modular-frost 0.2.2

Modular implementation of FROST over ff/group
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

use core::{marker::PhantomData, fmt::Debug};
use std::io::Read;

use rand_core::{RngCore, CryptoRng};

use transcript::Transcript;

use crate::{Curve, FrostError, FrostView, schnorr};
pub use schnorr::SchnorrSignature;

/// Algorithm to use FROST with
pub trait Algorithm<C: Curve>: Clone {
  type Transcript: Transcript + Clone + Debug;
  /// The resulting type of the signatures this algorithm will produce
  type Signature: Clone + PartialEq + Debug;

  /// Obtain a mutable borrow of the underlying transcript
  fn transcript(&mut self) -> &mut Self::Transcript;

  /// Obtain the list of nonces to generate, as specified by the basepoints to create commitments
  /// against per-nonce. These are not committed to by FROST on the underlying transcript
  fn nonces(&self) -> Vec<Vec<C::G>>;

  /// Generate an addendum to FROST"s preprocessing stage
  fn preprocess_addendum<R: RngCore + CryptoRng>(
    &mut self,
    rng: &mut R,
    params: &FrostView<C>,
  ) -> Vec<u8>;

  /// Proccess the addendum for the specified participant. Guaranteed to be ordered
  fn process_addendum<Re: Read>(
    &mut self,
    params: &FrostView<C>,
    l: u16,
    reader: &mut Re,
  ) -> Result<(), FrostError>;

  /// Sign a share with the given secret/nonce
  /// The secret will already have been its lagrange coefficient applied so it is the necessary
  /// key share
  /// The nonce will already have been processed into the combined form d + (e * p)
  fn sign_share(
    &mut self,
    params: &FrostView<C>,
    nonce_sums: &[Vec<C::G>],
    nonces: &[C::F],
    msg: &[u8],
  ) -> C::F;

  /// Verify a signature
  #[must_use]
  fn verify(&self, group_key: C::G, nonces: &[Vec<C::G>], sum: C::F) -> Option<Self::Signature>;

  /// Verify a specific share given as a response. Used to determine blame if signature
  /// verification fails
  #[must_use]
  fn verify_share(&self, verification_share: C::G, nonces: &[Vec<C::G>], share: C::F) -> bool;
}

// Transcript which will create an IETF compliant serialization for the binding factor
#[derive(Clone, Debug)]
pub struct IetfTranscript(Vec<u8>);
impl Transcript for IetfTranscript {
  type Challenge = Vec<u8>;

  fn new(_: &'static [u8]) -> IetfTranscript {
    IetfTranscript(vec![])
  }

  fn domain_separate(&mut self, _: &[u8]) {}

  fn append_message(&mut self, _: &'static [u8], message: &[u8]) {
    self.0.extend(message);
  }

  fn challenge(&mut self, _: &'static [u8]) -> Vec<u8> {
    self.0.clone()
  }

  fn rng_seed(&mut self, _: &'static [u8]) -> [u8; 32] {
    unimplemented!()
  }
}

pub trait Hram<C: Curve>: Clone {
  /// HRAM function to generate a challenge
  /// H2 from the IETF draft despite having a different argument set (not pre-formatted)
  #[allow(non_snake_case)]
  fn hram(R: &C::G, A: &C::G, m: &[u8]) -> C::F;
}

#[derive(Clone)]
pub struct Schnorr<C: Curve, H: Hram<C>> {
  transcript: IetfTranscript,
  c: Option<C::F>,
  _hram: PhantomData<H>,
}

impl<C: Curve, H: Hram<C>> Default for Schnorr<C, H> {
  fn default() -> Self {
    Self::new()
  }
}

impl<C: Curve, H: Hram<C>> Schnorr<C, H> {
  pub fn new() -> Schnorr<C, H> {
    Schnorr { transcript: IetfTranscript(vec![]), c: None, _hram: PhantomData }
  }
}

/// Implementation of Schnorr signatures for use with FROST
impl<C: Curve, H: Hram<C>> Algorithm<C> for Schnorr<C, H> {
  type Transcript = IetfTranscript;
  type Signature = SchnorrSignature<C>;

  fn transcript(&mut self) -> &mut Self::Transcript {
    &mut self.transcript
  }

  fn nonces(&self) -> Vec<Vec<C::G>> {
    vec![vec![C::generator()]]
  }

  fn preprocess_addendum<R: RngCore + CryptoRng>(
    &mut self,
    _: &mut R,
    _: &FrostView<C>,
  ) -> Vec<u8> {
    vec![]
  }

  fn process_addendum<Re: Read>(
    &mut self,
    _: &FrostView<C>,
    _: u16,
    _: &mut Re,
  ) -> Result<(), FrostError> {
    Ok(())
  }

  fn sign_share(
    &mut self,
    params: &FrostView<C>,
    nonce_sums: &[Vec<C::G>],
    nonces: &[C::F],
    msg: &[u8],
  ) -> C::F {
    let c = H::hram(&nonce_sums[0][0], &params.group_key(), msg);
    self.c = Some(c);
    schnorr::sign::<C>(params.secret_share(), nonces[0], c).s
  }

  #[must_use]
  fn verify(&self, group_key: C::G, nonces: &[Vec<C::G>], sum: C::F) -> Option<Self::Signature> {
    let sig = SchnorrSignature { R: nonces[0][0], s: sum };
    if schnorr::verify::<C>(group_key, self.c.unwrap(), &sig) {
      Some(sig)
    } else {
      None
    }
  }

  #[must_use]
  fn verify_share(&self, verification_share: C::G, nonces: &[Vec<C::G>], share: C::F) -> bool {
    schnorr::verify::<C>(
      verification_share,
      self.c.unwrap(),
      &SchnorrSignature { R: nonces[0][0], s: share },
    )
  }
}