2022-11-10 22:35:09 -05:00
|
|
|
use core::{ops::Deref, fmt::Debug};
|
2022-07-15 01:26:07 -04:00
|
|
|
use std::{
|
2022-10-25 23:17:25 -05:00
|
|
|
io::{self, Read, Write},
|
2022-07-15 01:26:07 -04:00
|
|
|
collections::HashMap,
|
|
|
|
|
};
|
2022-04-21 21:36:18 -04:00
|
|
|
|
|
|
|
|
use rand_core::{RngCore, CryptoRng};
|
|
|
|
|
|
2022-11-10 22:35:09 -05:00
|
|
|
use zeroize::Zeroize;
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
|
2022-05-03 07:20:24 -04:00
|
|
|
use transcript::Transcript;
|
|
|
|
|
|
2022-10-25 23:17:25 -05:00
|
|
|
use group::{ff::PrimeField, GroupEncoding};
|
2022-07-12 01:28:01 -04:00
|
|
|
|
2022-05-24 21:41:14 -04:00
|
|
|
use crate::{
|
2022-10-25 23:17:25 -05:00
|
|
|
curve::Curve,
|
2022-10-29 03:54:42 -05:00
|
|
|
FrostError, ThresholdParams, ThresholdKeys, ThresholdView,
|
|
|
|
|
algorithm::{WriteAddendum, Addendum, Algorithm},
|
2022-10-25 23:17:25 -05:00
|
|
|
validate_map,
|
2022-05-24 21:41:14 -04:00
|
|
|
};
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-10-25 23:17:25 -05:00
|
|
|
pub(crate) use crate::nonce::*;
|
|
|
|
|
|
|
|
|
|
/// Trait enabling writing preprocesses and signature shares.
|
|
|
|
|
pub trait Writable {
|
|
|
|
|
fn write<W: Write>(&self, writer: &mut W) -> io::Result<()>;
|
2022-10-29 03:54:42 -05:00
|
|
|
|
|
|
|
|
fn serialize(&self) -> Vec<u8> {
|
|
|
|
|
let mut buf = vec![];
|
|
|
|
|
self.write(&mut buf).unwrap();
|
|
|
|
|
buf
|
|
|
|
|
}
|
2022-10-25 23:17:25 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<T: Writable> Writable for Vec<T> {
|
|
|
|
|
fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
for w in self {
|
|
|
|
|
w.write(writer)?;
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-29 03:54:42 -05:00
|
|
|
/// Pairing of an Algorithm with a ThresholdKeys instance and this specific signing set.
|
2022-10-29 05:10:07 -04:00
|
|
|
#[derive(Clone, Zeroize)]
|
2022-04-21 21:36:18 -04:00
|
|
|
pub struct Params<C: Curve, A: Algorithm<C>> {
|
2022-10-29 05:10:07 -04:00
|
|
|
#[zeroize(skip)]
|
2022-04-21 21:36:18 -04:00
|
|
|
algorithm: A,
|
2022-10-29 03:54:42 -05:00
|
|
|
keys: ThresholdKeys<C>,
|
|
|
|
|
view: ThresholdView<C>,
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<C: Curve, A: Algorithm<C>> Params<C, A> {
|
|
|
|
|
pub fn new(
|
|
|
|
|
algorithm: A,
|
2022-10-29 03:54:42 -05:00
|
|
|
keys: ThresholdKeys<C>,
|
2022-05-24 21:41:14 -04:00
|
|
|
included: &[u16],
|
2022-04-29 15:28:04 -04:00
|
|
|
) -> Result<Params<C, A>, FrostError> {
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
let params = keys.params();
|
|
|
|
|
|
2022-04-21 21:36:18 -04:00
|
|
|
let mut included = included.to_vec();
|
2022-07-22 02:34:36 -04:00
|
|
|
included.sort_unstable();
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-04-30 04:32:19 -04:00
|
|
|
// Included < threshold
|
2022-10-29 03:54:42 -05:00
|
|
|
if included.len() < usize::from(params.t()) {
|
2022-07-13 02:38:29 -04:00
|
|
|
Err(FrostError::InvalidSigningSet("not enough signers"))?;
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
// Invalid index
|
|
|
|
|
if included[0] == 0 {
|
2022-10-29 03:54:42 -05:00
|
|
