Create dedicated message structures for FROST messages (#140)

* Create message types for FROST key gen Taking in reader borrows absolutely wasn't feasible. Now, proper types which can be read (and then passed directly, without a mutable borrow) exist for key_gen. sign coming next. * Move FROST signing to messages, not Readers/Writers/Vec<u8> Also takes the nonce handling code and makes a dedicated file for it, aiming to resolve complex types and make the code more legible by replacing its previously inlined state. * clippy * Update FROST tests * read_signature_share * Update the Monero library to the new FROST packages * Update processor to latest FROST * Tweaks to terminology and documentation
2025-12-09 12:49:23 +00:00 · 2022-10-25 23:17:25 -05:00
parent ccdb834e6e
commit cbceaff678
26 changed files with 874 additions and 591 deletions
--- a/coins/monero/Cargo.toml
+++ b/coins/monero/Cargo.toml
@@ -34,7 +34,7 @@ dalek-ff-group = { path = "../../crypto/dalek-ff-group", version = "0.1" }
 multiexp = { path = "../../crypto/multiexp", version = "0.2", features = ["batch"] }

 transcript = { package = "flexible-transcript", path = "../../crypto/transcript", version = "0.1", features = ["recommended"], optional = true }
-frost = { package = "modular-frost", path = "../../crypto/frost", version = "0.2", features = ["ed25519"], optional = true }
+frost = { package = "modular-frost", path = "../../crypto/frost", version = "0.3", features = ["ed25519"], optional = true }
 dleq = { path = "../../crypto/dleq", version = "0.1", features = ["serialize"], optional = true }

 monero-generators = { path = "generators", version = "0.1" }
@@ -55,7 +55,7 @@ monero-generators = { path = "generators", version = "0.1" }
 [dev-dependencies]
 tokio = { version = "1", features = ["full"] }

-frost = { package = "modular-frost", path = "../../crypto/frost", version = "0.2", features = ["ed25519", "tests"] }
+frost = { package = "modular-frost", path = "../../crypto/frost", version = "0.3", features = ["ed25519", "tests"] }

 [features]
 multisig = ["rand_chacha", "blake2", "transcript", "frost", "dleq"]
--- a/coins/monero/src/frost.rs
+++ b/coins/monero/src/frost.rs
@@ -1,73 +0,0 @@
-use std::io::Read;
-
-use thiserror::Error;
-use rand_core::{RngCore, CryptoRng};
-
-use zeroize::Zeroize;
-
-use curve25519_dalek::{scalar::Scalar, edwards::EdwardsPoint};
-
-use group::{Group, GroupEncoding};
-
-use transcript::{Transcript, RecommendedTranscript};
-use dalek_ff_group as dfg;
-use dleq::DLEqProof;
-
-#[derive(Clone, Error, Debug)]
-pub(crate) enum MultisigError {
-  #[error("invalid discrete log equality proof")]
-  InvalidDLEqProof(u16),
-}
-
-fn transcript() -> RecommendedTranscript {
-  RecommendedTranscript::new(b"monero_key_image_dleq")
-}
-
-#[allow(non_snake_case)]
-pub(crate) fn write_dleq<R: RngCore + CryptoRng>(
-  rng: &mut R,
-  H: EdwardsPoint,
-  mut x: Scalar,
-) -> Vec<u8> {
-  let mut res = Vec::with_capacity(64);
-  DLEqProof::prove(
-    rng,
-    // Doesn't take in a larger transcript object due to the usage of this
-    // Every prover would immediately write their own DLEq proof, when they can only do so in
-    // the proper order if they want to reach consensus
-    // It'd be a poor API to have CLSAG define a new transcript solely to pass here, just to try to
-    // merge later in some form, when it should instead just merge xH (as it does)
-    &mut transcript(),
-    &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)],
-    dfg::Scalar(x),
-  )
-  .serialize(&mut res)
-  .unwrap();
-  x.zeroize();
-  res
-}
-
-#[allow(non_snake_case)]
-pub(crate) fn read_dleq<Re: Read>(
-  serialized: &mut Re,
-  H: EdwardsPoint,
-  l: u16,
-  xG: dfg::EdwardsPoint,
-) -> Result<dfg::EdwardsPoint, MultisigError> {
-  let mut bytes = [0; 32];
-  serialized.read_exact(&mut bytes).map_err(|_| MultisigError::InvalidDLEqProof(l))?;
-  // dfg ensures the point is torsion free
-  let xH = Option::<dfg::EdwardsPoint>::from(dfg::EdwardsPoint::from_bytes(&bytes))
-    .ok_or(MultisigError::InvalidDLEqProof(l))?;
-  // Ensure this is a canonical point
-  if xH.to_bytes() != bytes {
-    Err(MultisigError::InvalidDLEqProof(l))?;
-  }
-
-  DLEqProof::<dfg::EdwardsPoint>::deserialize(serialized)
-    .map_err(|_| MultisigError::InvalidDLEqProof(l))?
-    .verify(&mut transcript(), &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(H)], &[xG, xH])
-    .map_err(|_| MultisigError::InvalidDLEqProof(l))?;
-
-  Ok(xH)
-}
--- a/coins/monero/src/lib.rs
+++ b/coins/monero/src/lib.rs
@@ -33,9 +33,6 @@ use curve25519_dalek::{

