Trait Ciphersuite

pub trait Ciphersuite:
    Copy
    + Clone
    + PartialEq
    + Debug
    + 'static {
    type Group: Group;
    type HashOutput: AsRef<[u8]>;
    type SignatureSerialization: AsRef<[u8]> + TryFrom<Vec<u8>>;

    const ID: &'static str;

    // Required methods
    fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
    fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
    fn H3(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
    fn H4(m: &[u8]) -> Self::HashOutput;
    fn H5(m: &[u8]) -> Self::HashOutput;

    // Provided methods
    fn HDKG(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar> { ... }
    fn HID(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar> { ... }
    fn single_sign<R: RngCore + CryptoRng>(
        signing_key: &SigningKey<Self>,
        rng: R,
        message: &[u8],
    ) -> Signature<Self> { ... }
    fn verify_signature(
        message: &[u8],
        signature: &Signature<Self>,
        public_key: &VerifyingKey<Self>,
    ) -> Result<(), Error<Self>> { ... }
    fn pre_sign<'a>(
        signing_package: &'a SigningPackage<Self>,
        signer_nonces: &'a SigningNonces<Self>,
        key_package: &'a KeyPackage<Self>,
    ) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>, Cow<'a, KeyPackage<Self>>), Error<Self>> { ... }
    fn pre_aggregate<'a>(
        signing_package: &'a SigningPackage<Self>,
        signature_shares: &'a BTreeMap<Identifier<Self>, SignatureShare<Self>>,
        public_key_package: &'a PublicKeyPackage<Self>,
    ) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, BTreeMap<Identifier<Self>, SignatureShare<Self>>>, Cow<'a, PublicKeyPackage<Self>>), Error<Self>> { ... }
    fn pre_verify<'a>(
        msg: &'a [u8],
        signature: &'a Signature<Self>,
        public_key: &'a VerifyingKey<Self>,
    ) -> Result<(Cow<'a, [u8]>, Cow<'a, Signature<Self>>, Cow<'a, VerifyingKey<Self>>), Error<Self>> { ... }
    fn generate_nonce<R: RngCore + CryptoRng>(
        rng: &mut R,
    ) -> (<<Self::Group as Group>::Field as Field>::Scalar, <Self::Group as Group>::Element) { ... }
    fn challenge(
        R: &Element<Self>,
        verifying_key: &VerifyingKey<Self>,
        message: &[u8],
    ) -> Result<Challenge<Self>, Error<Self>> { ... }
    fn compute_signature_share(
        _group_commitment: &GroupCommitment<Self>,
        signer_nonces: &SigningNonces<Self>,
        binding_factor: BindingFactor<Self>,
        lambda_i: <<Self::Group as Group>::Field as Field>::Scalar,
        key_package: &KeyPackage<Self>,
        challenge: Challenge<Self>,
    ) -> SignatureShare<Self> { ... }
    fn verify_share(
        _group_commitment: &GroupCommitment<Self>,
        signature_share: &SignatureShare<Self>,
        identifier: Identifier<Self>,
        group_commitment_share: &GroupCommitmentShare<Self>,
        verifying_share: &VerifyingShare<Self>,
        lambda_i: Scalar<Self>,
        challenge: &Challenge<Self>,
    ) -> Result<(), Error<Self>> { ... }
    fn serialize_signature(
        signature: &Signature<Self>,
    ) -> Result<Vec<u8>, Error<Self>> { ... }
    fn deserialize_signature(
        bytes: &[u8],
    ) -> Result<Signature<Self>, Error<Self>> { ... }
    fn post_dkg(
        key_package: KeyPackage<Self>,
        public_key_package: PublicKeyPackage<Self>,
    ) -> Result<(KeyPackage<Self>, PublicKeyPackage<Self>), Error<Self>> { ... }
    fn post_generate(
        secret_shares: BTreeMap<Identifier<Self>, SecretShare<Self>>,
        public_key_package: PublicKeyPackage<Self>,
    ) -> Result<(BTreeMap<Identifier<Self>, SecretShare<Self>>, PublicKeyPackage<Self>), Error<Self>> { ... }
}

A FROST ciphersuite specifies the underlying prime-order group details and cryptographic hash function.

Required Associated Constants

const ID: &'static str

The ciphersuite ID string. It should be equal to the contextString of the corresponding ciphersuite in the FROST spec, since that string is the domain-separation prefix the spec feeds to the hash functions. For a new ciphersuite it should be a string that uniquely identifies the suite; the recommended format follows the ciphersuites in the spec, e.g. "FROST-RISTRETTO255-SHA512-v1".

Required Associated Types

type Group: Group

The prime-order group (or subgroup) that this ciphersuite operates over.

type HashOutput: AsRef<[u8]>

A fixed-length byte array holding the output of the ciphersuite hash function (the return type of H4 and H5).

type SignatureSerialization: AsRef<[u8]> + TryFrom<Vec<u8>>

A fixed-length byte array holding a serialized signature: a Group::ElementSerialization (the commitment R) followed by a Group::ScalarSerialization (the response z).

Required Methods

fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar

H1 for a FROST ciphersuite.

Maps arbitrary inputs to Self::Scalar elements of the prime-order group scalar field. In the spec's ciphersuites this is the hash used to derive binding factors, H(contextString || "rho" || m).

fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar

H2 for a FROST ciphersuite.

Maps arbitrary inputs to Self::Scalar elements of the prime-order group scalar field. In the spec's ciphersuites this is the hash used to compute the Schnorr challenge, H(contextString || "chal" || m).

fn H3(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar

H3 for a FROST ciphersuite.

Maps arbitrary inputs to Self::Scalar elements of the prime-order group scalar field. In the spec's ciphersuites this is the hash used to derive nonces, H(contextString || "nonce" || m).

fn H4(m: &[u8]) -> Self::HashOutput

H4 for a FROST ciphersuite.

Usually an alias for the ciphersuite hash function H with domain separation applied; in the spec's ciphersuites it hashes the message, H(contextString || "msg" || m).

fn H5(m: &[u8]) -> Self::HashOutput

H5 for a FROST ciphersuite.

Usually an alias for the ciphersuite hash function H with domain separation applied; in the spec's ciphersuites it hashes the encoded commitment list, H(contextString || "com" || m).

Provided Methods

fn HDKG(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar>

Hash function for a FROST ciphersuite, used for the DKG.

The DKG is not part of the specification, so this hash is optional: a ciphersuite that does not support DKG can return None, which is what the default implementation does.

Maps arbitrary inputs to non-zero Self::Scalar elements of the prime-order group scalar field.

fn HID(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar>

Hash function for a FROST ciphersuite, used for deriving identifiers from strings.

This feature is not part of the specification and is just a convenient way of creating identifiers, so a ciphersuite that does not support it can return None, which is what the default implementation does.

Maps arbitrary inputs to non-zero Self::Scalar elements of the prime-order group scalar field.

fn single_sign<R: RngCore + CryptoRng>( signing_key: &SigningKey<Self>, rng: R, message: &[u8], ) -> Signature<Self>

Optional. Regular (non-FROST) Schnorr signing with a SigningKey; called by SigningKey::sign(). FROST itself does not use it. Override it if you have changed FROST signing through the other Ciphersuite methods and regular signing must change to match.

fn verify_signature( message: &[u8], signature: &Signature<Self>, public_key: &VerifyingKey<Self>, ) -> Result<(), Error<Self>>

Optional. Verify a signature for this ciphersuite; called by VerifyingKey::verify(). The default implementation uses the "cofactored" verification equation: it multiplies both sides by the cofactor returned by Group::cofactor().

Cryptographic Safety

You may override this to provide a tailored implementation, but if the ciphersuite defines a cofactor, your implementation must still multiply by it to comply with the RFC. Note that batch verification (see crate::batch::Verifier) always uses the default implementation, regardless of whether a tailored implementation was provided.
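
To make the cofactor point concrete, here is an added example; it is not frost-core code and none of its names are trait methods. It is a toy Schnorr scheme in the order-11 subgroup of Z_23^* (cofactor 2), with FNV-1a standing in for the ciphersuite hash, a contextString-prefixed challenge built the way the spec builds H2 (and a nonce built like H3), and both verification equations side by side. The parameters, the hash and the public key "contaminated" with the order-2 element are all assumptions chosen to keep the arithmetic visible, not anything from the crate or the RFC. The honest key verifies under both equations; the contaminated key passes the cofactored equation for every message but the cofactorless equation only when the challenge happens to be even. Two verifiers that disagree on which equation to use therefore disagree on which signatures are valid, which is why the batch verifier's behaviour matters.

```rust
// Added example, not frost-core code. Toy Schnorr in the order-11 subgroup of
// Z_23^* (cofactor 2), with FNV-1a in place of the ciphersuite hash H.
// Every parameter is far too small for real use; they only make the
// cofactored/cofactorless difference visible.
const P: u64 = 23;          // modulus, a safe prime: P = 2 * Q + 1
const Q: u64 = 11;          // prime order of the subgroup we sign in
const COFACTOR: u64 = 2;    // |Z_23^*| / Q, the toy analogue of Group::cofactor()
const G: u64 = 2;           // generator of the order-Q subgroup (2 is a square mod 23)
const TORSION: u64 = P - 1; // -1 mod 23: the element of order 2 outside the subgroup
const ID: &[u8] = b"TOY-Z23-FNV-v1"; // contextString, the toy analogue of Ciphersuite::ID

fn mul(a: u64, b: u64) -> u64 { a * b % P }

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// FNV-1a over the concatenation of `parts`. NOT a cryptographic hash.
fn fnv1a(parts: &[&[u8]]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for part in parts {
        for &b in part.iter() {
            h ^= b as u64;
            h = h.wrapping_mul(0x0100_0000_01b3);
        }
    }
    h
}

/// H2-style challenge: H(contextString || "chal" || R || PK || m) reduced into the scalar field.
pub fn challenge(r: u64, pk: u64, msg: &[u8]) -> u64 {
    fnv1a(&[ID, b"chal", &r.to_le_bytes(), &pk.to_le_bytes(), msg]) % Q
}

/// H3-style deterministic nonce in 1..Q. A real signer draws it from a CSPRNG;
/// it is derived here only so the example is reproducible.
fn nonce(sk: u64, msg: &[u8]) -> u64 {
    1 + fnv1a(&[ID, b"nonce", &sk.to_le_bytes(), msg]) % (Q - 1)
}

pub fn keygen(sk: u64) -> u64 { pow(G, sk % Q) }

/// Single-signer Schnorr: (R, z) with R = G^k and z = k + c * sk mod Q.
pub fn sign(sk: u64, pk: u64, msg: &[u8]) -> (u64, u64) {
    let k = nonce(sk, msg);
    let r = pow(G, k);
    let c = challenge(r, pk, msg);
    (r, (k + c * sk) % Q)
}

/// Cofactorless equation: G^z == R * PK^c.
pub fn verify_cofactorless(pk: u64, msg: &[u8], sig: (u64, u64)) -> bool {
    let (r, z) = sig;
    let c = challenge(r, pk, msg);
    pow(G, z) == mul(r, pow(pk, c))
}

/// Cofactored equation, the shape of the default verify_signature:
/// (G^z)^h == (R * PK^c)^h with h = COFACTOR.
pub fn verify_cofactored(pk: u64, msg: &[u8], sig: (u64, u64)) -> bool {
    let (r, z) = sig;
    let c = challenge(r, pk, msg);
    pow(pow(G, z), COFACTOR) == pow(mul(r, pow(pk, c)), COFACTOR)
}

/// Multiply a key by the order-2 element: the analogue of a public key that
/// decodes fine but carries a small-subgroup component.
pub fn add_torsion(pk: u64) -> u64 { mul(pk, TORSION) }

fn main() {
    let sk = 7;
    let pk = keygen(sk);
    let msg = b"constructed sample message"; // constructed input
    let sig = sign(sk, pk, msg);
    println!("honest key:  cofactorless={} cofactored={}",
        verify_cofactorless(pk, msg, sig), verify_cofactored(pk, msg, sig));
    let pk_t = add_torsion(pk);
    let sig_t = sign(sk, pk_t, msg);
    println!("torsion key: cofactorless={} cofactored={} (challenge parity {})",
        verify_cofactorless(pk_t, msg, sig_t), verify_cofactored(pk_t, msg, sig_t),
        challenge(sig_t.0, pk_t, msg) % 2);
}
```

The split happens because PK^c picks up a factor (-1)^c from the torsion component, which the cofactorless check sees and the cofactored check erases by squaring. Real curve libraries hit the same situation with points that pass decoding but lie outside the prime-order subgroup; the page's rule that an override must keep multiplying by the cofactor, and the fact that batch::Verifier ignores the override, both exist to keep every verifier on the same side of that split.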

fn pre_sign<'a>( signing_package: &'a SigningPackage<Self>, signer_nonces: &'a SigningNonces<Self>, key_package: &'a KeyPackage<Self>, ) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>, Cow<'a, KeyPackage<Self>>), Error<Self>>

Optional. Pre-process round2::sign() inputs. The default implementation returns them as-is. Cow is used so implementations can choose to return the same passed reference or a modified clone.

fn pre_aggregate<'a>( signing_package: &'a SigningPackage<Self>, signature_shares: &'a BTreeMap<Identifier<Self>, SignatureShare<Self>>, public_key_package: &'a PublicKeyPackage<Self>, ) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, BTreeMap<Identifier<Self>, SignatureShare<Self>>>, Cow<'a, PublicKeyPackage<Self>>), Error<Self>>

Optional. Pre-process crate::aggregate() and crate::verify_signature_share() inputs. In the latter case, placeholder BTreeMap and PublicKeyPackage containers holding only the relevant values are passed. The default implementation returns them as-is. Cow is used so implementations can choose to return the same passed reference or a modified clone.

fn pre_verify<'a>( msg: &'a [u8], signature: &'a Signature<Self>, public_key: &'a VerifyingKey<Self>, ) -> Result<(Cow<'a, [u8]>, Cow<'a, Signature<Self>>, Cow<'a, VerifyingKey<Self>>), Error<Self>>

Optional. Pre-process VerifyingKey::verify() inputs. The default implementation returns them as-is. Cow is used so implementations can choose to return the same passed reference or a modified clone.

fn generate_nonce<R: RngCore + CryptoRng>( rng: &mut R, ) -> (<<Self::Group as Group>::Field as Field>::Scalar, <Self::Group as Group>::Element)

Optional. Generate a nonce and a commitment to it. Used by SigningKey for regular (non-FROST) signing and internally by the DKG to generate proof-of-knowledge signatures.

fn challenge( R: &Element<Self>, verifying_key: &VerifyingKey<Self>, message: &[u8], ) -> Result<Challenge<Self>, Error<Self>>

Optional. Generates the challenge required for Schnorr signatures. Called by round2::sign() and crate::aggregate().

fn compute_signature_share( _group_commitment: &GroupCommitment<Self>, signer_nonces: &SigningNonces<Self>, binding_factor: BindingFactor<Self>, lambda_i: <<Self::Group as Group>::Field as Field>::Scalar, key_package: &KeyPackage<Self>, challenge: Challenge<Self>, ) -> SignatureShare<Self>

Optional. Compute the signature share for a particular signer on a given challenge. Called by round2::sign().

fn verify_share( _group_commitment: &GroupCommitment<Self>, signature_share: &SignatureShare<Self>, identifier: Identifier<Self>, group_commitment_share: &GroupCommitmentShare<Self>, verifying_share: &VerifyingShare<Self>, lambda_i: Scalar<Self>, challenge: &Challenge<Self>, ) -> Result<(), Error<Self>>

Optional. Verify a signature share. Called by crate::aggregate() if cheater detection is enabled.

fn serialize_signature( signature: &Signature<Self>, ) -> Result<Vec<u8>, Error<Self>>

Optional. Converts a signature to its Ciphersuite::SignatureSerialization in bytes.

The default implementation serializes a signature by serializing its R point and z component independently, and then concatenating them.

fn deserialize_signature(bytes: &[u8]) -> Result<Signature<Self>, Error<Self>>

Optional. Converts bytes in Ciphersuite::SignatureSerialization form into a Signature<C>.

The default implementation assumes the serialization is a serialized R point followed by a serialized z component, with no padding or extra fields.
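
The R || z layout just described, written out as an added example rather than the crate's own code: a serializer that refuses wrongly sized components and a deserializer that accepts only the exact expected length. The 32 + 32 byte sizes are an assumption taken from the ristretto255 suite (compressed point plus scalar); the SignatureLayout and SigError types are invented for the example and correspond to nothing in frost-core.

```rust
// Added example, not frost-core code. Shows the R || z signature layout and
// the exact-length check a deserializer for it needs.

/// Byte lengths of the two components of a serialized Schnorr signature.
#[derive(Clone, Copy, Debug)]
pub struct SignatureLayout {
    pub element_len: usize, // size of Group::ElementSerialization (R)
    pub scalar_len: usize,  // size of Group::ScalarSerialization (z)
}

/// Assumption: ristretto255 uses a 32-byte compressed point and a 32-byte scalar.
pub const RISTRETTO255_LAYOUT: SignatureLayout = SignatureLayout { element_len: 32, scalar_len: 32 };

#[derive(Debug, PartialEq)]
pub enum SigError {
    /// A component handed to the serializer has the wrong size.
    BadComponent { which: &'static str, expected: usize, got: usize },
    /// The byte string is not exactly element_len + scalar_len bytes.
    MalformedSignature { expected: usize, got: usize },
}

/// R bytes followed by z bytes: no length prefix, no padding, nothing else.
pub fn serialize_signature(layout: SignatureLayout, r: &[u8], z: &[u8]) -> Result<Vec<u8>, SigError> {
    if r.len() != layout.element_len {
        return Err(SigError::BadComponent { which: "R", expected: layout.element_len, got: r.len() });
    }
    if z.len() != layout.scalar_len {
        return Err(SigError::BadComponent { which: "z", expected: layout.scalar_len, got: z.len() });
    }
    let mut out = Vec::with_capacity(r.len() + z.len());
    out.extend_from_slice(r);
    out.extend_from_slice(z);
    Ok(out)
}

/// Split a serialized signature back into (R, z). The length must match
/// exactly: silently ignoring a trailing byte would give one signature many
/// byte encodings, and anything that hashes or compares signatures by their
/// bytes would then be malleable.
pub fn deserialize_signature(layout: SignatureLayout, bytes: &[u8]) -> Result<(&[u8], &[u8]), SigError> {
    let expected = layout.element_len + layout.scalar_len;
    if bytes.len() != expected {
        return Err(SigError::MalformedSignature { expected, got: bytes.len() });
    }
    Ok(bytes.split_at(layout.element_len))
}

fn main() {
    // Constructed sample bytes, not a real signature.
    let r = [0xAAu8; 32];
    let z = [0x55u8; 32];
    let bytes = serialize_signature(RISTRETTO255_LAYOUT, &r, &z).unwrap();
    let (r2, z2) = deserialize_signature(RISTRETTO255_LAYOUT, &bytes).unwrap();
    println!("round trip ok: {}", r2 == &r[..] && z2 == &z[..]);
    let mut padded = bytes.clone();
    padded.push(0);
    println!("65-byte input: {:?}", deserialize_signature(RISTRETTO255_LAYOUT, &padded));
}
```

Decoding the R and z bytes into an actual group element and scalar (and rejecting non-canonical encodings) is the job of the Group and Field deserializers that the default implementation calls next; the layout check above is only the first gate.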

fn post_dkg( key_package: KeyPackage<Self>, public_key_package: PublicKeyPackage<Self>, ) -> Result<(KeyPackage<Self>, PublicKeyPackage<Self>), Error<Self>>

Optional. Post-process the output of the DKG for a given participant.

fn post_generate( secret_shares: BTreeMap<Identifier<Self>, SecretShare<Self>>, public_key_package: PublicKeyPackage<Self>, ) -> Result<(BTreeMap<Identifier<Self>, SecretShare<Self>>, PublicKeyPackage<Self>), Error<Self>>

Optional. Post-process the output of trusted-dealer key generation for a participant.

Dyn Compatibility

This trait is not dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety", so this trait is not object safe.

Implementors