|
Err(FrostError::InvalidParticipantIndex(included[0], params.n()))?;
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
// OOB index
|
2022-10-29 03:54:42 -05:00
|
|
|
if included[included.len() - 1] > params.n() {
|
|
|
|
|
Err(FrostError::InvalidParticipantIndex(included[included.len() - 1], params.n()))?;
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
// Same signer included multiple times
|
2022-09-29 01:24:33 -05:00
|
|
|
for i in 0 .. (included.len() - 1) {
|
2022-04-21 21:36:18 -04:00
|
|
|
if included[i] == included[i + 1] {
|
2022-07-13 02:38:29 -04:00
|
|
|
Err(FrostError::DuplicatedIndex(included[i]))?;
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Not included
|
2022-10-29 03:54:42 -05:00
|
|
|
if !included.contains(¶ms.i()) {
|
2022-07-13 02:38:29 -04:00
|
|
|
Err(FrostError::InvalidSigningSet("signing despite not being included"))?;
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-04-30 04:32:19 -04:00
|
|
|
// Out of order arguments to prevent additional cloning
|
|
|
|
|
Ok(Params { algorithm, view: keys.view(&included).unwrap(), keys })
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-10-29 03:54:42 -05:00
|
|
|
pub fn multisig_params(&self) -> ThresholdParams {
|
Utilize zeroize (#76)
* Apply Zeroize to nonces used in Bulletproofs
Also makes bit decomposition constant time for a given amount of
outputs.
* Fix nonce reuse for single-signer CLSAG
* Attach Zeroize to most structures in Monero, and ZOnDrop to anything with private data
* Zeroize private keys and nonces
* Merge prepare_outputs and prepare_transactions
* Ensure CLSAG is constant time
* Pass by borrow where needed, bug fixes
The past few commitments have been one in-progress chunk which I've
broken up as best read.
* Add Zeroize to FROST structs
Still needs to zeroize internally, yet next step. Not quite as
aggressive as Monero, partially due to the limitations of HashMaps,
partially due to less concern about metadata, yet does still delete a
few smaller items of metadata (group key, context string...).
* Remove Zeroize from most Monero multisig structs
These structs largely didn't have private data, just fields with private
data, yet those fields implemented ZeroizeOnDrop making them already
covered. While there is still traces of the transaction left in RAM,
fully purging that was never the intent.
* Use Zeroize within dleq
bitvec doesn't offer Zeroize, so a manual zeroing has been implemented.
* Use Zeroize for random_nonce
It isn't perfect, due to the inability to zeroize the digest, and due to
kp256 requiring a few transformations. It does the best it can though.
Does move the per-curve random_nonce to a provided one, which is allowed
as of https://github.com/cfrg/draft-irtf-cfrg-frost/pull/231.
* Use Zeroize on FROST keygen/signing
* Zeroize constant time multiexp.
* Correct when FROST keygen zeroizes
* Move the FROST keys Arc into FrostKeys
Reduces amount of instances in memory.
* Manually implement Debug for FrostCore to not leak the secret share
* Misc bug fixes
* clippy + multiexp test bug fixes
* Correct FROST key gen share summation
It leaked our own share for ourself.
