Add frost-secp256k1-tr crate (BIP340/BIP341)

.gitignore

@@ -4,3 +4,4 @@ Cargo.lock
 *~
 **/.DS_Store
 .vscode/*
+*.swp

Cargo.toml

@@ -7,6 +7,7 @@ members = [
  "frost-p256",
  "frost-ristretto255",
  "frost-secp256k1",
+ "frost-secp256k1-tr",
  "frost-rerandomized",
  "gencode"
 ]

frost-core/src/batch.rs

@@ -22,6 +22,7 @@ use crate::{scalar_mul::VartimeMultiscalarMul, Ciphersuite, Element, *};
 pub struct Item<C: Ciphersuite> {
  vk: VerifyingKey<C>,
  sig: Signature<C>,
+ sig_params: C::SigningParameters,
  c: Challenge<C>,
 }
 
@@ -32,9 +33,15 @@ where
 {
  fn from((vk, sig, msg): (VerifyingKey<C>, Signature<C>, &'msg M)) -> Self {
  // Compute c now to avoid dependency on the msg lifetime.
- let c = crate::challenge(&sig.R, &vk, msg.as_ref());
-
- Self { vk, sig, c }
+ let sig_target = SigningTarget::from_message(msg);
+ let c = <C>::challenge(&sig.R, &vk, &sig_target);
+
+ Self {
+ vk,
+ sig,
+ sig_params: sig_target.sig_params,
+ c,
+ }
  }
 }
 
@@ -50,7 +57,8 @@ where
  /// requires borrowing the message data, the `Item` type is unlinked
  /// from the lifetime of the message.
  pub fn verify_single(self) -> Result<(), Error<C>> {
- self.vk.verify_prehashed(self.c, &self.sig)
+ self.vk
+ .verify_prehashed(self.c, &self.sig, &self.sig_params)
  }
 }
 
@@ -119,6 +127,7 @@ where
  for item in self.signatures.iter() {
  let z = item.sig.z;
  let R = item.sig.R;
+ let vk = <C>::effective_pubkey_element(&item.vk, &item.sig_params);
 
  let blind = <<C::Group as Group>::Field>::random(&mut rng);
 
@@ -129,7 +138,7 @@ where
  Rs.push(R);
 
  VK_coeffs.push(<<C::Group as Group>::Field>::zero() + (blind * item.c.0));
- VKs.push(item.vk.element);
+ VKs.push(vk);
  }
 
  let scalars = once(&P_coeff_acc)

frost-core/src/keys.rs

@@ -120,6 +120,11 @@ where
  pub(crate) fn from_coefficients(coefficients: &[Scalar<C>], peer: Identifier<C>) -> Self {
  Self(evaluate_polynomial(peer, coefficients))
  }
+
+ /// Returns negated SigningShare
+ pub fn negate(&mut self) {
+ self.0 = <<C::Group as Group>::Field>::negate(&self.0);
+ }
 }
 
 impl<C> Debug for SigningShare<C>
@@ -686,6 +691,11 @@ where
  min_signers,
  }
  }
+
+ /// Negate `SigningShare`.
+ pub fn negate_signing_share(&mut self) {
+ self.signing_share.negate();
+ }
 }
 
 #[cfg(feature = "serialization")]

frost-core/src/keys/dkg.rs

@@ -36,7 +36,7 @@ use rand_core::{CryptoRng, RngCore};
 
 use crate::{
  Challenge, Ciphersuite, Element, Error, Field, Group, Header, Identifier, Scalar, Signature,
- SigningKey, VerifyingKey,
+ SigningKey,
 };
 
 use super::{
@@ -314,7 +314,7 @@ pub fn part1<C: Ciphersuite, R: RngCore + CryptoRng>(
 /// Generates the challenge for the proof of knowledge to a secret for the DKG.
 fn challenge<C>(
  identifier: Identifier<C>,
- verifying_key: &VerifyingKey<C>,
+ verifying_key: &Element<C>,
  R: &Element<C>,
 ) -> Option<Challenge<C>>
 where
@@ -323,7 +323,7 @@ where
  let mut preimage = vec![];
 
  preimage.extend_from_slice(identifier.serialize().as_ref());
- preimage.extend_from_slice(<C::Group>::serialize(&verifying_key.element).as_ref());
+ preimage.extend_from_slice(<C::Group>::serialize(&verifying_key).as_ref());
  preimage.extend_from_slice(<C::Group>::serialize(R).as_ref());
 
