Skip to main content

frost_core/
signing_key.rs

1//! Schnorr signature signing keys
2
3use alloc::vec::Vec;
4
5use rand_core::{CryptoRng, RngCore};
6use zeroize::ZeroizeOnDrop;
7
8use crate::{
9    random_nonzero, serialization::SerializableScalar, Challenge, Ciphersuite, Error, Field, Group,
10    Scalar, Signature, VerifyingKey,
11};
12
13/// A signing key for a Schnorr signature on a FROST [`Ciphersuite::Group`].
14#[derive(Clone, PartialEq, Eq)]
15pub struct SigningKey<C>
16where
17    C: Ciphersuite,
18{
19    pub(crate) scalar: Scalar<C>,
20}
21
22impl<C> SigningKey<C>
23where
24    C: Ciphersuite,
25{
26    /// Generate a new signing key.
27    pub fn new<R: RngCore + CryptoRng>(rng: &mut R) -> SigningKey<C> {
28        let scalar = random_nonzero::<C, R>(rng);
29
30        SigningKey { scalar }
31    }
32
33    /// Deserialize from bytes
34    pub fn deserialize(bytes: &[u8]) -> Result<SigningKey<C>, Error<C>> {
35        Self::from_scalar(SerializableScalar::deserialize(bytes)?.0)
36    }
37
38    /// Serialize `SigningKey` to bytes
39    pub fn serialize(&self) -> Vec<u8> {
40        SerializableScalar::<C>(self.scalar).serialize()
41    }
42
43    /// Create a signature `msg` using this `SigningKey`.
44    pub fn sign<R: RngCore + CryptoRng>(&self, rng: R, message: &[u8]) -> Signature<C> {
45        <C>::single_sign(self, rng, message)
46    }
47
48    /// Create a signature `msg` using this `SigningKey` using the default
49    /// signing.
50    #[cfg_attr(feature = "internals", visibility::make(pub))]
51    pub(crate) fn default_sign<R: RngCore + CryptoRng>(
52        &self,
53        mut rng: R,
54        message: &[u8],
55    ) -> Signature<C> {
56        let public = VerifyingKey::<C>::from(self.clone());
57
58        let (k, R) = <C>::generate_nonce(&mut rng);
59
60        // Generate Schnorr challenge
61        let c: Challenge<C> = <C>::challenge(&R, &public, message).expect("should not return error since that happens only if one of the inputs is the identity. R is not since k is nonzero. The verifying_key is not because signing keys are not allowed to be zero.");
62
63        let z = k + (c.0 * self.scalar);
64
65        Signature { R, z }
66    }
67
68    /// Creates a SigningKey from a scalar. Returns an error if the scalar is zero.
69    pub fn from_scalar(
70        scalar: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
71    ) -> Result<Self, Error<C>> {
72        if scalar == <<C::Group as Group>::Field as Field>::zero() {
73            return Err(Error::MalformedSigningKey);
74        }
75        Ok(Self { scalar })
76    }
77
78    /// Return the underlying scalar.
79    pub fn to_scalar(self) -> <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
80        self.scalar
81    }
82}
83
84impl<C> ZeroizeOnDrop for SigningKey<C> where C: Ciphersuite {}
85
86impl<C> Drop for SigningKey<C>
87where
88    C: Ciphersuite,
89{
90    fn drop(&mut self) {
91        self.scalar = <<C::Group as Group>::Field as Field>::zero();
92    }
93}
94
95impl<C> core::fmt::Debug for SigningKey<C>
96where
97    C: Ciphersuite,
98{
99    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
100        f.debug_tuple("SigningKey").field(&"<redacted>").finish()
101    }
102}
103
104impl<C> From<&SigningKey<C>> for VerifyingKey<C>
105where
106    C: Ciphersuite,
107{
108    fn from(signing_key: &SigningKey<C>) -> Self {
109        VerifyingKey::new(C::Group::generator() * signing_key.scalar)
110    }
111}
112
113impl<C> From<SigningKey<C>> for VerifyingKey<C>
114where
115    C: Ciphersuite,
116{
117    fn from(signing_key: SigningKey<C>) -> Self {
118        VerifyingKey::<C>::from(&signing_key)
119    }
120}