schnorr 0.0.20

Schnorr Signatures
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

//! MuSig Key

use crate::{
    errors::{self, MuSigError},
    MuSigContext, PublicKey, SchnorrError,
};
use bacteria::Transcript;
use mohan::dalek::{ristretto::RistrettoPoint, scalar::Scalar};

/// MuSig aggregated key context
#[derive(Clone)]
pub struct MultiKey {
    prf: Option<Transcript>,
    aggregated_key: PublicKey,
    public_keys: Vec<PublicKey>,
}

impl MultiKey {
    /// Constructs a new MuSig multikey aggregating the pubkeys.
    pub fn new(pubkeys: Vec<PublicKey>) -> Result<Self, SchnorrError> {
        match pubkeys.len() {
            0 => {
                return Err(errors::from_musig(MuSigError::BadArguments));
            }
            1 => {
                // Special case: single key can be wrapped in a Multikey type
                // without a delinearization factor applied.
                return Ok(MultiKey {
                    prf: None,
                    aggregated_key: pubkeys[0],
                    public_keys: pubkeys,
                });
            }
            _ => {}
        }

        // Create transcript for Multikey
        let mut prf = Transcript::new(b"Musig.aggregated-key");
        prf.append_u64(b"n", pubkeys.len() as u64);

        // Commit pubkeys into the transcript
        // <L> = H(X_1 || X_2 || ... || X_n)
        for X in &pubkeys {
            prf.commit_point(b"X", X.as_compressed());
        }

        // aggregated_key = sum_i ( a_i * X_i )
        let mut aggregated_key = RistrettoPoint::default();

        for (i, X) in pubkeys.iter().enumerate() {
            let a = MultiKey::compute_factor(&prf, i);
            let X = X.into_point();
            aggregated_key = aggregated_key + a * X;
        }

        Ok(MultiKey {
            prf: Some(prf),
            aggregated_key: PublicKey::from_point(aggregated_key),
            public_keys: pubkeys,
        })
    }

    /// Returns `a_i` factor for component key in aggregated key.
    /// a_i = H(<L>, X_i). The list of pubkeys, <L>, has already been committed to the transcript.
    fn compute_factor(prf: &Transcript, i: usize) -> Scalar {
        let mut a_i_prf = prf.clone();
        a_i_prf.append_u64(b"i", i as u64);
        a_i_prf.challenge_scalar(b"a_i")
    }

    /// Returns VerificationKey representation of aggregated key.
    pub fn aggregated_key(&self) -> PublicKey {
        self.aggregated_key
    }
}

impl MuSigContext for MultiKey {
    fn commit(&self, transcript: &mut Transcript) {
        // Domain seperation
        transcript.proto_name(b"organism_schnorr");
        //commit corresponding public key
        transcript.commit_point(b"public_key", self.aggregated_key.as_compressed());
    }

    fn challenge(&self, i: usize, transcript: &mut Transcript) -> Scalar {
        // Make c = H(X, R, m)
        // The message `m`, nonce commitment `R`, and aggregated key `X`
        // have already been fed into the transcript.
        let c = transcript.challenge_scalar(b"c");

        // Make a_i, the per-party factor. a_i = H(<L>, X_i).
        // The list of pubkeys, <L>, has already been committed to self.transcript.
        let a_i = match &self.prf {
            Some(t) => MultiKey::compute_factor(&t, i),
            None => Scalar::one(),
        };

        c * a_i
    }

    fn len(&self) -> usize {
        self.public_keys.len()
    }

    fn key(&self, index: usize) -> PublicKey {
        self.public_keys[index]
    }
}