Add frost-secp256k1-tr crate (BIP340/BIP341)

.gitignore

@@ -4,3 +4,4 @@ Cargo.lock
 *~
 **/.DS_Store
 .vscode/*
+*.swp

Cargo.toml

@@ -7,6 +7,7 @@ members = [
     "frost-p256",
     "frost-ristretto255",
     "frost-secp256k1",
+    "frost-secp256k1-tr",
     "frost-rerandomized",
     "gencode"
 ]

frost-core/src/batch.rs

@@ -22,6 +22,7 @@ use crate::{scalar_mul::VartimeMultiscalarMul, Ciphersuite, Element, *};
 pub struct Item<C: Ciphersuite> {
     vk: VerifyingKey<C>,
     sig: Signature<C>,
+    sig_params: C::SigningParameters,
     c: Challenge<C>,
 }
 
@@ -32,9 +33,15 @@ where
 {
     fn from((vk, sig, msg): (VerifyingKey<C>, Signature<C>, &'msg M)) -> Self {
         // Compute c now to avoid dependency on the msg lifetime.
-        let c = crate::challenge(&sig.R, &vk, msg.as_ref());
-
-        Self { vk, sig, c }
+        let sig_target = SigningTarget::from_message(msg);
+        let c = <C>::challenge(&sig.R, &vk, &sig_target);
+
+        Self {
+            vk,
+            sig,
+            sig_params: sig_target.sig_params,
+            c,
+        }
     }
 }
 
@@ -50,7 +57,8 @@ where
     /// requires borrowing the message data, the `Item` type is unlinked
     /// from the lifetime of the message.
     pub fn verify_single(self) -> Result<(), Error<C>> {
-        self.vk.verify_prehashed(self.c, &self.sig)
+        self.vk
+            .verify_prehashed(self.c, &self.sig, &self.sig_params)
     }
 }
 
@@ -118,7 +126,8 @@ where
 
         for item in self.signatures.iter() {
             let z = item.sig.z;
-            let R = item.sig.R;
+            let R = <C>::effective_nonce_element(item.sig.R);
+            let vk = <C>::effective_pubkey_element(&item.vk, &item.sig_params);
 
             let blind = <<C::Group as Group>::Field>::random(&mut rng);
 
@@ -129,7 +138,7 @@ where
             Rs.push(R);
 
             VK_coeffs.push(<<C::Group as Group>::Field>::zero() + (blind * item.c.0));
-            VKs.push(item.vk.element);
+            VKs.push(vk);
         }
 
         let scalars = once(&P_coeff_acc)

frost-core/src/keys.rs

@@ -120,6 +120,11 @@ where
     pub(crate) fn from_coefficients(coefficients: &[Scalar<C>], peer: Identifier<C>) -> Self {
         Self(evaluate_polynomial(peer, coefficients))
     }
+
+    /// Returns negated SigningShare
+    pub fn negate(&mut self) {
+        self.0 = <<C::Group as Group>::Field>::negate(&self.0);
+    }
 }
 
 impl<C> Debug for SigningShare<C>
@@ -686,6 +691,11 @@ where
             min_signers,
         }
     }
+
+    /// Negate `SigningShare`.
+    pub fn negate_signing_share(&mut self) {
+        self.signing_share.negate();
+    }
 }
 
 #[cfg(feature = "serialization")]

frost-core/src/lib.rs

@@ -51,7 +51,7 @@ use scalar_mul::VartimeMultiscalarMul;
 pub use serde;
 pub use signature::Signature;
 pub use signing_key::SigningKey;
-pub use traits::{Ciphersuite, Element, Field, Group, Scalar};
+pub use traits::{Ciphersuite, Element, Field, Group, Scalar, SigningParameters};
 pub use verifying_key::VerifyingKey;
 
 /// A type refinement for the scalar field element representing the per-message _[challenge]_.
@@ -69,15 +69,13 @@ where
     C: Ciphersuite,
 {
     /// Creates a challenge from a scalar.
-    #[cfg(feature = "internals")]
     pub fn from_scalar(
         scalar: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
     ) -> Self {
         Self(scalar)
     }
 
     /// Return the underlying scalar.
-    #[cfg(feature = "internals")]
     pub fn to_scalar(self) -> <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
         self.0
     }
@@ -342,6 +340,53 @@ fn derive_interpolating_value<C: Ciphersuite>(
     )
 }
 
