection of signers, each executing the given algorithm.
pub fn algorithm_machines<R: RngCore, C: Curve, A: Clone + Algorithm<C>>(
rng: &mut R,
algorithm: &A,
keys: &HashMap<Participant, ThresholdKeys<C>>,
) -> HashMap<Participant, AlgorithmMachine<C, A>> {
algorithm_machines_without_clone(
rng,
keys,
keys
.values()
.map(|keys| (keys.params().i(), AlgorithmMachine::new(algorithm.clone(), keys.clone())))
.collect(),
)
}
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
// Run the preprocess step
pub(crate) fn preprocess<
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
R: RngCore + CryptoRng,
M: PreprocessMachine,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
F: FnMut(&mut R, &mut HashMap<Participant, M::SignMachine>),
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
>(
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
rng: &mut R,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
mut machines: HashMap<Participant, M>,
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
mut cache: F,
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
) -> (HashMap<Participant, M::SignMachine>, HashMap<Participant, M::Preprocess>) {
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
let mut commitments = HashMap::new();
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
let mut machines = machines
.drain()
.map(|(i, machine)| {
let (machine, preprocess) = machine.preprocess(rng);
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
commitments.insert(i, {
let mut buf = vec![];
preprocess.write(&mut buf).unwrap();
machine.read_preprocess::<&[u8]>(&mut buf.as_ref()).unwrap()
});
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
(i, machine)
})
.collect::<HashMap<_, _>>();
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
cache(rng, &mut machines);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
(machines, commitments)
}
// Run the preprocess and generate signature shares
#[allow(clippy::type_complexity)]
pub(crate) fn preprocess_and_shares<
R: RngCore + CryptoRng,
M: PreprocessMachine,
F: FnMut(&mut R, &mut HashMap<Participant, M::SignMachine>),
>(
rng: &mut R,
machines: HashMap<Participant, M>,
cache: F,
msg: &[u8],
) -> (
HashMap<Participant, <M::SignMachine as SignMachine<M::Signature>>::SignatureMachine>,
HashMap<Participant, <M::SignMachine as SignMachine<M::Signature>>::SignatureShare>,
) {
let (mut machines, commitments) = preprocess(rng, machines, cache);
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
let mut shares = HashMap::new();
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
let machines = machines
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
.drain()
.map(|(i, machine)| {
let (machine, share) = machine.sign(clone_without(&commitments, &i), msg).unwrap();
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
shares.insert(i, {
let mut buf = vec![];
share.write(&mut buf).unwrap();
machine.read_share::<&[u8]>(&mut buf.as_ref()).unwrap()
});
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
(i, machine)
})
.collect::<HashMap<_, _>>();
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
(machines, shares)
}
fn sign_internal<
R: RngCore + CryptoRng,
M: PreprocessMachine,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
F: FnMut(&mut R, &mut HashMap<Participant, M::SignMachine>),
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
>(
rng: &mut R,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
machines: HashMap<Participant, M>,
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
cache: F,
msg: &[u8],
) -> M::Signature {
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
let (mut machines, shares) = preprocess_and_shares(rng, machines, cache, msg);
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
let mut signature = None;
Enforce FROST StateMachine progression via the type system A comment on the matter was made in https://github.com/serai-dex/serai/issues/12. While I do believe the API is slightly worse, I appreciate the explicitness.
2022-06-24 08:40:14 -04:00
for (i, machine) in machines.drain() {
let sig = machine.complete(clone_without(&shares, &i)).unwrap();
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
if signature.is_none() {
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
signature = Some(sig.clone());
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
}
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
assert_eq!(&sig, signature.as_ref().unwrap());
Move FROST to HashMaps Honestly, the borrowed keys are frustrating, and this probably reduces performance while no longer offering an order when iterating. That said, they enable full u16 indexing and should mildly improve the API. Cleans the Proof of Knowledge handling present in key gen.
2022-05-24 21:41:14 -04:00
}
Start modularizing FROST tests as per https://github.com/serai-dex/serai/issues/9
2022-05-25 00:28:57 -04:00
signature.unwrap()
Initial commit Combines the existing frost-rs, dalek-ff-group, and monero-rs repos into a monorepo. Makes tweaks necessary as needed. Replaces RedDSA (which was going to be stubbed out into a new folder for now) with an offset system that voids its need and allows stealth addresses with CLSAG.
