From 73205c5f9696628f6fa109c6a69bd73c7e9131e7 Mon Sep 17 00:00:00 2001
From: Luke Parker
Date: Fri, 12 Aug 2022 23:17:31 -0400
Subject: [PATCH] Transcript the offset as a point

Potentially improves privacy with the reversion to a coordinator setting, where the coordinator is the only party with the offset. While any signer (or anyone) can claim key A relates to B, they can't prove it without the discrete log of the offset. This enables creating a signing process without a known offset, while maintaining a consistent transcript format. Doesn't affect security given a static generator. Does have a slight effect on performance.
---
 crypto/frost/src/sign.rs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/crypto/frost/src/sign.rs b/crypto/frost/src/sign.rs
index 1dffa026..37744efe 100644
--- a/crypto/frost/src/sign.rs
+++ b/crypto/frost/src/sign.rs
@@ -255,11 +255,19 @@ fn sign_with_share>(
     b"commitments",
     &C::hash_msg(params.algorithm.transcript().challenge(b"commitments").as_ref()),
   );
+  // Include the offset, if one exists
   // While this isn't part of the FROST-expected rho transcript, the offset being here coincides
-  // with another specification
+  // with another specification (despite the transcript format being distinct)
   if let Some(offset) = params.keys.offset {
-    rho_transcript.append_message(b"offset", offset.to_repr().as_ref());
+    // Transcript as a point
+    // Under a coordinated model, the coordinater can be the only party to know the discrete log
+    // of the offset. This removes the ability for any signer to provide the discrete log,
+    // proving a key is related to another, slightly increasing security
+    // While further code edits would still be required for such a model (having the offset
+    // communicated as a point along with only a single party applying the offset), this means it
+    // wouldn't require a transcript change as well
+    rho_transcript.append_message(b"offset", (C::GENERATOR * offset).to_bytes().as_ref());
   }
 
   // Generate the per-signer binding factors
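Review bot: The new comment inside the `if let` says the change is "slightly increasing security", but the commit description states it "Doesn't affect security given a static generator" and frames the benefit as privacy (a signer can no longer prove two keys are related); the in-code comment should match, e.g. `// proving a key is related to another, slightly improving privacy`, and `coordinater` should read `coordinator`. It would also help a future reader to note in the comment that this is a transcript-format change: the `b"offset"` label is unchanged while its payload moved from the scalar's `to_repr()` to the point's `to_bytes()`, so signers running the old and new encodings will derive different binding factors and cannot be mixed. The `C::GENERATOR * offset` multiplication now runs on every call of this function; if `params.keys` already holds the offset's public point, appending that instead would avoid the recomputation, though the hunk does not show whether such a field exists. `sign_with_share` starts and ends outside the hunk.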