absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 12:19:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6a15b21949e7ca7a177d7c06a7ae65ddda2429c1
serai/crypto/frost/src/tests/vectors.rs

398 lines
13 KiB
Rust
Raw Normal View History

Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
use core::ops::Deref;
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
use std::collections::HashMap;
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
#[cfg(test)]
use std::str::FromStr;
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
use zeroize::Zeroizing;
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
use rand_core::{RngCore, CryptoRng, SeedableRng};
use rand_chacha::ChaCha20Rng;
Add support for Ristretto Replaces P-256 as the curve used for testing FROST.
2022-06-06 04:22:49 -04:00
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
use group::{ff::PrimeField, GroupEncoding};
Re-organize testing strategy and document Ciphersuite::hash_to_F.
2022-12-24 17:08:22 -05:00
use dkg::tests::key_gen;
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor
2022-10-29 03:54:42 -05:00
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
use crate::{
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
curve::Curve,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
Participant, ThresholdCore, ThresholdKeys, FrostError,
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
algorithm::{IetfTranscript, Schnorr, Hram},
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
sign::{
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
Writable, Nonce, GeneratorCommitments, NonceCommitments, Commitments, Preprocess,
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
PreprocessMachine, SignMachine, SignatureMachine, AlgorithmMachine,
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
},
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
tests::{clone_without, recover_key, algorithm_machines, commit_and_shares, sign},
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
};
pub struct Vectors {
pub threshold: u16,
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
pub group_secret: String,
pub group_key: String,
pub shares: Vec<String>,
pub msg: String,
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
pub included: Vec<Participant>,
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
pub nonce_randomness: Vec<[String; 2]>,
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
pub nonces: Vec<[String; 2]>,
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
pub commitments: Vec<[String; 2]>,
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
pub sig_shares: Vec<String>,
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
pub sig: String,
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
}
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
#[cfg(test)]
impl From<serde_json::Value> for Vectors {
fn from(value: serde_json::Value) -> Vectors {
Fill out Cargo.tomls Updated missing fields/sections, even if some won't be used, to standardize. Also made FROST tests feature-gated.
2022-10-15 23:46:22 -04:00
let to_str = |value: &serde_json::Value| value.as_str().unwrap().to_string();
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
Vectors {
threshold: u16::from_str(value["config"]["NUM_PARTICIPANTS"].as_str().unwrap()).unwrap(),
group_secret: to_str(&value["inputs"]["group_secret_key"]),
group_key: to_str(&value["inputs"]["group_public_key"]),
shares: value["inputs"]["participants"]
.as_object()
.unwrap()
.values()
.map(|share| to_str(&share["participant_share"]))
.collect(),
msg: to_str(&value["inputs"]["message"]),
included: to_str(&value["round_one_outputs"]["participant_list"])
Run latest nightly clippy Also runs clippy on the tests and updates the CI accordingly
2023-01-01 04:18:23 -05:00
.split(',')
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
.map(u16::from_str)
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
.collect::<Result<Vec<_>, _>>()
.unwrap()
.iter()
.map(|i| Participant::new(*i).unwrap())
.collect(),
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
nonce_randomness: value["round_one_outputs"]["participants"]
.as_object()
.unwrap()
.values()
.map(|value| {
[to_str(&value["hiding_nonce_randomness"]), to_str(&value["binding_nonce_randomness"])]
})
.collect(),
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
nonces: value["round_one_outputs"]["participants"]
.as_object()
.unwrap()
.values()
.map(|value| [to_str(&value["hiding_nonce"]), to_str(&value["binding_nonce"])])
.collect(),
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
commitments: value["round_one_outputs"]["participants"]
.as_object()
.unwrap()
.values()
.map(|value| {
[to_str(&value["hiding_nonce_commitment"]), to_str(&value["binding_nonce_commitment"])]
})
.collect(),
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
sig_shares: value["round_two_outputs"]["participants"]
.as_object()
.unwrap()
.values()
.map(|value| to_str(&value["sig_share"]))
.collect(),
sig: to_str(&value["final_output"]["sig"]),
}
}
}
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor
2022-10-29 03:54:42 -05:00
// Load these vectors into ThresholdKeys using a custom serialization it'll deserialize
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<Participant, ThresholdKeys<C>> {
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
let shares = vectors
.shares
.iter()
Create dedicated message structures for FROST messages (#140) * Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2022-10-25 23:17:25 -05:00
.map(|secret| C::read_F::<&[u8]>(&mut hex::decode(secret).unwrap().as_ref()).unwrap())
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
.collect::<Vec<_>>();
Use a non-constant generator in FROST
2022-08-13 05:07:07 -04:00
let verification_shares = shares.iter().map(|secret| C::generator() * secret).collect::<Vec<_>>();
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
let mut keys = HashMap::new();
for i in 1 ..= u16::try_from(shares.len()).unwrap() {
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor
2022-10-29 03:54:42 -05:00
// Manually re-implement the serialization for ThresholdCore to import this data
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
let mut serialized = vec![];
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
serialized.extend(u32::try_from(C::ID.len()).unwrap().to_le_bytes());
Use const values for our traits where we can
2022-06-03 23:22:08 -04:00
serialized.extend(C::ID);
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
serialized.extend(vectors.threshold.to_le_bytes());
serialized.extend(u16::try_from(shares.len()).unwrap().to_le_bytes());
serialized.extend(i.to_le_bytes());
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
serialized.extend(shares[usize::from(i) - 1].to_repr().as_ref());
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
for share in &verification_shares {
Use GroupEncoding instead of Curve's from_slice/to_bytes Increases usage of standardization while expanding dalek_ff_group. Closes https://github.com/serai-dex/serai/issues/26 by moving dfg::EdwardsPoint to only be for the prime subgroup.