* Fix cross-group DLEq tests
2022-08-03 03:25:18 -05:00
|
|
|
self.keys.params()
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-04-29 15:28:04 -04:00
|
|
|
|
2022-10-29 03:54:42 -05:00
|
|
|
pub fn view(&self) -> ThresholdView<C> {
|
2022-04-29 15:28:04 -04:00
|
|
|
self.view.clone()
|
|
|
|
|
}
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-10-25 23:17:25 -05:00
|
|
|
/// Preprocess for an instance of the FROST signing protocol.
|
2022-10-29 03:54:42 -05:00
|
|
|
#[derive(Clone, PartialEq, Eq)]
|
2022-10-25 23:17:25 -05:00
|
|
|
pub struct Preprocess<C: Curve, A: Addendum> {
|
|
|
|
|
pub(crate) commitments: Commitments<C>,
|
|
|
|
|
pub addendum: A,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<C: Curve, A: Addendum> Writable for Preprocess<C, A> {
|
|
|
|
|
fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
self.commitments.write(writer)?;
|
|
|
|
|
self.addendum.write(writer)
|
|
|
|
|
}
|
2022-07-12 01:28:01 -04:00
|
|
|
}
|
|
|
|
|
|
2022-09-29 07:08:20 -04:00
|
|
|
/// Trait for the initial state machine of a two-round signing protocol.
|
2022-06-24 08:40:14 -04:00
|
|
|
pub trait PreprocessMachine {
|
2022-10-25 23:17:25 -05:00
|
|
|
/// Preprocess message for this machine.
|
|
|
|
|
type Preprocess: Clone + PartialEq + Writable;
|
|
|
|
|
/// Signature produced by this machine.
|
2022-11-10 22:35:09 -05:00
|
|
|
type Signature: Clone + PartialEq + Debug;
|
2022-10-25 23:17:25 -05:00
|
|
|
/// SignMachine this PreprocessMachine turns into.
|
|
|
|
|
type SignMachine: SignMachine<Self::Signature, Preprocess = Self::Preprocess>;
|
2022-04-29 22:36:43 -04:00
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Perform the preprocessing round required in order to sign.
|
2022-10-25 23:17:25 -05:00
|
|
|
/// Returns a preprocess message to be broadcast to all participants, over an authenticated
|
|
|
|
|
/// channel.
|
|
|
|
|
fn preprocess<R: RngCore + CryptoRng>(self, rng: &mut R)
|
|
|
|
|
-> (Self::SignMachine, Self::Preprocess);
|
2022-06-24 08:40:14 -04:00
|
|
|
}
|
|
|
|
|
|
2022-09-29 05:25:29 -04:00
|
|
|
/// State machine which manages signing for an arbitrary signature algorithm.
|
2022-04-29 22:36:43 -04:00
|
|
|
pub struct AlgorithmMachine<C: Curve, A: Algorithm<C>> {
|
2022-07-15 01:26:07 -04:00
|
|
|
params: Params<C, A>,
|
2022-06-24 08:40:14 -04:00
|
|
|
}
|
|
|
|
|
|
2022-04-29 22:36:43 -04:00
|
|
|
impl<C: Curve, A: Algorithm<C>> AlgorithmMachine<C, A> {
|
2022-09-29 05:25:29 -04:00
|
|
|
/// Creates a new machine to generate a signature with the specified keys.