 pub use monero_generators::H;

-#[cfg(feature = "multisig")]
-pub(crate) mod frost;
-
 mod serialize;

 /// RingCT structs and functionality.
--- a/coins/monero/src/ringct/clsag/mod.rs
+++ b/coins/monero/src/ringct/clsag/mod.rs
@@ -22,7 +22,7 @@ use crate::{
 #[cfg(feature = "multisig")]
 mod multisig;
 #[cfg(feature = "multisig")]
-pub use multisig::{ClsagDetails, ClsagMultisig};
+pub use multisig::{ClsagDetails, ClsagAddendum, ClsagMultisig};

 lazy_static! {
  static ref INV_EIGHT: Scalar = Scalar::from(8u8).invert();
--- a/coins/monero/src/ringct/clsag/multisig.rs
+++ b/coins/monero/src/ringct/clsag/multisig.rs
@@ -1,6 +1,6 @@
 use core::fmt::Debug;
 use std::{
-  io::Read,
+  io::{self, Read, Write},
  sync::{Arc, RwLock},
 };

@@ -16,20 +16,26 @@ use curve25519_dalek::{
  edwards::EdwardsPoint,
 };

-use group::Group;
+use group::{Group, GroupEncoding};

 use transcript::{Transcript, RecommendedTranscript};
-use frost::{curve::Ed25519, FrostError, FrostView, algorithm::Algorithm};
 use dalek_ff_group as dfg;
-
-use crate::{
-  frost::{write_dleq, read_dleq},
-  ringct::{
-    hash_to_point,
-    clsag::{ClsagInput, Clsag},
-  },
+use dleq::DLEqProof;
+use frost::{
+  curve::Ed25519,
+  FrostError, FrostView,
+  algorithm::{AddendumSerialize, Algorithm},
 };

+use crate::ringct::{
+  hash_to_point,
+  clsag::{ClsagInput, Clsag},
+};
+
+fn dleq_transcript() -> RecommendedTranscript {
+  RecommendedTranscript::new(b"monero_key_image_dleq")
+}
+
 impl ClsagInput {
  fn transcript<T: Transcript>(&self, transcript: &mut T) {
    // Doesn't domain separate as this is considered part of the larger CLSAG proof
@@ -54,7 +60,7 @@ impl ClsagInput {
  }
 }