2022-06-28 01:25:26 -04:00
serialized.extend(share.to_bytes().as_ref());
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
}
Create a dedicated crate for the DKG (#141) * Add dkg crate * Remove F_len and G_len They're generally no longer used. * Replace hash_to_vec with a provided method around associated type H: Digest Part of trying to minimize this trait so it can be moved elsewhere. Vec, which isn't std, may have been a blocker. * Encrypt secret shares within the FROST library Reduces requirements on callers in order to be correct. * Update usage of Zeroize within FROST * Inline functions in key_gen There was no reason to have them separated as they were. sign probably has the same statement available, yet that isn't the focus right now. * Add a ciphersuite package which provides hash_to_F * Set the Ciphersuite version to something valid * Have ed448 export Scalar/FieldElement/Point at the top level * Move FROST over to Ciphersuite * Correct usage of ff in ciphersuite * Correct documentation handling * Move Schnorr signatures to their own crate * Remove unused feature from schnorr * Fix Schnorr tests * Split DKG into a separate crate * Add serialize to Commitments and SecretShare Helper for buf = vec![]; .write(buf).unwrap(); buf * Move FROST over to the new dkg crate * Update Monero lib to latest FROST * Correct ethereum's usage of features * Add serialize to GeneratorProof * Add serialize helper function to FROST * Rename AddendumSerialize to WriteAddendum * Update processor * Slight fix to processor
2022-10-29 03:54:42 -05:00
let these_keys = ThresholdCore::<C>::deserialize::<&[u8]>(&mut serialized.as_ref()).unwrap();
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
assert_eq!(these_keys.params().t(), vectors.threshold);
assert_eq!(usize::from(these_keys.params().n()), shares.len());
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
let participant = Participant::new(i).unwrap();
assert_eq!(these_keys.params().i(), participant);
Fix https://github.com/serai-dex/serai/issues/150
2022-11-10 22:35:09 -05:00
assert_eq!(these_keys.secret_share().deref(), &shares[usize::from(i - 1)]);
Update to FROST v11 Ensures random functions never return zero. This, combined with a check commitments aren't 0, causes no serialized elements to be 0. Also directly reads their vectors.
2022-10-13 00:38:36 -04:00
assert_eq!(hex::encode(these_keys.group_key().to_bytes().as_ref()), vectors.group_key);
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
keys.insert(participant, ThresholdKeys::new(these_keys));
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
}
keys
}
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
pub fn test_with_vectors<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(
rng: &mut R,
vectors: Vectors,
) {
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
// Test a basic Schnorr signature
{
let keys = key_gen(&mut *rng);
let machines = algorithm_machines(&mut *rng, Schnorr::<C, H>::new(), &keys);
const MSG: &[u8] = b"Hello, World!";
let sig = sign(&mut *rng, Schnorr::<C, H>::new(), keys.clone(), machines, MSG);
3.3.3 (cont) Add a dedicated Participant type
2023-02-23 06:50:45 -05:00
let group_key = keys[&Participant::new(1).unwrap()].group_key();
assert!(sig.verify(group_key, H::hram(&sig.R, &group_key, MSG)));
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I *could* have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor
2022-12-08 19:04:35 -05:00
}
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
// Test blame on an invalid Schnorr signature share
{
let keys = key_gen(&mut *rng);
let machines = algorithm_machines(&mut *rng, Schnorr::<C, H>::new(), &keys);
const MSG: &[u8] = b"Hello, World!";
let (mut machines, mut shares) = commit_and_shares(&mut *rng, machines, |_, _| {}, MSG);
Run latest nightly clippy Also runs clippy on the tests and updates the CI accordingly
2023-01-01 04:18:23 -05:00
let faulty = *shares.keys().next().unwrap();
DKG Blame (#196) * Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00
shares.get_mut(&faulty).unwrap().invalidate();
for (i, machine) in machines.drain() {
if i == faulty {
continue;
}
assert_eq!(
machine.complete(clone_without(&shares, &i)).err(),
Some(FrostError::InvalidShare(faulty))
);
}
}
Add support for Ristretto Replaces P-256 as the curve used for testing FROST.