|
2022-04-29 22:36:43 -04:00
|
|
|
pub fn new(
|
|
|
|
|
algorithm: A,
|
2022-10-29 03:54:42 -05:00
|
|
|
keys: ThresholdKeys<C>,
|
2022-05-24 21:41:14 -04:00
|
|
|
included: &[u16],
|
2022-04-29 22:36:43 -04:00
|
|
|
) -> Result<AlgorithmMachine<C, A>, FrostError> {
|
2022-06-24 08:40:14 -04:00
|
|
|
Ok(AlgorithmMachine { params: Params::new(algorithm, keys, included)? })
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-06-03 01:25:46 -04:00
|
|
|
|
2022-10-15 23:46:22 -04:00
|
|
|
#[cfg(any(test, feature = "tests"))]
|
2022-06-24 08:40:14 -04:00
|
|
|
pub(crate) fn unsafe_override_preprocess(
|
|
|
|
|
self,
|
2022-10-29 05:10:07 -04:00
|
|
|
nonces: Vec<Nonce<C>>,
|
|
|
|
|
preprocess: Preprocess<C, A::Addendum>,
|
2022-07-13 02:38:29 -04:00
|
|
|
) -> AlgorithmSignMachine<C, A> {
|
2022-10-29 05:10:07 -04:00
|
|
|
AlgorithmSignMachine { params: self.params, nonces, preprocess }
|
2022-06-03 01:25:46 -04:00
|
|
|
}
|
2022-04-29 22:36:43 -04:00
|
|
|
}
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-06-24 08:40:14 -04:00
|
|
|
impl<C: Curve, A: Algorithm<C>> PreprocessMachine for AlgorithmMachine<C, A> {
|
2022-10-25 23:17:25 -05:00
|
|
|
type Preprocess = Preprocess<C, A::Addendum>;
|
2022-04-29 22:36:43 -04:00
|
|
|
type Signature = A::Signature;
|
2022-06-24 08:40:14 -04:00
|
|
|
type SignMachine = AlgorithmSignMachine<C, A>;
|
2022-04-29 22:36:43 -04:00
|
|
|
|
2022-10-25 23:17:25 -05:00
|
|
|
fn preprocess<R: RngCore + CryptoRng>(
|
|
|
|
|
self,
|
|
|
|
|
rng: &mut R,
|
|
|
|
|
) -> (Self::SignMachine, Preprocess<C, A::Addendum>) {
|
2022-06-24 08:40:14 -04:00
|
|
|
let mut params = self.params;
|
2022-10-29 05:10:07 -04:00
|
|
|
|
|
|
|
|
let (nonces, commitments) = Commitments::new::<_, A::Transcript>(
|
|
|
|
|
&mut *rng,
|
|
|
|
|
params.view().secret_share(),
|
|
|
|
|
¶ms.algorithm.nonces(),
|
|
|
|
|
);
|
|
|
|
|
let addendum = params.algorithm.preprocess_addendum(rng, ¶ms.view);
|
|
|
|
|
|
|
|
|
|
let preprocess = Preprocess { commitments, addendum };
|
|
|
|
|
(AlgorithmSignMachine { params, nonces, preprocess: preprocess.clone() }, preprocess)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Share of a signature produced via FROST.
|
|
|
|
|
#[derive(Clone, PartialEq, Eq)]
|
|
|
|
|
pub struct SignatureShare<C: Curve>(C::F);
|
|
|
|
|
impl<C: Curve> Writable for SignatureShare<C> {
|
|
|
|
|
fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
writer.write_all(self.0.to_repr().as_ref())
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-06-24 08:40:14 -04:00
|
|
|
}
|
|
|
|
|
|
2022-10-29 05:10:07 -04:00
|
|
|
/// Trait for the second machine of a two-round signing protocol.
|
|
|
|
|
pub trait SignMachine<S> {
|
|
|
|
|
/// Preprocess message for this machine.
|
|
|
|
|
type Preprocess: Clone + PartialEq + Writable;
|
|
|
|
|
/// SignatureShare message for this machine.
|
|
|
|
|
type SignatureShare: Clone + PartialEq + Writable;
|
|
|
|
|
/// SignatureMachine this SignMachine turns into.
|
|
|
|
|
type SignatureMachine: SignatureMachine<S, SignatureShare = Self::SignatureShare>;
|
|
|
|
|
|
|
|
|
|
/// Read a Preprocess message.
|
|
|
|
|
fn read_preprocess<R: Read>(&self, reader: &mut R) -> io::Result<Self::Preprocess>;
|
|
|
|
|
|
|
|
|
|
/// Sign a message.
|
|
|
|
|
/// Takes in the participants' preprocess messages. Returns the signature share to be broadcast
|
|
|
|
|
/// to all participants, over an authenticated channel.
|
|
|
|
|
fn sign(
|
|
|
|
|
self,
|
|
|
|
|
commitments: HashMap<u16, Self::Preprocess>,
|
|
|
|
|
msg: &[u8],
|
|
|
|
|
) -> Result<(Self::SignatureMachine, Self::SignatureShare), FrostError>;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Next step of the state machine for the signing process.
