frost-rerandomized 3.0.0

Types and traits to support implementing a re-randomized variant of Flexible Round-Optimized Schnorr Threshold signature schemes (FROST).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227

//! Ciphersuite-generic test functions for re-randomized FROST.
#![cfg(feature = "serialization")]

use alloc::borrow::ToOwned;
use alloc::collections::BTreeMap;
use alloc::vec::Vec;

use crate::{frost_core as frost, RandomizedCiphersuite, RandomizedParams, Randomizer};
use frost_core::{
    round1::SigningCommitments, Field, Group, Identifier, Signature, SigningPackage, VerifyingKey,
};
use rand_core::{CryptoRng, RngCore};

/// Test re-randomized FROST signing with trusted dealer with a Ciphersuite.
/// Returns the signed message, generated signature, and the randomized public key
/// so that the caller can verify the signature with their own implementation.
pub fn check_randomized_sign_with_dealer<C: RandomizedCiphersuite, R: RngCore + CryptoRng>(
    mut rng: R,
) -> (Vec<u8>, Signature<C>, VerifyingKey<C>) {
    ////////////////////////////////////////////////////////////////////////////
    // Key generation
    ////////////////////////////////////////////////////////////////////////////

    let max_signers = 5;
    let min_signers = 3;
    let (shares, pubkeys) = frost::keys::generate_with_dealer(
        max_signers,
        min_signers,
        frost::keys::IdentifierList::Default,
        &mut rng,
    )
    .unwrap();

    // Verifies the secret shares from the dealer
    let mut key_packages: BTreeMap<frost::Identifier<C>, frost::keys::KeyPackage<C>> =
        BTreeMap::new();

    for (k, v) in shares {
        key_packages.insert(k, frost::keys::KeyPackage::try_from(v).unwrap());
    }

    let mut nonces: BTreeMap<frost::Identifier<C>, frost::round1::SigningNonces<C>> =
        BTreeMap::new();
    let mut commitments: BTreeMap<frost::Identifier<C>, frost::round1::SigningCommitments<C>> =
        BTreeMap::new();

    ////////////////////////////////////////////////////////////////////////////
    // Round 1: generating nonces and signing commitments for each participant
    ////////////////////////////////////////////////////////////////////////////

    for participant_index in 1..(min_signers + 1) {
        let participant_identifier = participant_index.try_into().expect("should be nonzero");
        // Generate one (1) nonce and one SigningCommitments instance for each
        // participant, up to _min_signers_.
        let (nonce, commitment) = frost::round1::commit(
            key_packages
                .get(&participant_identifier)
                .unwrap()
                .signing_share(),
            &mut rng,
        );
        nonces.insert(participant_identifier, nonce);
        commitments.insert(participant_identifier, commitment);
    }

    // This is what the signature aggregator / coordinator needs to do:
    // - decide what message to sign
    // - take one (unused) commitment per signing participant
    let mut signature_shares: BTreeMap<frost::Identifier<_>, frost::round2::SignatureShare<_>> =
        BTreeMap::new();
    let message = "message to sign".as_bytes();
    let signing_package = frost::SigningPackage::new(commitments, message);

    check_randomizer(&pubkeys, &signing_package, &mut rng);
    let (randomizer_params, randomizer_seed) = RandomizedParams::new_from_commitments(
        pubkeys.verifying_key(),
        signing_package.signing_commitments(),
        &mut rng,
    )
    .unwrap();

    ////////////////////////////////////////////////////////////////////////////
    // Round 2: each participant generates their signature share
    ////////////////////////////////////////////////////////////////////////////

    for participant_identifier in nonces.keys() {
        let key_package = key_packages.get(participant_identifier).unwrap();

        let nonces_to_use = &nonces.get(participant_identifier).unwrap();

        // Each participant generates their signature share.
        let signature_share = crate::sign_with_randomizer_seed(
            &signing_package,
            nonces_to_use,
            key_package,
            &randomizer_seed,
        )
        .unwrap();
        signature_shares.insert(*participant_identifier, signature_share);
    }

    ////////////////////////////////////////////////////////////////////////////
    // Aggregation: collects the signing shares from all participants,
    // generates the final signature.
    ////////////////////////////////////////////////////////////////////////////

    // Aggregate (also verifies the signature shares)
    let group_signature_res = crate::aggregate(
        &signing_package,
        &signature_shares,
        &pubkeys,
        &randomizer_params,
    );

    assert!(group_signature_res.is_ok());

    let group_signature = group_signature_res.unwrap();

    // Check that the threshold signature can be verified by the randomized group public
    // key (the verification key).
    assert!(randomizer_params
        .randomized_verifying_key()
        .verify(message, &group_signature)
        .is_ok());

    // Note that key_package.verifying_key can't be used to verify the signature
    // since those are non-randomized.