-/// CLSAG Input and the mask to use for it.
+/// CLSAG input and the mask to use for it.
 #[derive(Clone, Debug, Zeroize, ZeroizeOnDrop)]
 pub struct ClsagDetails {
  input: ClsagInput,
@@ -67,6 +73,20 @@ impl ClsagDetails {
  }
 }

+/// Addendum produced during the FROST signing process with relevant data.
+#[derive(Clone, PartialEq, Eq, Zeroize, Debug)]
+pub struct ClsagAddendum {
+  pub(crate) key_image: dfg::EdwardsPoint,
+  dleq: DLEqProof<dfg::EdwardsPoint>,
+}
+
+impl AddendumSerialize for ClsagAddendum {
+  fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
+    writer.write_all(self.key_image.compress().to_bytes().as_ref())?;
+    self.dleq.serialize(writer)
+  }
+}
+
 #[allow(non_snake_case)]
 #[derive(Clone, PartialEq, Eq, Debug)]
 struct Interim {
@@ -113,10 +133,6 @@ impl ClsagMultisig {
    }
  }

-  pub(crate) const fn serialized_len() -> usize {
-    32 + (2 * 32)
-  }
-
  fn input(&self) -> ClsagInput {
    (*self.details.read().unwrap()).as_ref().unwrap().input.clone()
  }
@@ -128,6 +144,7 @@ impl ClsagMultisig {

 impl Algorithm<Ed25519> for ClsagMultisig {
  type Transcript = RecommendedTranscript;
+  type Addendum = ClsagAddendum;
  type Signature = (Clsag, EdwardsPoint);

  fn nonces(&self) -> Vec<Vec<dfg::EdwardsPoint>> {
@@ -138,18 +155,42 @@ impl Algorithm<Ed25519> for ClsagMultisig {
    &mut self,
    rng: &mut R,
    view: &FrostView<Ed25519>,
-  ) -> Vec<u8> {
-    let mut serialized = Vec::with_capacity(Self::serialized_len());
-    serialized.extend((view.secret_share().0 * self.H).compress().to_bytes());
-    serialized.extend(write_dleq(rng, self.H, view.secret_share().0));
-    serialized
+  ) -> ClsagAddendum {
+    ClsagAddendum {
+      key_image: dfg::EdwardsPoint(self.H * view.secret_share().0),
+      dleq: DLEqProof::prove(
+        rng,
+        // Doesn't take in a larger transcript object due to the usage of this
+        // Every prover would immediately write their own DLEq proof, when they can only do so in
+        // the proper order if they want to reach consensus
+        // It'd be a poor API to have CLSAG define a new transcript solely to pass here, just to
+        // try to merge later in some form, when it should instead just merge xH (as it does)
+        &mut dleq_transcript(),
+        &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(self.H)],
+        dfg::Scalar(view.secret_share().0),
+      ),
+    }
  }

-  fn process_addendum<Re: Read>(
+  fn read_addendum<R: Read>(&self, reader: &mut R) -> io::Result<ClsagAddendum> {
+    let mut bytes = [0; 32];
+    reader.read_exact(&mut bytes)?;
+    // dfg ensures the point is torsion free
+    let xH = Option::<dfg::EdwardsPoint>::from(dfg::EdwardsPoint::from_bytes(&bytes))
+      .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "invalid key image"))?;
+    // Ensure this is a canonical point
+    if xH.to_bytes() != bytes {
+      Err(io::Error::new(io::ErrorKind::Other, "non-canonical key image"))?;
+    }
+
+    Ok(ClsagAddendum { key_image: xH, dleq: DLEqProof::<dfg::EdwardsPoint>::deserialize(reader)? })
+  }
+
+  fn process_addendum(
    &mut self,
    view: &FrostView<Ed25519>,
    l: u16,
-    serialized: &mut Re,
+    addendum: ClsagAddendum,
  ) -> Result<(), FrostError> {
    if self.image.is_identity() {
      self.transcript.domain_separate(b"CLSAG");
@@ -158,11 +199,20 @@ impl Algorithm<Ed25519> for ClsagMultisig {
    }