2022-06-06 04:22:49 -04:00
// Test against the vectors
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
let keys = vectors_to_multisig_keys::<C>(&vectors);
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
{
let group_key =
<C as Curve>::read_G::<&[u8]>(&mut hex::decode(&vectors.group_key).unwrap().as_ref())
.unwrap();
let secret =
C::read_F::<&[u8]>(&mut hex::decode(&vectors.group_secret).unwrap().as_ref()).unwrap();
assert_eq!(C::generator() * secret, group_key);
assert_eq!(recover_key(&keys), secret);
let mut machines = vec![];
for i in &vectors.included {
machines.push((i, AlgorithmMachine::new(Schnorr::<C, H>::new(), keys[i].clone()).unwrap()));
}
let mut commitments = HashMap::new();
let mut machines = machines
.drain(..)
.enumerate()
.map(|(c, (i, machine))| {
let nonce = |i| {
Zeroizing::new(
C::read_F::<&[u8]>(&mut hex::decode(&vectors.nonces[c][i]).unwrap().as_ref()).unwrap(),
)
};
let nonces = [nonce(0), nonce(1)];
let these_commitments =
[C::generator() * nonces[0].deref(), C::generator() * nonces[1].deref()];
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
assert_eq!(
these_commitments[0].to_bytes().as_ref(),
hex::decode(&vectors.commitments[c][0]).unwrap()
);
assert_eq!(
these_commitments[1].to_bytes().as_ref(),
hex::decode(&vectors.commitments[c][1]).unwrap()
);
let preprocess = Preprocess {
commitments: Commitments {
nonces: vec![NonceCommitments {
generators: vec![GeneratorCommitments(these_commitments)],
}],
dleq: None,
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
},
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
addendum: (),
};
// FROST doesn't specify how to serialize these together, yet this is sane
// (and the simplest option)
assert_eq!(
preprocess.serialize(),
hex::decode(vectors.commitments[c][0].clone() + &vectors.commitments[c][1]).unwrap()
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
);
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
let machine = machine.unsafe_override_preprocess(vec![Nonce(nonces)], preprocess);
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
commitments.insert(
*i,
machine
.read_preprocess::<&[u8]>(
&mut [
these_commitments[0].to_bytes().as_ref(),
these_commitments[1].to_bytes().as_ref(),
]
.concat()
.as_ref(),
)
.unwrap(),
);
(i, machine)
})
.collect::<Vec<_>>();
let mut shares = HashMap::new();
let mut machines = machines
.drain(..)
.enumerate()
.map(|(c, (i, machine))| {
let (machine, share) = machine
.sign(clone_without(&commitments, i), &hex::decode(&vectors.msg).unwrap())
.unwrap();
let share = {
let mut buf = vec![];
share.write(&mut buf).unwrap();
buf
};
assert_eq!(share, hex::decode(&vectors.sig_shares[c]).unwrap());
shares.insert(*i, machine.read_share::<&[u8]>(&mut share.as_ref()).unwrap());
(i, machine)
})
.collect::<HashMap<_, _>>();
for (i, machine) in machines.drain() {
let sig = machine.complete(clone_without(&shares, i)).unwrap();
let mut serialized = sig.R.to_bytes().as_ref().to_vec();
serialized.extend(sig.s.to_repr().as_ref());
assert_eq!(hex::encode(serialized), vectors.sig);
}
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
}
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
// The above code didn't test the nonce generation due to the infeasibility of doing so against
// the current codebase
// A transparent RNG which has a fixed output
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
struct TransparentRng(Vec<[u8; 32]>);
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
impl RngCore for TransparentRng {
fn next_u32(&mut self) -> u32 {
unimplemented!()
}
fn next_u64(&mut self) -> u64 {
unimplemented!()
}
fn fill_bytes(&mut self, dest: &mut [u8]) {
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
dest.copy_from_slice(&self.0.remove(0))
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
}
fn try_fill_bytes(&mut self, _: &mut [u8]) -> Result<(), rand_core::Error> {
unimplemented!()
}
}
// CryptoRng requires the output not reveal any info about any other outputs
// Since this only will produce one output, this is actually met, even though it'd be fine to
// fake it as this is a test
impl CryptoRng for TransparentRng {}
// Test C::random_nonce matches the expected vectors
for (i, l) in vectors.included.iter().enumerate() {
let l = usize::from(u16::from(*l));
// Shares are a zero-indexed array of all participants, hence l - 1
let share = Zeroizing::new(
C::read_F::<&[u8]>(&mut hex::decode(&vectors.shares[l - 1]).unwrap().as_ref()).unwrap(),
);
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