    (
        message.to_owned(),
        group_signature,
        *randomizer_params.randomized_verifying_key(),
    )
}

fn check_randomizer<C: RandomizedCiphersuite, R: RngCore + CryptoRng>(
    pubkeys: &frost::keys::PublicKeyPackage<C>,
    signing_package: &frost::SigningPackage<C>,
    mut rng: &mut R,
) {
    check_from_randomizer(&mut rng, signing_package, pubkeys);

    check_from_randomizer_and_signing_package(&mut rng, signing_package);

    check_from_seed_and_signing_commitments(&mut rng, signing_package.signing_commitments());
}

fn check_from_randomizer<C: RandomizedCiphersuite, R: RngCore + CryptoRng>(
    rng: &mut R,
    signing_package: &SigningPackage<C>,
    pubkeys: &frost::keys::PublicKeyPackage<C>,
) {
    #[allow(deprecated)]
    let randomizer = Randomizer::new(rng, signing_package).unwrap();

    let randomizer_params = RandomizedParams::from_randomizer(pubkeys.verifying_key(), randomizer);

    assert!(*randomizer_params.randomizer() == randomizer);
}

fn check_from_randomizer_and_signing_package<C: RandomizedCiphersuite, R: RngCore + CryptoRng>(
    mut rng: &mut R,
    signing_package: &SigningPackage<C>,
) {
    let rng_randomizer1 = <<C::Group as Group>::Field as Field>::random(&mut rng);
    let rng_randomizer2 = <<C::Group as Group>::Field as Field>::random(&mut rng);

    let randomizer1 =
        Randomizer::from_randomizer_and_signing_package(rng_randomizer1, signing_package);
    let randomizer2 =
        Randomizer::from_randomizer_and_signing_package(rng_randomizer1, signing_package);

    // Make sure same inputs lead to same randomizer (and that equality works)
    assert!(randomizer1 == randomizer2);

    let randomizer2 =
        Randomizer::from_randomizer_and_signing_package(rng_randomizer2, signing_package);

    // Make sure that different rng_randomizers lead to different randomizers
    assert!(randomizer1 != randomizer2);

    let signing_package2 = SigningPackage::new(
        signing_package.signing_commitments().clone(),
        "fresh new message".as_bytes(),
    );
    let randomizer2 =
        Randomizer::from_randomizer_and_signing_package(rng_randomizer1, &signing_package2);

    // Make sure that different packages lead to different randomizers
    assert!(randomizer1 != randomizer2);
}

fn check_from_seed_and_signing_commitments<C: RandomizedCiphersuite, R: RngCore + CryptoRng>(
    mut rng: &mut R,
    signing_commitments: &BTreeMap<Identifier<C>, SigningCommitments<C>>,
) {
    // Make sure regeneration returns the same Randomizer.
    let (randomizer1, randomizer_seed1) =
        Randomizer::new_from_commitments(&mut rng, signing_commitments).unwrap();
    let randomizer2 =
        Randomizer::regenerate_from_seed_and_commitments(&randomizer_seed1, signing_commitments)
            .unwrap();
    assert!(randomizer1 == randomizer2);

    let (randomizer2, randomizer_seed2) =
        Randomizer::new_from_commitments(&mut rng, signing_commitments).unwrap();

    // Make sure that different rng_randomizers lead to different randomizers
    assert!(randomizer1 != randomizer2);
    assert!(randomizer_seed1 != randomizer_seed2);

    // Modify the commitments map, by overwriting the first entry with the value
    // of the last entry.
    let mut modified_signing_commitments = signing_commitments.clone();
    modified_signing_commitments
        .first_entry()
        .unwrap()
        .insert(*signing_commitments.last_key_value().unwrap().1);
    let randomizer2 = Randomizer::regenerate_from_seed_and_commitments(
        &randomizer_seed1,
        &modified_signing_commitments,
    )
    .unwrap();

    // Make sure that different packages lead to different randomizers
    assert!(randomizer1 != randomizer2);
}