    self.transcript.append_message(b"participant", &l.to_be_bytes());
-    let image = read_dleq(serialized, self.H, l, view.verification_share(l))
-      .map_err(|_| FrostError::InvalidCommitment(l))?
-      .0;
-    self.transcript.append_message(b"key_image_share", image.compress().to_bytes().as_ref());
-    self.image += image;
+
+    addendum
+      .dleq
+      .verify(
+        &mut dleq_transcript(),
+        &[dfg::EdwardsPoint::generator(), dfg::EdwardsPoint(self.H)],
+        &[view.verification_share(l), addendum.key_image],
+      )
+      .map_err(|_| FrostError::InvalidPreprocess(l))?;
+
+    self
+      .transcript
+      .append_message(b"key_image_share", addendum.key_image.compress().to_bytes().as_ref());
+    self.image += addendum.key_image.0;

    Ok(())
  }
--- a/coins/monero/src/tests/clsag.rs
+++ b/coins/monero/src/tests/clsag.rs
@@ -19,10 +19,7 @@ use crate::{
  },
 };
 #[cfg(feature = "multisig")]
-use crate::{
-  frost::MultisigError,
-  ringct::clsag::{ClsagDetails, ClsagMultisig},
-};
+use crate::ringct::clsag::{ClsagDetails, ClsagMultisig};

 #[cfg(feature = "multisig")]
 use frost::tests::{key_gen, algorithm_machines, sign};
@@ -79,7 +76,7 @@ fn clsag() {

 #[cfg(feature = "multisig")]
 #[test]
-fn clsag_multisig() -> Result<(), MultisigError> {
+fn clsag_multisig() {
  let keys = key_gen::<_, Ed25519>(&mut OsRng);

  let randomness = random_scalar(&mut OsRng);
@@ -125,6 +122,4 @@ fn clsag_multisig() -> Result<(), MultisigError> {
    ),
    &[1; 32],
  );
-
-  Ok(())
 }
--- a/coins/monero/src/wallet/send/multisig.rs
+++ b/coins/monero/src/wallet/send/multisig.rs
@@ -1,5 +1,5 @@
 use std::{
-  io::{Read, Cursor},
+  io::{self, Read},
  sync::{Arc, RwLock},
  collections::HashMap,
 };
@@ -7,26 +7,22 @@ use std::{
 use rand_core::{RngCore, CryptoRng, SeedableRng};
 use rand_chacha::ChaCha20Rng;

-use curve25519_dalek::{
-  traits::Identity,
-  scalar::Scalar,
-  edwards::{EdwardsPoint, CompressedEdwardsY},
-};
+use curve25519_dalek::{traits::Identity, scalar::Scalar, edwards::EdwardsPoint};

 use transcript::{Transcript, RecommendedTranscript};
 use frost::{
  curve::Ed25519,
  FrostError, FrostKeys,
  sign::{
-    PreprocessMachine, SignMachine, SignatureMachine, AlgorithmMachine, AlgorithmSignMachine,
-    AlgorithmSignatureMachine,
+    Writable, Preprocess, SignatureShare, PreprocessMachine, SignMachine, SignatureMachine,
+    AlgorithmMachine, AlgorithmSignMachine, AlgorithmSignatureMachine,
  },
 };

 use crate::{
  random_scalar,
  ringct::{
-    clsag::{ClsagInput, ClsagDetails, ClsagMultisig},
+    clsag::{ClsagInput, ClsagDetails, ClsagAddendum, ClsagMultisig},
    RctPrunable,
  },
  transaction::{Input, Transaction},
@@ -58,7 +54,7 @@ pub struct TransactionSignMachine {
  inputs: Vec<Arc<RwLock<Option<ClsagDetails>>>>,
  clsags: Vec<AlgorithmSignMachine<Ed25519, ClsagMultisig>>,

