frost-core 3.0.0

Types and traits to support implementing Flexible Round-Optimized Schnorr Threshold signature schemes (FROST).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

//! FROST Round 2 functionality and types, for signature share generation

use core::fmt::{self, Debug};

use crate as frost;
use crate::{
    Challenge, Ciphersuite, Error, Field, Group, {round1, *},
};

/// A participant's signature share, which the coordinator will aggregate with all other signer's
/// shares into the joint signature.
#[derive(Clone, Copy, Eq, PartialEq, Getters)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
#[cfg_attr(feature = "serde", serde(bound = "C: Ciphersuite"))]
#[cfg_attr(feature = "serde", serde(deny_unknown_fields))]
pub struct SignatureShare<C: Ciphersuite> {
    /// Serialization header
    #[getter(skip)]
    pub(crate) header: Header<C>,
    /// This participant's signature over the message.
    pub(crate) share: SerializableScalar<C>,
}

impl<C> SignatureShare<C>
where
    C: Ciphersuite,
{
    pub(crate) fn new(
        scalar: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
    ) -> Self {
        Self {
            header: Header::default(),
            share: SerializableScalar(scalar),
        }
    }

    pub(crate) fn to_scalar(
        self,
    ) -> <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
        self.share.0
    }

    /// Deserialize [`SignatureShare`] from bytes
    pub fn deserialize(bytes: &[u8]) -> Result<Self, Error<C>> {
        Ok(Self {
            header: Header::default(),
            share: SerializableScalar::deserialize(bytes)?,
        })
    }

    /// Serialize [`SignatureShare`] to bytes
    pub fn serialize(&self) -> Vec<u8> {
        self.share.serialize()
    }

    /// Tests if a signature share issued by a participant is valid before
    /// aggregating it into a final joint signature to publish.
    ///
    /// This is the final step of [`verify_signature_share`] from the spec.
    ///
    /// [`verify_signature_share`]: https://datatracker.ietf.org/doc/html/rfc9591#name-signature-share-aggregation
    #[cfg_attr(feature = "internals", visibility::make(pub))]
    #[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
    pub(crate) fn verify(
        &self,
        identifier: Identifier<C>,
        group_commitment_share: &round1::GroupCommitmentShare<C>,
        verifying_share: &frost::keys::VerifyingShare<C>,
        lambda_i: Scalar<C>,
        challenge: &Challenge<C>,
    ) -> Result<(), Error<C>> {
        if (<C::Group>::generator() * self.to_scalar())
            != (group_commitment_share.to_element()
                + (verifying_share.to_element() * challenge.0 * lambda_i))
        {
            return Err(Error::InvalidSignatureShare {
                culprits: vec![identifier],
            });
        }

        Ok(())
    }
}

impl<C> Debug for SignatureShare<C>
where
    C: Ciphersuite,
{
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        f.debug_struct("SignatureShare")
            .field("share", &hex::encode(self.serialize()))
            .finish()
    }
}

/// Compute the signature share for a signing operation.
#[cfg_attr(feature = "internals", visibility::make(pub))]
#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
pub(super) fn compute_signature_share<C: Ciphersuite>(
    signer_nonces: &round1::SigningNonces<C>,
    binding_factor: BindingFactor<C>,
    lambda_i: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
    key_package: &keys::KeyPackage<C>,
    challenge: Challenge<C>,
) -> SignatureShare<C> {
    let z_share: <<C::Group as Group>::Field as Field>::Scalar = signer_nonces.hiding.to_scalar()
        + (signer_nonces.binding.to_scalar() * binding_factor.0)
        + (lambda_i * key_package.signing_share.to_scalar() * challenge.to_scalar());

    SignatureShare::<C>::new(z_share)
}

/// Performed once by each participant selected for the signing operation.
///
/// Implements [`sign`] from the spec.
///
/// Receives the message to be signed and a set of signing commitments and a set
/// of randomizing commitments to be used in that signing operation, including
/// that for this participant.
///
/// Assumes the participant has already determined which nonce corresponds with
/// the commitment that was assigned by the coordinator in the SigningPackage.
///
/// [`sign`]: https://datatracker.ietf.org/doc/html/rfc9591#name-round-two-signature-share-g
pub fn sign<C: Ciphersuite>(
    signing_package: &SigningPackage<C>,
    signer_nonces: &round1::SigningNonces<C>,
    key_package: &frost::keys::KeyPackage<C>,
) -> Result<SignatureShare<C>, Error<C>> {
    if signing_package.signing_commitments().len() < key_package.min_signers as usize {
        return Err(Error::IncorrectNumberOfCommitments);
    }

    // Validate the signer's commitment is present in the signing package
    let commitment = signing_package
        .signing_commitments
        .get(&key_package.identifier)
        .ok_or(Error::MissingCommitment)?;

    // Validate if the signer's commitment exists
    if &signer_nonces.commitments != commitment {
        return Err(Error::IncorrectCommitment);
    }

    let (signing_package, signer_nonces, key_package) =
        <C>::pre_sign(signing_package, signer_nonces, key_package)?;

    // Encodes the signing commitment list produced in round one as part of generating [`BindingFactor`], the
    // binding factor.
    let binding_factor_list: BindingFactorList<C> =
        compute_binding_factor_list(&signing_package, &key_package.verifying_key, &[])?;
    let binding_factor: frost::BindingFactor<C> = binding_factor_list
        .get(&key_package.identifier)
        .ok_or(Error::UnknownIdentifier)?
        .clone();

    // Compute the group commitment from signing commitments produced in round one.
    let (signing_package, signer_nonces) =
        <C>::pre_commitment_sign(&signing_package, &signer_nonces, &binding_factor_list)?;
    let group_commitment = compute_group_commitment(&signing_package, &binding_factor_list)?;

    // Compute Lagrange coefficient.
    let lambda_i = frost::derive_interpolating_value(key_package.identifier(), &signing_package)?;

    // Compute the per-message challenge.
    let challenge = <C>::challenge(
        &group_commitment.0,
        &key_package.verifying_key,
        signing_package.message(),
    )?;

    // Compute the Schnorr signature share.
    let signature_share = <C>::compute_signature_share(
        &group_commitment,
        &signer_nonces,
        binding_factor,
        lambda_i,
        &key_package,
        challenge,
    );

    Ok(signature_share)
}