let randomness = vectors.nonce_randomness[i]
.iter()
.map(|randomness| hex::decode(randomness).unwrap().try_into().unwrap())
.collect::<Vec<_>>();
let nonces = vectors.nonces[i]
.iter()
.map(|nonce| {
Zeroizing::new(C::read_F::<&[u8]>(&mut hex::decode(nonce).unwrap().as_ref()).unwrap())
})
.collect::<Vec<_>>();
for (randomness, nonce) in randomness.iter().zip(&nonces) {
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
// Nonces are only present for participating signers, hence i
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
assert_eq!(C::random_nonce(&share, &mut TransparentRng(vec![*randomness])), *nonce);
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
}
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
// Also test it at the Commitments level
let (generated_nonces, commitments) = Commitments::<C>::new::<_, IetfTranscript>(
&mut TransparentRng(randomness),
&share,
&[vec![C::generator()]],
&[],
);
assert_eq!(generated_nonces.len(), 1);
assert_eq!(generated_nonces[0].0, [nonces[0].clone(), nonces[1].clone()]);
let mut commitments_bytes = vec![];
commitments.write(&mut commitments_bytes).unwrap();
assert_eq!(
commitments_bytes,
hex::decode(vectors.commitments[i][0].clone() + &vectors.commitments[i][1]).unwrap()
);
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
}
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
// This doesn't verify C::random_nonce is called correctly, where the code should call it with
// the output from a ChaCha20 stream
// Create a known ChaCha20 stream to verify it ends up at random_nonce properly
{
let mut chacha_seed = [0; 32];
rng.fill_bytes(&mut chacha_seed);
let mut ours = ChaCha20Rng::from_seed(chacha_seed);
let frosts = ours.clone();
// The machines should geenerate a seed, and then use that seed in a ChaCha20 RNG for nonces
let mut preprocess_seed = [0; 32];
ours.fill_bytes(&mut preprocess_seed);
let mut ours = ChaCha20Rng::from_seed(preprocess_seed);
// Get the randomness which will be used
let mut randomness = ([0; 32], [0; 32]);
ours.fill_bytes(&mut randomness.0);
ours.fill_bytes(&mut randomness.1);
// Create the machines
let mut machines = vec![];
for i in &vectors.included {
machines.push((i, AlgorithmMachine::new(Schnorr::<C, H>::new(), keys[i].clone()).unwrap()));
}
for (i, machine) in machines.drain(..) {
let (_, preprocess) = machine.preprocess(&mut frosts.clone());
// Calculate the expected nonces
let mut expected = (C::generator() *
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
C::random_nonce(keys[i].secret_share(), &mut TransparentRng(vec![randomness.0])).deref())
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
.to_bytes()
.as_ref()
.to_vec();
expected.extend(
(C::generator() *
3.6.3 Check commitment encoding Also extends tests of 3.6.2 and so on.
2023-02-28 21:57:18 -05:00
C::random_nonce(keys[i].secret_share(), &mut TransparentRng(vec![randomness.1]))
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
.deref())
.to_bytes()
.as_ref(),
Apply an initial set of rustfmt rules
2022-07-15 01:26:07 -04:00
);
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
3.6.2 Test nonce generation There's two ways which this could be tested. 1) Preprocess not taking in an arbitrary RNG item, yet the relevant bytes This would be an unsafe level of refactoring, in my opinion. 2) Test random_nonce and test the passed in RNG eventually ends up at random_nonce. This takes the latter route, both verifying random_nonce meets the vectors and that the FROST machine calls random_nonce properly.
2023-02-28 02:16:32 -05:00
// Ensure they match
assert_eq!(preprocess.serialize(), expected);
}
Verify being FROST v5 compliant No functional changes have been made to signing, with solely slight API changes being made. Technically not actually FROST v5 compatible, due to differing on zero checks and randomness, yet the vectors do confirm the core algorithm. For any valid FROST implementation, this will be interoperable if they can successfully communicate. For any devious FROST implementation, this will be fingerprintable, yet should still be valid. Relevant to https://github.com/serai-dex/serai/issues/9 as any curve can now specify vectors for itself and be tested against them. Moves the FROST testing curve from k256 to p256. Does not expose p256 despite being compliant. It's not at a point I'm happy with it, notably regarding hash to curve, and I'm not sure I care to support p256. If it has value to the larger FROST ecosystem...
2022-06-03 01:25:46 -04:00
}
}
Reference in New Issue Copy Permalink