-  our_preprocess: Vec<u8>,
+  our_preprocess: Vec<Preprocess<Ed25519, ClsagAddendum>>,
 }

 pub struct TransactionSignatureMachine {
@@ -166,28 +162,26 @@ impl SignableTransaction {
 }

 impl PreprocessMachine for TransactionMachine {
+  type Preprocess = Vec<Preprocess<Ed25519, ClsagAddendum>>;
  type Signature = Transaction;
  type SignMachine = TransactionSignMachine;

  fn preprocess<R: RngCore + CryptoRng>(
    mut self,
    rng: &mut R,
-  ) -> (TransactionSignMachine, Vec<u8>) {
+  ) -> (TransactionSignMachine, Self::Preprocess) {
    // Iterate over each CLSAG calling preprocess
-    let mut serialized = Vec::with_capacity(
-      // D_{G, H}, E_{G, H}, DLEqs, key image addendum
-      self.clsags.len() * ((2 * (32 + 32)) + (2 * (32 + 32)) + ClsagMultisig::serialized_len()),
-    );
+    let mut preprocesses = Vec::with_capacity(self.clsags.len());
    let clsags = self
      .clsags
      .drain(..)
      .map(|clsag| {
        let (clsag, preprocess) = clsag.preprocess(rng);
-        serialized.extend(&preprocess);
+        preprocesses.push(preprocess);
        clsag
      })
      .collect();
-    let our_preprocess = serialized.clone();
+    let our_preprocess = preprocesses.clone();

    // We could add further entropy here, and previous versions of this library did so
    // As of right now, the multisig's key, the inputs being spent, and the FROST data itself
@@ -212,33 +206,35 @@ impl PreprocessMachine for TransactionMachine {

        our_preprocess,
      },
-      serialized,
+      preprocesses,
    )
  }
 }

 impl SignMachine<Transaction> for TransactionSignMachine {
+  type Preprocess = Vec<Preprocess<Ed25519, ClsagAddendum>>;
+  type SignatureShare = Vec<SignatureShare<Ed25519>>;
  type SignatureMachine = TransactionSignatureMachine;

-  fn sign<Re: Read>(
+  fn read_preprocess<R: Read>(&self, reader: &mut R) -> io::Result<Self::Preprocess> {
+    self.clsags.iter().map(|clsag| clsag.read_preprocess(reader)).collect()
+  }
+
+  fn sign(
    mut self,
-    mut commitments: HashMap<u16, Re>,
+    mut commitments: HashMap<u16, Self::Preprocess>,
    msg: &[u8],
-  ) -> Result<(TransactionSignatureMachine, Vec<u8>), FrostError> {
+  ) -> Result<(TransactionSignatureMachine, Self::SignatureShare), FrostError> {
    if !msg.is_empty() {
      Err(FrostError::InternalError(
        "message was passed to the TransactionMachine when it generates its own",
      ))?;
    }

-    // FROST commitments and their DLEqs, and the image and its DLEq
-    const CLSAG_LEN: usize = (2 * (32 + 32)) + (2 * (32 + 32)) + ClsagMultisig::serialized_len();
-
    // Convert the unified commitments to a Vec of the individual commitments
    let mut images = vec![EdwardsPoint::identity(); self.clsags.len()];
    let mut commitments = (0 .. self.clsags.len())
      .map(|c| {
-        let mut buf = [0; CLSAG_LEN];
        self
          .included
          .iter()
@@ -248,31 +244,27 @@ impl SignMachine<Transaction> for TransactionSignMachine {
            // transcripts cloned from this TX's initial premise's transcript. For our TX
            // transcript to have the CLSAG data for entropy, it'll have to be added ourselves here
            self.transcript.append_message(b"participant", &(*l).to_be_bytes());
-            if *l == self.i {
-              buf.copy_from_slice(self.our_preprocess.drain(.. CLSAG_LEN).as_slice());
+
+            let preprocess = if *l == self.i {
+              self.our_preprocess[c].clone()
            } else {
-              commitments
-                .get_mut(l)
-                .ok_or(FrostError::MissingParticipant(*l))?
-                .read_exact(&mut buf)
-                .map_err(|_| FrostError::InvalidCommitment(*l))?;
+              commitments.get_mut(l).ok_or(FrostError::MissingParticipant(*l))?[c].clone()
+            };
+
+            {
+              let mut buf = vec![];
+              preprocess.write(&mut buf).unwrap();
+              self.transcript.append_message(b"preprocess", &buf);
            }
-            self.transcript.append_message(b"preprocess", &buf);

