Add frost-secp256k1-tr crate (BIP340/BIP341) [moved] #730

Merged
merged 14 commits into from
Nov 14, 2024
16 changes: 6 additions & 10 deletions frost-core/src/batch.rs
Expand Up @@ -20,7 +20,6 @@ use crate::{scalar_mul::VartimeMultiscalarMul, Ciphersuite, Element, *};
pub struct Item<C: Ciphersuite> {
vk: VerifyingKey<C>,
sig: Signature<C>,
sig_params: C::SigningParameters,
c: Challenge<C>,
}

Expand All @@ -34,13 +33,12 @@ where
where
M: AsRef<[u8]>,
{
let sig_target = SigningTarget::from_message(msg);
let c = <C>::challenge(&sig.R, &vk, &sig_target)?;
let (msg, sig, vk) = <C>::pre_verify(msg.as_ref(), &sig, &vk)?;
let c = <C>::challenge(&sig.R, &vk, &msg)?;

Ok(Self {
vk,
sig,
sig_params: sig_target.sig_params,
vk: *vk,
sig: *sig,
c,
})
}
Expand All @@ -58,8 +56,7 @@ where
/// requires borrowing the message data, the `Item` type is unlinked
/// from the lifetime of the message.
pub fn verify_single(self) -> Result<(), Error<C>> {
self.vk
.verify_prehashed(self.c, &self.sig, &self.sig_params)
self.vk.verify_prehashed(self.c, &self.sig)
}
}

Expand Down Expand Up @@ -128,7 +125,6 @@ where
for item in self.signatures.iter() {
let z = item.sig.z;
let R = item.sig.R;
let vk = <C>::effective_pubkey_element(&item.vk, &item.sig_params);

let blind = <<C::Group as Group>::Field>::random(&mut rng);

Expand All @@ -139,7 +135,7 @@ where
Rs.push(R);

VK_coeffs.push(<<C::Group as Group>::Field>::zero() + (blind * item.c.0));
VKs.push(vk);
VKs.push(item.vk.to_element());
}

let scalars = core::iter::once(&P_coeff_acc)
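Review bot: `Item::new` now stores what `pre_verify` hands back (`vk: *vk`, `sig: *sig`) rather than the caller's originals, so `verify_single` and the batch loop's `item.vk.to_element()` both operate on already-transformed values. That is only correct if `VerifyingKey::verify_prehashed` (outside this section) does not call `pre_verify` a second time; a ciphersuite whose `pre_verify` tweaks the key would then be tweaked twice on the single-verify path but once on the batch path, and the two could disagree on the same item — a test asserting that `verify_single` and the batch verifier accept and reject identical inputs would pin this. The stored fields also deserve a doc comment, e.g. `/// Key and signature as returned by C::pre_verify; may differ from the caller-supplied values.` on `vk` and `sig`. The `impl Item` block and the function enclosing the batch loop both start outside the hunks shown.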
12 changes: 1 addition & 11 deletions frost-core/src/keys.rs
Expand Up @@ -119,11 +119,6 @@ where
pub(crate) fn from_coefficients(coefficients: &[Scalar<C>], peer: Identifier<C>) -> Self {
Self::new(evaluate_polynomial(peer, coefficients))
}

/// Returns negated SigningShare
pub fn negate(&mut self) {
self.0 .0 = <<C::Group as Group>::Field>::negate(&self.to_scalar());
}
}

impl<C> Debug for SigningShare<C>
Expand Down Expand Up @@ -333,7 +328,7 @@ where
}

/// Returns VerifiableSecretSharingCommitment from a iterator of serialized
/// CoefficientCommitments (e.g. a Vec<Vec<u8>>).
/// CoefficientCommitments (e.g. a `Vec<Vec<u8>>`).
pub fn deserialize<I, V>(serialized_coefficient_commitments: I) -> Result<Self, Error<C>>
where
I: IntoIterator<Item = V>,
Expand Down Expand Up @@ -635,11 +630,6 @@ where
min_signers,
}
}

/// Negate `SigningShare`.
pub fn negate_signing_share(&mut self) {
self.signing_share.negate();
}
}

#[cfg(feature = "serialization")]
44 changes: 17 additions & 27 deletions frost-core/src/keys/dkg.rs
Expand Up @@ -38,7 +38,7 @@ use rand_core::{CryptoRng, RngCore};

use crate::{
Challenge, Ciphersuite, Element, Error, Field, Group, Header, Identifier, Scalar, Signature,
SigningKey,
SigningKey, VerifyingKey,
};

#[cfg(feature = "serialization")]
Expand Down Expand Up @@ -322,7 +322,7 @@ pub fn part1<C: Ciphersuite, R: RngCore + CryptoRng>(
/// Generates the challenge for the proof of knowledge to a secret for the DKG.
fn challenge<C>(
identifier: Identifier<C>,
verifying_key: &Element<C>,
verifying_key: &VerifyingKey<C>,
R: &Element<C>,
) -> Result<Challenge<C>, Error<C>>
where
Expand All @@ -331,7 +331,7 @@ where
let mut preimage = vec![];

preimage.extend_from_slice(identifier.serialize().as_ref());
preimage.extend_from_slice(<C::Group>::serialize(verifying_key)?.as_ref());
preimage.extend_from_slice(<C::Group>::serialize(&verifying_key.to_element())?.as_ref());
preimage.extend_from_slice(<C::Group>::serialize(R)?.as_ref());

Ok(Challenge(
Expand All @@ -354,23 +354,12 @@ pub(crate) fn compute_proof_of_knowledge<C: Ciphersuite, R: RngCore + CryptoRng>
// > a_{i0} by calculating σ_i = (R_i, μ_i), such that k ← Z_q, R_i = g^k,
// > c_i = H(i, Φ, g^{a_{i0}} , R_i), μ_i = k + a_{i0} · c_i, with Φ being
// > a context string to prevent replay attacks.
let mut k = <<C::Group as Group>::Field>::random(&mut rng);
let mut R_i = <C::Group>::generator() * k;
k = <C>::effective_nonce_secret(k, &R_i);
R_i = <C>::effective_nonce_element(R_i);

let verifying_key = commitment.verifying_key()?;
let sig_params = Default::default();

let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &sig_params);

let c_i = challenge::<C>(identifier, &phi_ell0, &R_i)?;
let (k, R_i) = <C>::generate_nonce(&mut rng);
let c_i = challenge::<C>(identifier, &commitment.verifying_key()?, &R_i)?;
let a_i0 = *coefficients
.first()
.expect("coefficients must have at least one element");
let a_i0_effective = <C>::effective_secret_key(a_i0, &verifying_key, &sig_params);

let mu_i = k + a_i0_effective * c_i.0;
let mu_i = k + a_i0 * c_i.0;
Ok(Signature { R: R_i, z: mu_i })
}

Expand All @@ -390,12 +379,9 @@ pub(crate) fn verify_proof_of_knowledge<C: Ciphersuite>(
let ell = identifier;
let R_ell = proof_of_knowledge.R;
let mu_ell = proof_of_knowledge.z;

let verifying_key = commitment.verifying_key()?;
let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &Default::default());
let phi_ell0 = commitment.verifying_key()?;
let c_ell = challenge::<C>(ell, &phi_ell0, &R_ell)?;

if R_ell != <C::Group>::generator() * mu_ell - phi_ell0 * c_ell.0 {
if R_ell != <C::Group>::generator() * mu_ell - phi_ell0.to_element() * c_ell.0 {
return Err(Error::InvalidProofOfKnowledge { culprit: ell });
}
Ok(())
Expand Down Expand Up @@ -562,12 +548,16 @@ pub fn part3<C: Ciphersuite>(
&round2_secret_package.commitment,
)))
.collect();
let public_key_package = PublicKeyPackage::from_dkg_commitments(&commitments)?;

C::dkg_output_finalize(
round2_secret_package.identifier,
commitments,
let key_package = KeyPackage {
header: Header::default(),
identifier: round2_secret_package.identifier,
signing_share,
verifying_share,
round2_secret_package.min_signers,
)
verifying_key: public_key_package.verifying_key,
min_signers: round2_secret_package.min_signers,
};

C::post_dkg(key_package, public_key_package)
}
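Review bot: In the `compute_proof_of_knowledge` hunk the explicit `k`/`R_i` derivation is replaced by `<C>::generate_nonce(&mut rng)`, and nothing at the call site states the relation the two returned values must satisfy. `verify_proof_of_knowledge` accepts a proof only when `R_ell == G * mu_ell - phi_ell0 * c_ell`, which with `mu_i = k + a_i0 * c_i.0` holds exactly when `R_i == G * k` for the untweaked `a_i0` (matching the untweaked `commitment.verifying_key()` now passed to `challenge`); a ciphersuite hook that adjusts one of `k`/`R_i` without the other would silently produce proofs that never verify, and `rng` only carries the `RngCore + CryptoRng` bound, so the hook is also where nonce quality is decided. I'd document this at the call: `// generate_nonce must return (k, R_i) with R_i == G * k; verify_proof_of_knowledge relies on that identity together with the untweaked a_i0.` A test that round-trips `compute_proof_of_knowledge` through `verify_proof_of_knowledge` for every ciphersuite would catch a mismatched hook. In the `part3` hunk, `KeyPackage` is built field-by-field with `Header::default()`; if a `KeyPackage::new` constructor exists elsewhere in the crate, prefer it so the header and field invariants live in one place.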