|
2022-11-10 22:35:09 -05:00
|
|
|
#[derive(Zeroize)]
|
2022-10-29 05:10:07 -04:00
|
|
|
pub struct AlgorithmSignMachine<C: Curve, A: Algorithm<C>> {
|
|
|
|
|
params: Params<C, A>,
|
|
|
|
|
pub(crate) nonces: Vec<Nonce<C>>,
|
2022-11-10 22:35:09 -05:00
|
|
|
#[zeroize(skip)]
|
2022-10-29 05:10:07 -04:00
|
|
|
pub(crate) preprocess: Preprocess<C, A::Addendum>,
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-24 08:40:14 -04:00
|
|
|
impl<C: Curve, A: Algorithm<C>> SignMachine<A::Signature> for AlgorithmSignMachine<C, A> {
|
2022-10-25 23:17:25 -05:00
|
|
|
type Preprocess = Preprocess<C, A::Addendum>;
|
|
|
|
|
type SignatureShare = SignatureShare<C>;
|
2022-06-24 08:40:14 -04:00
|
|
|
type SignatureMachine = AlgorithmSignatureMachine<C, A>;
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-10-25 23:17:25 -05:00
|
|
|
fn read_preprocess<R: Read>(&self, reader: &mut R) -> io::Result<Self::Preprocess> {
|
|
|
|
|
Ok(Preprocess {
|
|
|
|
|
commitments: Commitments::read::<_, A::Transcript>(reader, &self.params.algorithm.nonces())?,
|
|
|
|
|
addendum: self.params.algorithm.read_addendum(reader)?,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn sign(
|
2022-10-29 05:10:07 -04:00
|
|
|
mut self,
|
|
|
|
|
mut preprocesses: HashMap<u16, Preprocess<C, A::Addendum>>,
|
2022-07-15 01:26:07 -04:00
|
|
|
msg: &[u8],
|
2022-10-25 23:17:25 -05:00
|
|
|
) -> Result<(Self::SignatureMachine, SignatureShare<C>), FrostError> {
|
2022-10-29 05:10:07 -04:00
|
|
|
let multisig_params = self.params.multisig_params();
|
|
|
|
|
validate_map(&preprocesses, &self.params.view.included(), multisig_params.i())?;
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
// Domain separate FROST
|
|
|
|
|
self.params.algorithm.transcript().domain_separate(b"FROST");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let nonces = self.params.algorithm.nonces();
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
let mut B = BindingFactor(HashMap::<u16, _>::with_capacity(self.params.view.included().len()));
|
|
|
|
|
{
|
|
|
|
|
// Parse the preprocesses
|
|
|
|
|
for l in &self.params.view.included() {
|
|
|
|
|
{
|
|
|
|
|
self
|
|
|
|
|
.params
|
|
|
|
|
.algorithm
|
|
|
|
|
.transcript()
|
2022-11-05 18:43:36 -04:00
|
|
|
.append_message(b"participant", C::F::from(u64::from(*l)).to_repr());
|
2022-10-29 05:10:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if *l == self.params.keys.params().i() {
|
|
|
|
|
let commitments = self.preprocess.commitments.clone();
|
|
|
|
|
commitments.transcript(self.params.algorithm.transcript());
|
|
|
|
|
|
|
|
|
|
let addendum = self.preprocess.addendum.clone();
|
|
|
|
|
{
|
|
|
|
|
let mut buf = vec![];
|
|
|
|
|
addendum.write(&mut buf).unwrap();
|
2022-11-05 18:43:36 -04:00
|
|
|
self.params.algorithm.transcript().append_message(b"addendum", buf);
|
2022-10-29 05:10:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
B.insert(*l, commitments);
|
|
|
|
|
self.params.algorithm.process_addendum(&self.params.view, *l, addendum)?;
|
|
|
|
|
} else {
|
|
|
|
|
let preprocess = preprocesses.remove(l).unwrap();
|
|
|
|
|
preprocess.commitments.transcript(self.params.algorithm.transcript());
|
|
|
|
|
{
|
|
|
|
|
let mut buf = vec![];
|
|
|
|
|
preprocess.addendum.write(&mut buf).unwrap();
|
2022-11-05 18:43:36 -04:00
|
|
|
self.params.algorithm.transcript().append_message(b"addendum", buf);
|
