Remove DLEq proofs from CLSAG multisig

1) Removes the key image DLEq on the Monero side of things, as the produced signature share serves as a DLEq for it. 2) Removes the nonce DLEqs from modular-frost as they're unnecessary for monero-serai. Updates documentation accordingly. Without the proof the nonces are internally consistent, the produced signatures from modular-frost can be argued as a batch-verifiable CP93 DLEq (R0, R1, s), or as a GSP for the CP93 DLEq statement (which naturally produces (R0, R1, s)). The lack of proving the nonces consistent does make the process weaker, yet it's also unnecessary for the class of protocols this is intended to service. To provide DLEqs for the nonces would be to provide PoKs for the nonce commitments (in the traditional Schnorr case).
2025-12-12 14:09:25 +00:00 · 2024-04-21 22:50:07 -04:00
parent 558a2bfa46
commit a25e6330bd
12 changed files with 131 additions and 306 deletions
--- a/coins/monero/src/wallet/send/multisig.rs
+++ b/coins/monero/src/wallet/send/multisig.rs
@@ -18,6 +18,7 @@ use transcript::{Transcript, RecommendedTranscript};
 use frost::{
  curve::Ed25519,
  Participant, FrostError, ThresholdKeys,
+  dkg::lagrange,
  sign::{
    Writable, Preprocess, CachedPreprocess, SignatureShare, PreprocessMachine, SignMachine,
    SignatureMachine, AlgorithmMachine, AlgorithmSignMachine, AlgorithmSignatureMachine,
@@ -27,7 +28,7 @@ use frost::{
 use crate::{
  random_scalar,
  ringct::{
-    clsag::{ClsagInput, ClsagDetails, ClsagAddendum, ClsagMultisig, add_key_image_share},
+    clsag::{ClsagInput, ClsagDetails, ClsagAddendum, ClsagMultisig},
    RctPrunable,
  },
  transaction::{Input, Transaction},
@@ -261,8 +262,13 @@ impl SignMachine<Transaction> for TransactionSignMachine {
    included.push(self.i);
    included.sort_unstable();

-    // Convert the unified commitments to a Vec of the individual commitments
+    // Start calculating the key images, as needed on the TX level
    let mut images = vec![EdwardsPoint::identity(); self.clsags.len()];
+    for (image, (generator, offset)) in images.iter_mut().zip(&self.key_images) {
+      *image = generator * offset;
+    }
+
+    // Convert the serialized nonces commitments to a parallelized Vec
    let mut commitments = (0 .. self.clsags.len())
      .map(|c| {
        included
@@ -291,14 +297,7 @@ impl SignMachine<Transaction> for TransactionSignMachine {
            // provides the easiest API overall, as this is where the TX is (which needs the key
            // images in its message), along with where the outputs are determined (where our
            // outputs may need these in order to guarantee uniqueness)
-            add_key_image_share(
-              &mut images[c],
-              self.key_images[c].0,
-              self.key_images[c].1,
-              &included,
-              *l,
-              preprocess.addendum.key_image.0,
-            );
+            images[c] += preprocess.addendum.key_image.0 * lagrange::<dfg::Scalar>(*l, &included).0;

            Ok((*l, preprocess))
          })