2022-04-21 21:36:18 -04:00
}
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
/// Execute the signing protocol, without caching any machines. This isn't as comprehensive at
/// testing as sign, and accordingly isn't preferred, yet is usable for machines not supporting
/// caching.
pub fn sign_without_caching<R: RngCore + CryptoRng, M: PreprocessMachine>(
rng: &mut R,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
machines: HashMap<Participant, M>,
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
msg: &[u8],
) -> M::Signature {
sign_internal(rng, machines, |_, _| {}, msg)
}
/// Execute the signing protocol, randomly caching various machines to ensure they can cache
/// successfully.
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
pub fn sign_without_clone<R: RngCore + CryptoRng, M: PreprocessMachine>(
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
rng: &mut R,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
mut keys: HashMap<Participant, <M::SignMachine as SignMachine<M::Signature>>::Keys>,
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
mut params: HashMap<Participant, <M::SignMachine as SignMachine<M::Signature>>::Params>,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
machines: HashMap<Participant, M>,
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
msg: &[u8],
) -> M::Signature {
sign_internal(
rng,
machines,
|rng, machines| {
// Cache and rebuild half of the machines
Add workspace lints
2023-12-16 20:54:24 -05:00
let included = machines.keys().copied().collect::<Vec<_>>();
Meaningful changes from aggressive-clippy I do want to enable a few specific lints, yet aggressive-clippy as a whole isn't worthwhile.
2023-07-08 11:29:05 -04:00
for i in included {
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
if (rng.next_u64() % 2) == 0 {
let cache = machines.remove(&i).unwrap().cache();
machines.insert(
i,
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
M::SignMachine::from_cache(params.remove(&i).unwrap(), keys.remove(&i).unwrap(), cache)
.0,
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
);
}
}
},
msg,
)
}
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
Remove Clone from ClsagMultisigMask{Sender, Receiver} This had ill-defined properties on Clone, as a mask could be sent multiple times (unintended) and multiple algorithms may receive the same mask from a singular sender. Requires removing the Clone bound within modular-frost and expanding the test helpers accordingly. This was not raised in the audit yet upon independent review.
2025-07-23 15:13:27 -04:00
/// Execute the signing protocol, randomly caching various machines to ensure they can cache
/// successfully.
pub fn sign<
R: RngCore + CryptoRng,
M: PreprocessMachine<SignMachine: SignMachine<M::Signature, Params: Clone>>,
>(
rng: &mut R,
params: &<M::SignMachine as SignMachine<M::Signature>>::Params,
keys: HashMap<Participant, <M::SignMachine as SignMachine<M::Signature>>::Keys>,
machines: HashMap<Participant, M>,
msg: &[u8],
) -> M::Signature {
let params = keys.keys().map(|i| (*i, params.clone())).collect();
sign_without_clone(rng, keys, params, machines, msg)
}
Implement MuSig key aggregation into DKG Isn't spec compliant due to the lack of a spec to be compliant too. Slight deviation from the paper by using a unique list instead of a multiset. Closes #186, progresses #277.
2023-05-10 06:25:40 -04:00
/// Test a basic Schnorr signature with the provided keys.
pub fn test_schnorr_with_keys<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(
rng: &mut R,
Further expand clippy workspace lints Achieves a notable amount of reduced async and clones.
2023-12-17 00:01:41 -05:00
keys: &HashMap<Participant, ThresholdKeys<C>>,
Implement MuSig key aggregation into DKG Isn't spec compliant due to the lack of a spec to be compliant too. Slight deviation from the paper by using a unique list instead of a multiset. Closes #186, progresses #277.
2023-05-10 06:25:40 -04:00
) {
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
const MSG: &[u8] = b"Hello, World!";
Further expand clippy workspace lints Achieves a notable amount of reduced async and clones.
2023-12-17 00:01:41 -05:00
let machines = algorithm_machines(&mut *rng, &IetfSchnorr::<C, H>::ietf(), keys);
let sig = sign(&mut *rng, &IetfSchnorr::<C, H>::ietf(), keys.clone(), machines, MSG);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
let group_key = keys[&Participant::new(1).unwrap()].group_key();
assert!(sig.verify(group_key, H::hram(&sig.R, &group_key, MSG)));
}
Implement MuSig key aggregation into DKG Isn't spec compliant due to the lack of a spec to be compliant too. Slight deviation from the paper by using a unique list instead of a multiset. Closes #186, progresses #277.