2022-10-29 05:10:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
B.insert(*l, preprocess.commitments);
|
|
|
|
|
self.params.algorithm.process_addendum(&self.params.view, *l, preprocess.addendum)?;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Re-format into the FROST-expected rho transcript
|
|
|
|
|
let mut rho_transcript = A::Transcript::new(b"FROST_rho");
|
2022-11-05 18:43:36 -04:00
|
|
|
rho_transcript.append_message(b"message", C::hash_msg(msg));
|
2022-10-29 05:10:07 -04:00
|
|
|
rho_transcript.append_message(
|
|
|
|
|
b"preprocesses",
|
|
|
|
|
&C::hash_commitments(
|
|
|
|
|
self.params.algorithm.transcript().challenge(b"preprocesses").as_ref(),
|
|
|
|
|
),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Include the offset, if one exists
|
|
|
|
|
// While this isn't part of the FROST-expected rho transcript, the offset being here
|
|
|
|
|
// coincides with another specification (despite the transcript format still being distinct)
|
|
|
|
|
if let Some(offset) = self.params.keys.current_offset() {
|
|
|
|
|
// Transcript as a point
|
|
|
|
|
// Under a coordinated model, the coordinater can be the only party to know the discrete
|
|
|
|
|
// log of the offset. This removes the ability for any signer to provide the discrete log,
|
|
|
|
|
// proving a key is related to another, slightly increasing security
|
|
|
|
|
// While further code edits would still be required for such a model (having the offset
|
|
|
|
|
// communicated as a point along with only a single party applying the offset), this means
|
|
|
|
|
// it wouldn't require a transcript change as well
|
2022-11-05 18:43:36 -04:00
|
|
|
rho_transcript.append_message(b"offset", (C::generator() * offset).to_bytes());
|
2022-10-29 05:10:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Generate the per-signer binding factors
|
|
|
|
|
B.calculate_binding_factors(&mut rho_transcript);
|
|
|
|
|
|
|
|
|
|
// Merge the rho transcript back into the global one to ensure its advanced, while
|
|
|
|
|
// simultaneously committing to everything
|
|
|
|
|
self
|
|
|
|
|
.params
|
|
|
|
|
.algorithm
|
|
|
|
|
.transcript()
|
2022-11-05 18:43:36 -04:00
|
|
|
.append_message(b"rho_transcript", rho_transcript.challenge(b"merge"));
|
2022-10-29 05:10:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
let Rs = B.nonces(&nonces);
|
|
|
|
|
|
|
|
|
|
let our_binding_factors = B.binding_factors(multisig_params.i());
|
2022-11-10 22:35:09 -05:00
|
|
|
let nonces = self
|
2022-10-29 05:10:07 -04:00
|
|
|
.nonces
|
2022-11-10 22:35:09 -05:00
|
|
|
.drain(..)
|
2022-10-29 05:10:07 -04:00
|
|
|
.enumerate()
|
2022-11-10 22:35:09 -05:00
|
|
|
.map(|(n, nonces)| {
|
|
|
|
|
let [base, mut actual] = nonces.0;
|
|
|
|
|
*actual *= our_binding_factors[n];
|
|
|
|
|
*actual += base.deref();
|
|
|
|
|
actual
|
|
|
|
|
})
|
2022-10-29 05:10:07 -04:00
|
|
|
.collect::<Vec<_>>();
|
|
|
|
|
|
2022-11-10 22:35:09 -05:00
|
|
|
let share = self.params.algorithm.sign_share(&self.params.view, &Rs, nonces, msg);
|
2022-10-29 05:10:07 -04:00
|
|
|
|
|
|
|
|
Ok((
|
|
|
|
|
AlgorithmSignatureMachine { params: self.params.clone(), B, Rs, share },
|
|
|
|
|
SignatureShare(share),
|
|
|
|
|
))
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
2022-06-24 08:40:14 -04:00
|
|
|
}
|
2022-04-21 21:36:18 -04:00
|
|
|
|
2022-10-29 05:10:07 -04:00
|
|
|
/// Trait for the final machine of a two-round signing protocol.
