wsts 14.0.2

Weighted Schnorr Threshold Signatures, based on FROST
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce};
use rand_core::{CryptoRng, OsRng, RngCore};
use sha2::{Digest, Sha256};

use crate::{
    curve::{point::Point, scalar::Scalar},
    errors::EncryptionError,
};

/// Size of the AES-GCM nonce
pub const AES_GCM_NONCE_SIZE: usize = 12;

#[allow(dead_code)]
/// Digest the hasher to a Scalar
pub fn hash_to_scalar(hasher: &mut Sha256) -> Scalar {
    let h = hasher.clone();
    let hash = h.finalize();
    let mut hash_bytes: [u8; 32] = [0; 32];
    hash_bytes.clone_from_slice(hash.as_slice());

    Scalar::from(hash_bytes)
}

/// Do a Diffie-Hellman key exchange to create a shared secret from the passed private/public keys
pub fn make_shared_secret(private_key: &Scalar, public_key: &Point) -> [u8; 32] {
    let shared_key = private_key * public_key;

    make_shared_secret_from_key(&shared_key)
}

/// Create a shared secret from the passed Diffie-Hellman shared key
pub fn make_shared_secret_from_key(shared_key: &Point) -> [u8; 32] {
    ansi_x963_derive_key(
        shared_key.compress().as_bytes(),
        "DH_SHARED_SECRET_KEY/".as_bytes(),
    )
}

/// Derive a shared key using the ANSI-x963 standard
/// https://www.secg.org/sec1-v2.pdf (section 3.6.1)
pub fn ansi_x963_derive_key(shared_key: &[u8], shared_info: &[u8]) -> [u8; 32] {
    let mut hasher = Sha256::new();
    let counter = 1u32;

    hasher.update(shared_key);
    hasher.update(counter.to_be_bytes());
    hasher.update(shared_info);

    let hash = hasher.finalize();
    let mut bytes = [0u8; 32];

    bytes.clone_from_slice(hash.as_slice());
    bytes
}

/// Encrypt the passed data using the key
pub fn encrypt<RNG: RngCore + CryptoRng>(
    key: &[u8; 32],
    data: &[u8],
    rng: &mut RNG,
) -> Result<Vec<u8>, EncryptionError> {
    let mut nonce_bytes = [0u8; AES_GCM_NONCE_SIZE];

    rng.fill_bytes(&mut nonce_bytes);

    let nonce_vec = nonce_bytes.to_vec();
    let nonce = Nonce::from_slice(&nonce_vec);
    let cipher = Aes256Gcm::new(key.into());
    let cipher_vec = cipher.encrypt(nonce, data.to_vec().as_ref())?;
    let mut bytes = Vec::new();

    bytes.extend_from_slice(&nonce_vec);
    bytes.extend_from_slice(&cipher_vec);

    Ok(bytes)
}

/// Decrypt the passed data using the key
pub fn decrypt(key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>, EncryptionError> {
    let Some(nonce_data) = data.get(..AES_GCM_NONCE_SIZE) else {
        return Err(EncryptionError::MissingNonce);
    };
    let Some(cipher_data) = data.get(AES_GCM_NONCE_SIZE..) else {
        return Err(EncryptionError::MissingData);
    };
    if cipher_data.is_empty() {
        return Err(EncryptionError::MissingData);
    }
    let nonce = Nonce::from_slice(nonce_data);
    let cipher = Aes256Gcm::new(key.into());

    Ok(cipher.decrypt(nonce, cipher_data)?)
}

/// Creates a new random number generator.
pub fn create_rng() -> impl RngCore + CryptoRng {
    OsRng
}

#[cfg(test)]
mod test {
    use super::*;
    use crate::curve::{point::Point, scalar::Scalar};

    #[test]
    #[allow(non_snake_case)]
    fn test_shared_secret() {
        let mut rng = create_rng();

        let x = Scalar::random(&mut rng);
        let y = Scalar::random(&mut rng);

        let X = Point::from(x);
        let Y = Point::from(y);

        let xy = make_shared_secret(&x, &Y);
        let yx = make_shared_secret(&y, &X);

        assert_eq!(xy, yx);
    }

    #[test]
    #[allow(non_snake_case)]
    fn test_encrypt_decrypt() {
        let mut rng = create_rng();
        let msg = "It was many and many a year ago, in a kingdom by the sea...";

        let x = Scalar::random(&mut rng);
        let y = Scalar::random(&mut rng);

        let X = Point::from(x);
        let Y = Point::from(y);

        let xy = make_shared_secret(&x, &Y);
        let yx = make_shared_secret(&y, &X);

        let cipher = encrypt(&xy, msg.as_bytes(), &mut rng).unwrap();
        let plain = decrypt(&yx, &cipher).unwrap();

        assert_eq!(msg.as_bytes(), &plain);

        let missing_nonce = &cipher[..AES_GCM_NONCE_SIZE - 1];
        match decrypt(&yx, &missing_nonce) {
            Err(EncryptionError::MissingNonce) => {}
            Err(e) => panic!("expected MissingNonce got Err({e})"),
            Ok(_) => panic!("expected MissingNonce got Ok()"),
        }

        let missing_data = &cipher[..AES_GCM_NONCE_SIZE];
        match decrypt(&yx, &missing_data) {
            Err(EncryptionError::MissingData) => (),
            Err(e) => panic!("expected MissingData got Err({e})"),
            Ok(_) => panic!("expected MissingData got Ok()"),
        }

        let small_data = &cipher[..AES_GCM_NONCE_SIZE + 1];
        match decrypt(&yx, &small_data) {
            Err(EncryptionError::AesGcm(_)) => (),
            Err(e) => panic!("expected EncryptionError(AesGcm) got Err({e:?})"),
            Ok(_) => panic!("expected EncryptionError(AesGcm) got Ok()"),
        }
    }
}