  Some(Challenge(C::HDKG(&preimage[..])?))
@@ -344,14 +344,23 @@ pub(crate) fn compute_proof_of_knowledge<C: Ciphersuite, R: RngCore + CryptoRng>
  // > a_{i0} by calculating σ_i = (R_i, μ_i), such that k ← Z_q, R_i = g^k,
  // > c_i = H(i, Φ, g^{a_{i0}} , R_i), μ_i = k + a_{i0} · c_i, with Φ being
  // > a context string to prevent replay attacks.
- let k = <<C::Group as Group>::Field>::random(&mut rng);
- let R_i = <C::Group>::generator() * k;
- let c_i = challenge::<C>(identifier, &commitment.verifying_key()?, &R_i)
- .ok_or(Error::DKGNotSupported)?;
+ let mut k = <<C::Group as Group>::Field>::random(&mut rng);
+ let mut R_i = <C::Group>::generator() * k;
+ k = <C>::effective_nonce_secret(k, &R_i);
+ R_i = <C>::effective_nonce_element(R_i);
+
+ let verifying_key = commitment.verifying_key()?;
+ let sig_params = Default::default();
+
+ let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &sig_params);
+
+ let c_i = challenge::<C>(identifier, &phi_ell0, &R_i).ok_or(Error::DKGNotSupported)?;
  let a_i0 = *coefficients
  .first()
  .expect("coefficients must have at least one element");
- let mu_i = k + a_i0 * c_i.0;
+ let a_i0_effective = <C>::effective_secret_key(a_i0, &verifying_key, &sig_params);
+
+ let mu_i = k + a_i0_effective * c_i.0;
  Ok(Signature { R: R_i, z: mu_i })
 }
 
@@ -371,9 +380,12 @@ pub(crate) fn verify_proof_of_knowledge<C: Ciphersuite>(
  let ell = identifier;
  let R_ell = proof_of_knowledge.R;
  let mu_ell = proof_of_knowledge.z;
- let phi_ell0 = commitment.verifying_key()?;
+
+ let verifying_key = commitment.verifying_key()?;
+ let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &Default::default());
  let c_ell = challenge::<C>(ell, &phi_ell0, &R_ell).ok_or(Error::DKGNotSupported)?;
- if R_ell != <C::Group>::generator() * mu_ell - phi_ell0.element * c_ell.0 {
+
+ if R_ell != <C::Group>::generator() * mu_ell - phi_ell0 * c_ell.0 {
  return Err(Error::InvalidProofOfKnowledge { culprit: ell });
  }
  Ok(())

frost-core/src/lib.rs

@@ -51,7 +51,7 @@ use scalar_mul::VartimeMultiscalarMul;
 pub use serde;
 pub use signature::Signature;
 pub use signing_key::SigningKey;
-pub use traits::{Ciphersuite, Element, Field, Group, Scalar};
+pub use traits::{Ciphersuite, Element, Field, Group, Scalar, SigningParameters};
 pub use verifying_key::VerifyingKey;
 
 /// A type refinement for the scalar field element representing the per-message _[challenge]_.
@@ -69,15 +69,13 @@ where
  C: Ciphersuite,
 {
  /// Creates a challenge from a scalar.
- #[cfg(feature = "internals")]
  pub fn from_scalar(
  scalar: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
  ) -> Self {
  Self(scalar)
  }
 
  /// Return the underlying scalar.
- #[cfg(feature = "internals")]
  pub fn to_scalar(self) -> <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
  self.0
  }
@@ -342,6 +340,53 @@ fn derive_interpolating_value<C: Ciphersuite>(
  )
 }
 
+/// The data which the group's signature should commit to. Includes
+/// a message byte vector, and a set of ciphersuite-specific parameters.
+#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+#[cfg_attr(feature = "serde", serde(bound = "C: Ciphersuite"))]
+#[derive(Clone, Debug, PartialEq, Eq, Getters)]
+pub struct SigningTarget<C: Ciphersuite> {
+ #[cfg_attr(
+ feature = "serde",
+ serde(
+ serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
+ deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
+ )
+ )]
+ message: Vec<u8>,
+ #[cfg_attr(feature = "serde", serde(default))]
+ sig_params: C::SigningParameters,
+}
+
+impl<C: Ciphersuite> SigningTarget<C> {
+ /// Construct a signing target from a message and additional signing parameters.
+ pub fn new<T: AsRef<[u8]>, P: Into<C::SigningParameters>>(
+ message: T,
+ sig_params: P,
+ ) -> SigningTarget<C> {
+ SigningTarget {
+ message: message.as_ref().to_vec(),
+ sig_params: sig_params.into(),
+ }
+ }
+
+ /// Constructs a signing target from an arbitrary message.
+ /// This populates [the `sig_params` field][SigningTarget::sig_params] with
+ /// the [`Default`] instance of the [`Ciphersuite::SigningParameters`].
+ pub fn from_message<T: AsRef<[u8]>>(message: T) -> SigningTarget<C> {
+ SigningTarget {
+ message: message.as_ref().to_vec(),
+ sig_params: C::SigningParameters::default(),
+ }
+ }
+}
+
+impl<C: Ciphersuite, T: AsRef<[u8]>> From<T> for SigningTarget<C> {
+ fn from(message: T) -> Self {
+ Self::from_message(message)
+ }
+}
+
 /// Generated by the coordinator of the signing operation and distributed to
 /// each signing party
 #[derive(Clone, Debug, PartialEq, Eq, Getters)]
@@ -355,18 +400,9 @@ pub struct SigningPackage<C: Ciphersuite> {
  /// The set of commitments participants published in the first round of the
  /// protocol.
  signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
- /// Message which each participant will sign.
- ///
- /// Each signer should perform protocol-specific verification on the
- /// message.
- #[cfg_attr(
- feature = "serde",
- serde(
- serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
- deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
- )
- )]
- message: Vec<u8>,
+ /// The message and parameters which each participant will use to sign.
+ /// Each signer should perform protocol-specific verification on the signing target.
+ sig_target: SigningTarget<C>,
 }
 