|
|
|
|
|
pub trait SignatureMachine<S> {
|
|
|
|
|
/// SignatureShare message for this machine.
|
|
|
|
|
type SignatureShare: Clone + PartialEq + Writable;
|
|
|
|
|
|
|
|
|
|
/// Read a Signature Share message.
|
|
|
|
|
fn read_share<R: Read>(&self, reader: &mut R) -> io::Result<Self::SignatureShare>;
|
|
|
|
|
|
|
|
|
|
/// Complete signing.
|
|
|
|
|
/// Takes in everyone elses' shares. Returns the signature.
|
|
|
|
|
fn complete(self, shares: HashMap<u16, Self::SignatureShare>) -> Result<S, FrostError>;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Final step of the state machine for the signing process.
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
|
pub struct AlgorithmSignatureMachine<C: Curve, A: Algorithm<C>> {
|
|
|
|
|
params: Params<C, A>,
|
|
|
|
|
B: BindingFactor<C>,
|
|
|
|
|
Rs: Vec<Vec<C::G>>,
|
|
|
|
|
share: C::F,
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-15 01:26:07 -04:00
|
|
|
impl<C: Curve, A: Algorithm<C>> SignatureMachine<A::Signature> for AlgorithmSignatureMachine<C, A> {
|
2022-10-25 23:17:25 -05:00
|
|
|
type SignatureShare = SignatureShare<C>;
|
|
|
|
|
|
|
|
|
|
fn read_share<R: Read>(&self, reader: &mut R) -> io::Result<SignatureShare<C>> {
|
|
|
|
|
Ok(SignatureShare(C::read_F(reader)?))
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-29 05:10:07 -04:00
|
|
|
fn complete(
|
|
|
|
|
self,
|
|
|
|
|
mut shares: HashMap<u16, SignatureShare<C>>,
|
|
|
|
|
) -> Result<A::Signature, FrostError> {
|
|
|
|
|
let params = self.params.multisig_params();
|
|
|
|
|
validate_map(&shares, &self.params.view.included(), params.i())?;
|
|
|
|
|
|
|
|
|
|
let mut responses = HashMap::new();
|
|
|
|
|
responses.insert(params.i(), self.share);
|
|
|
|
|
let mut sum = self.share;
|
|
|
|
|
for (l, share) in shares.drain() {
|
|
|
|
|
responses.insert(l, share.0);
|
|
|
|
|
sum += share.0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Perform signature validation instead of individual share validation
|
|
|
|
|
// For the success route, which should be much more frequent, this should be faster
|
|
|
|
|
// It also acts as an integrity check of this library's signing function
|
|
|
|
|
if let Some(sig) = self.params.algorithm.verify(self.params.view.group_key(), &self.Rs, sum) {
|
|
|
|
|
return Ok(sig);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Find out who misbehaved. It may be beneficial to randomly sort this to have detection be
|
|
|
|
|
// within n / 2 on average, and not gameable to n, though that should be minor
|
|
|
|
|
// TODO
|
|
|
|
|
for l in &self.params.view.included() {
|
|
|
|
|
if !self.params.algorithm.verify_share(
|
|
|
|
|
self.params.view.verification_share(*l),
|
|
|
|
|
&self.B.bound(*l),
|
|
|
|
|
responses[l],
|
|
|
|
|
) {
|
|
|
|
|
Err(FrostError::InvalidShare(*l))?;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If everyone has a valid share and there were enough participants, this should've worked
|
|
|
|
|
Err(FrostError::InternalError("everyone had a valid share yet the signature was still invalid"))
|
2022-04-21 21:36:18 -04:00
|
|
|
}
|
|
|
|
|
}
|