            // While here, calculate the key image
            // Clsag will parse/calculate/validate this as needed, yet doing so here as well
            // provides the easiest API overall, as this is where the TX is (which needs the key
            // images in its message), along with where the outputs are determined (where our
            // outputs may need these in order to guarantee uniqueness)
-            images[c] += CompressedEdwardsY(
-              buf[(CLSAG_LEN - 96) .. (CLSAG_LEN - 64)]
-                .try_into()
-                .map_err(|_| FrostError::InvalidCommitment(*l))?,
-            )
-            .decompress()
-            .ok_or(FrostError::InvalidCommitment(*l))?;
+            images[c] += preprocess.addendum.key_image.0;

-            Ok((*l, Cursor::new(buf)))
+            Ok((*l, preprocess))
          })
          .collect::<Result<HashMap<_, _>, _>>()
      })
@@ -346,37 +338,39 @@ impl SignMachine<Transaction> for TransactionSignMachine {
    let msg = tx.signature_hash();

    // Iterate over each CLSAG calling sign
-    let mut serialized = Vec::with_capacity(self.clsags.len() * 32);
+    let mut shares = Vec::with_capacity(self.clsags.len());
    let clsags = self
      .clsags
      .drain(..)
      .map(|clsag| {
        let (clsag, share) = clsag.sign(commitments.remove(0), &msg)?;
-        serialized.extend(&share);
+        shares.push(share);
        Ok(clsag)
      })
      .collect::<Result<_, _>>()?;

-    Ok((TransactionSignatureMachine { tx, clsags }, serialized))
+    Ok((TransactionSignatureMachine { tx, clsags }, shares))
  }
 }

 impl SignatureMachine<Transaction> for TransactionSignatureMachine {
-  fn complete<Re: Read>(self, mut shares: HashMap<u16, Re>) -> Result<Transaction, FrostError> {
+  type SignatureShare = Vec<SignatureShare<Ed25519>>;
+
+  fn read_share<R: Read>(&self, reader: &mut R) -> io::Result<Self::SignatureShare> {
+    self.clsags.iter().map(|clsag| clsag.read_share(reader)).collect()
+  }
+
+  fn complete(
+    mut self,
+    shares: HashMap<u16, Self::SignatureShare>,
+  ) -> Result<Transaction, FrostError> {
    let mut tx = self.tx;
    match tx.rct_signatures.prunable {
      RctPrunable::Null => panic!("Signing for RctPrunable::Null"),
      RctPrunable::Clsag { ref mut clsags, ref mut pseudo_outs, .. } => {
-        for clsag in self.clsags {
+        for (c, clsag) in self.clsags.drain(..).enumerate() {
          let (clsag, pseudo_out) = clsag.complete(
-            shares
-              .iter_mut()
-              .map(|(l, shares)| {
-                let mut buf = [0; 32];
-                shares.read_exact(&mut buf).map_err(|_| FrostError::InvalidShare(*l))?;
-                Ok((*l, Cursor::new(buf)))
-              })
-              .collect::<Result<HashMap<_, _>, _>>()?,
+            shares.iter().map(|(l, shares)| (*l, shares[c].clone())).collect::<HashMap<_, _>>(),
          )?;
          clsags.push(clsag);
          pseudo_outs.push(pseudo_out);