Use a non-constant generator in FROST

2025-12-09 12:49:23 +00:00 · 2022-08-13 05:07:07 -04:00
parent 6f776ff004
commit 885d816309
12 changed files with 29 additions and 24 deletions
--- a/crypto/frost/src/tests/curve.rs
+++ b/crypto/frost/src/tests/curve.rs
@@ -30,7 +30,7 @@ pub fn test_curve<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
    let mut sum = C::G::identity();
    for _ in 0 .. 10 {
      for _ in 0 .. 100 {
-        pairs.push((C::F::random(&mut *rng), C::GENERATOR * C::F::random(&mut *rng)));
+        pairs.push((C::F::random(&mut *rng), C::generator() * C::F::random(&mut *rng)));
        sum += pairs[pairs.len() - 1].1 * pairs[pairs.len() - 1].0;
      }
      assert_eq!(multiexp::multiexp(&pairs), sum);
--- a/crypto/frost/src/tests/mod.rs
+++ b/crypto/frost/src/tests/mod.rs
@@ -99,7 +99,7 @@ pub fn recover<C: Curve>(keys: &HashMap<u16, FrostKeys<C>>) -> C::F {
  let group_private = keys.iter().fold(C::F::zero(), |accum, (i, keys)| {
    accum + (keys.secret_share() * lagrange::<C::F>(*i, &included))
  });
-  assert_eq!(C::GENERATOR * group_private, first.group_key(), "failed to recover keys");
+  assert_eq!(C::generator() * group_private, first.group_key(), "failed to recover keys");
  group_private
 }

--- a/crypto/frost/src/tests/schnorr.rs
+++ b/crypto/frost/src/tests/schnorr.rs
@@ -16,7 +16,7 @@ pub(crate) fn core_sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
  let nonce = C::F::random(&mut *rng);
  let challenge = C::F::random(rng); // Doesn't bother to craft an HRAM
  assert!(schnorr::verify::<C>(
-    C::GENERATOR * private_key,
+    C::generator() * private_key,
    challenge,
    &schnorr::sign(private_key, nonce, challenge)
  ));
@@ -27,9 +27,9 @@ pub(crate) fn core_sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
 // random
 pub(crate) fn core_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
  assert!(!schnorr::verify::<C>(
-    C::GENERATOR * C::F::random(&mut *rng),
+    C::generator() * C::F::random(&mut *rng),
    C::F::random(rng),
-    &SchnorrSignature { R: C::GENERATOR * C::F::zero(), s: C::F::zero() }
+    &SchnorrSignature { R: C::identity(), s: C::F::zero() }
  ));
 }

@@ -46,7 +46,7 @@ pub(crate) fn core_batch_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {

  // Batch verify
  let triplets = (0 .. 5)
-    .map(|i| (u16::try_from(i + 1).unwrap(), C::GENERATOR * keys[i], challenges[i], sigs[i]))
+    .map(|i| (u16::try_from(i + 1).unwrap(), C::generator() * keys[i], challenges[i], sigs[i]))
    .collect::<Vec<_>>();
  schnorr::batch_verify(rng, &triplets).unwrap();

@@ -111,7 +111,7 @@ fn sign_with_offset<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
  for i in 1 ..= u16::try_from(keys.len()).unwrap() {
    keys.insert(i, keys[&i].offset(offset));
  }
-  let offset_key = group_key + (C::GENERATOR * offset);
+  let offset_key = group_key + (C::generator() * offset);

  sign_core(rng, offset_key, &keys);
 }
--- a/crypto/frost/src/tests/vectors.rs
+++ b/crypto/frost/src/tests/vectors.rs
@@ -32,7 +32,7 @@ fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<u16, FrostKe
    .iter()
    .map(|secret| C::read_F(&mut Cursor::new(hex::decode(secret).unwrap())).unwrap())
    .collect::<Vec<_>>();
-  let verification_shares = shares.iter().map(|secret| C::GENERATOR * secret).collect::<Vec<_>>();
+  let verification_shares = shares.iter().map(|secret| C::generator() * secret).collect::<Vec<_>>();

  let mut keys = HashMap::new();
  for i in 1 ..= u16::try_from(shares.len()).unwrap() {
@@ -71,7 +71,8 @@ pub fn test_with_vectors<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(
  let keys = vectors_to_multisig_keys::<C>(&vectors);
  let group_key = C::read_G(&mut Cursor::new(hex::decode(vectors.group_key).unwrap())).unwrap();
  assert_eq!(
-    C::GENERATOR * C::read_F(&mut Cursor::new(hex::decode(vectors.group_secret).unwrap())).unwrap(),
+    C::generator() *
+      C::read_F(&mut Cursor::new(hex::decode(vectors.group_secret).unwrap())).unwrap(),
    group_key
  );
  assert_eq!(
@@ -102,7 +103,7 @@ pub fn test_with_vectors<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(
        C::read_F(&mut Cursor::new(hex::decode(vectors.nonces[c][1]).unwrap())).unwrap(),
      ];
      c += 1;
-      let these_commitments = vec![[C::GENERATOR * nonces[0], C::GENERATOR * nonces[1]]];
+      let these_commitments = vec![[C::generator() * nonces[0], C::generator() * nonces[1]]];
      let machine = machine.unsafe_override_preprocess(PreprocessPackage {
        nonces: vec![nonces],
        commitments: vec![these_commitments.clone()],