2023-05-10 06:25:40 -04:00
/// Test a basic Schnorr signature.
pub fn test_schnorr<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(rng: &mut R) {
let keys = key_gen(&mut *rng);
Further expand clippy workspace lints Achieves a notable amount of reduced async and clones.
2023-12-17 00:01:41 -05:00
test_schnorr_with_keys::<_, _, H>(&mut *rng, &keys)
Implement MuSig key aggregation into DKG Isn't spec compliant due to the lack of a spec to be compliant too. Slight deviation from the paper by using a unique list instead of a multiset. Closes #186, progresses #277.
2023-05-10 06:25:40 -04:00
}
Fully document crypto/
2023-03-20 20:10:00 -04:00
/// Test an offset Schnorr signature.
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
pub fn test_offset_schnorr<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(rng: &mut R) {
const MSG: &[u8] = b"Hello, World!";
let mut keys = key_gen(&mut *rng);
let group_key = keys[&Participant::new(1).unwrap()].group_key();
Extend modular-frost to test with scaled and offset keys The transcript transcripted the group key _plus_ the offset, when it should've only transcripted the group key as the declared group key already had the offset applied. This has been fixed.
2025-08-15 21:16:23 -04:00
let scalar = C::F::from(3);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
let offset = C::F::from(5);
Extend modular-frost to test with scaled and offset keys The transcript transcripted the group key _plus_ the offset, when it should've only transcripted the group key as the declared group key already had the offset applied. This has been fixed.
2025-08-15 21:16:23 -04:00
let offset_key = (group_key * scalar) + (C::generator() * offset);
Meaningful changes from aggressive-clippy I do want to enable a few specific lints, yet aggressive-clippy as a whole isn't worthwhile.
2023-07-08 11:29:05 -04:00
for keys in keys.values_mut() {
Extend modular-frost to test with scaled and offset keys The transcript transcripted the group key _plus_ the offset, when it should've only transcripted the group key as the declared group key already had the offset applied. This has been fixed.
2025-08-15 21:16:23 -04:00
*keys = keys.clone().scale(scalar).unwrap().offset(offset);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
assert_eq!(keys.group_key(), offset_key);
}
Further expand clippy workspace lints Achieves a notable amount of reduced async and clones.
2023-12-17 00:01:41 -05:00
let machines = algorithm_machines(&mut *rng, &IetfSchnorr::<C, H>::ietf(), &keys);
let sig = sign(&mut *rng, &IetfSchnorr::<C, H>::ietf(), keys.clone(), machines, MSG);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
let group_key = keys[&Participant::new(1).unwrap()].group_key();
assert!(sig.verify(offset_key, H::hram(&sig.R, &group_key, MSG)));
}
Fully document crypto/
2023-03-20 20:10:00 -04:00
/// Test blame for an invalid Schnorr signature share.
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
pub fn test_schnorr_blame<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(rng: &mut R) {
const MSG: &[u8] = b"Hello, World!";
let keys = key_gen(&mut *rng);
Further expand clippy workspace lints Achieves a notable amount of reduced async and clones.
2023-12-17 00:01:41 -05:00
let machines = algorithm_machines(&mut *rng, &IetfSchnorr::<C, H>::ietf(), &keys);
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
let (mut machines, shares) = preprocess_and_shares(&mut *rng, machines, |_, _| {}, MSG);
for (i, machine) in machines.drain() {
let mut shares = clone_without(&shares, &i);
// Select a random participant to give an invalid share
let participants = shares.keys().collect::<Vec<_>>();
let faulty = *participants
[usize::try_from(rng.next_u64() % u64::try_from(participants.len()).unwrap()).unwrap()];
shares.get_mut(&faulty).unwrap().invalidate();
assert_eq!(machine.complete(shares).err(), Some(FrostError::InvalidShare(faulty)));
}
}
Fully document crypto/
2023-03-20 20:10:00 -04:00
/// Run a variety of tests against a ciphersuite.
3.6.9 Add several tests to the FROST library Offset signing is now tested. Multi-nonce algorithms are now tested. Multi-generator nonce algorithms are now tested. More fault cases are now tested as well.
2023-03-01 08:02:45 -05:00
pub fn test_ciphersuite<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(rng: &mut R) {
test_schnorr::<R, C, H>(rng);
test_offset_schnorr::<R, C, H>(rng);
test_schnorr_blame::<R, C, H>(rng);
test_multi_nonce::<R, C>(rng);
}
Reference in New Issue Copy Permalink