 impl<C> SigningPackage<C>
@@ -376,14 +412,19 @@ where
  /// Create a new `SigningPackage`
  ///
  /// The `signing_commitments` are sorted by participant `identifier`.
+ ///
+ /// The `sig_target` can be any bytes-like type that implements `AsRef<[u8]>`.
+ /// Some ciphersuites like `frost-secp256k1-tr` allow customization of the signing
+ /// process by embedding additional parameters into a [`SigningTarget`], but this
+ /// is optional and not required by most ciphersuites.
  pub fn new(
  signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
- message: &[u8],
+ sig_target: impl Into<SigningTarget<C>>,
  ) -> SigningPackage<C> {
  SigningPackage {
  header: Header::default(),
  signing_commitments,
- message: message.to_vec(),
+ sig_target: sig_target.into(),
  }
  }
 
@@ -395,6 +436,11 @@ where
  self.signing_commitments.get(identifier).copied()
  }
 
+ /// Returns the message to be signed.
+ pub fn message(&self) -> &[u8] {
+ &self.sig_target.message
+ }
+
  /// Compute the preimages to H1 to compute the per-signer binding factors
  // We separate this out into its own method so it can be tested
  #[cfg_attr(feature = "internals", visibility::make(pub))]
@@ -414,7 +460,7 @@ where
  // The message is hashed with H4 to force the variable-length message
  // into a fixed-length byte string, same for hashing the variable-sized
  // (between runs of the protocol) set of group commitments, but with H5.
- binding_factor_input_prefix.extend_from_slice(C::H4(self.message.as_slice()).as_ref());
+ binding_factor_input_prefix.extend_from_slice(C::H4(self.message()).as_ref());
  binding_factor_input_prefix.extend_from_slice(
  C::H5(&round1::encode_group_commitments(self.signing_commitments())[..]).as_ref(),
  );
@@ -465,6 +511,11 @@ where
  pub fn to_element(self) -> <C::Group as Group>::Element {
  self.0
  }
+
+ /// Check if group commitment is odd
+ pub fn y_is_odd(&self) -> bool {
+ <C::Group as Group>::y_is_odd(&self.0)
+ }
 }
 
 /// Generates the group commitment which is published as part of the joint
@@ -572,6 +623,7 @@ where
 
  // Compute the group commitment from signing commitments produced in round one.
  let group_commitment = compute_group_commitment(signing_package, &binding_factor_list)?;
+ let R = <C>::effective_nonce_element(group_commitment.0);
 
  // The aggregation of the signature shares by summing them up, resulting in
  // a plain Schnorr signature.
@@ -585,27 +637,21 @@ where
  z = z + signature_share.share;
  }
 
- let signature = Signature {
- R: group_commitment.0,
- z,
- };
+ let signature: Signature<C> =
+ <C>::aggregate_sig_finalize(z, R, &pubkeys.verifying_key, &signing_package.sig_target);
 
  // Verify the aggregate signature
  let verification_result = pubkeys
  .verifying_key
- .verify(signing_package.message(), &signature);
+ .verify(signing_package.sig_target.clone(), &signature);
 
  // Only if the verification of the aggregate signature failed; verify each share to find the cheater.
  // This approach is more efficient since we don't need to verify all shares
  // if the aggregate signature is valid (which should be the common case).
  #[cfg(feature = "cheater-detection")]
  if let Err(err) = verification_result {
  // Compute the per-message challenge.
- let challenge = crate::challenge::<C>(
- &group_commitment.0,
- &pubkeys.verifying_key,
- signing_package.message().as_slice(),
- );
+ let challenge = <C>::challenge(&R, &pubkeys.verifying_key, &signing_package.sig_target);
 
  // Verify the signature shares.
  for (signature_share_identifier, signature_share) in signature_shares {
@@ -636,6 +682,9 @@ where
  signer_pubkey,
  lambda_i,
  &challenge,
+ &group_commitment,
+ &pubkeys.verifying_key,
+ &signing_package.sig_target.sig_params,
  )?;
  }