+/// The data which the group's signature should commit to. Includes
+/// a message byte vector, and a set of ciphersuite-specific parameters.
+#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+#[cfg_attr(feature = "serde", serde(bound = "C: Ciphersuite"))]
+#[derive(Clone, Debug, PartialEq, Eq, Getters)]
+pub struct SigningTarget<C: Ciphersuite> {
+    #[cfg_attr(
+        feature = "serde",
+        serde(
+            serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
+            deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
+        )
+    )]
+    message: Vec<u8>,
+    #[cfg_attr(feature = "serde", serde(default))]
+    sig_params: C::SigningParameters,
+}
+
+impl<C: Ciphersuite> SigningTarget<C> {
+    /// Construct a signing target from a message and additional signing parameters.
+    pub fn new<T: AsRef<[u8]>, P: Into<C::SigningParameters>>(
+        message: T,
+        sig_params: P,
+    ) -> SigningTarget<C> {
+        SigningTarget {
+            message: message.as_ref().to_vec(),
+            sig_params: sig_params.into(),
+        }
+    }
+
+    /// Constructs a signing target from an arbitrary message.
+    /// This populates [the `sig_params` field][SigningTarget::sig_params] with
+    /// the [`Default`] instance of the [`Ciphersuite::SigningParameters`].
+    pub fn from_message<T: AsRef<[u8]>>(message: T) -> SigningTarget<C> {
+        SigningTarget {
+            message: message.as_ref().to_vec(),
+            sig_params: C::SigningParameters::default(),
+        }
+    }
+}
+
+impl<C: Ciphersuite, T: AsRef<[u8]>> From<T> for SigningTarget<C> {
+    fn from(message: T) -> Self {
+        Self::from_message(message)
+    }
+}
+
 /// Generated by the coordinator of the signing operation and distributed to
 /// each signing party
 #[derive(Clone, Debug, PartialEq, Eq, Getters)]
@@ -355,18 +400,9 @@ pub struct SigningPackage<C: Ciphersuite> {
     /// The set of commitments participants published in the first round of the
     /// protocol.
     signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
-    /// Message which each participant will sign.
-    ///
-    /// Each signer should perform protocol-specific verification on the
-    /// message.
-    #[cfg_attr(
-        feature = "serde",
-        serde(
-            serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
-            deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
-        )
-    )]
-    message: Vec<u8>,
+    /// The message and parameters which each participant will use to sign.
+    /// Each signer should perform protocol-specific verification on the signing target.
+    sig_target: SigningTarget<C>,
 }
 
 impl<C> SigningPackage<C>
@@ -376,14 +412,19 @@ where
     /// Create a new `SigningPackage`
     ///
     /// The `signing_commitments` are sorted by participant `identifier`.
+    ///
+    /// The `sig_target` can be any bytes-like type that implements `AsRef<[u8]>`.
+    /// Some ciphersuites like `frost-secp256k1-tr` allow customization of the signing
+    /// process by embedding additional parameters into a [`SigningTarget`], but this
+    /// is optional and not required by most ciphersuites.
     pub fn new(
         signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
-        message: &[u8],
+        sig_target: impl Into<SigningTarget<C>>,
     ) -> SigningPackage<C> {
         SigningPackage {
             header: Header::default(),
             signing_commitments,
-            message: message.to_vec(),
+            sig_target: sig_target.into(),
         }
     }
 
@@ -395,6 +436,11 @@ where
         self.signing_commitments.get(identifier).copied()
     }
 
+    /// Returns the message to be signed.
+    pub fn message(&self) -> &[u8] {
+        &self.sig_target.message
+    }
+
     /// Compute the preimages to H1 to compute the per-signer binding factors
     // We separate this out into its own method so it can be tested
     #[cfg_attr(feature = "internals", visibility::make(pub))]
@@ -414,7 +460,7 @@ where
         // The message is hashed with H4 to force the variable-length message
         // into a fixed-length byte string, same for hashing the variable-sized
         // (between runs of the protocol) set of group commitments, but with H5.
-        binding_factor_input_prefix.extend_from_slice(C::H4(self.message.as_slice()).as_ref());
+        binding_factor_input_prefix.extend_from_slice(C::H4(self.message()).as_ref());
         binding_factor_input_prefix.extend_from_slice(
             C::H5(&round1::encode_group_commitments(self.signing_commitments())[..]).as_ref(),
         );
@@ -465,6 +511,11 @@ where
     pub fn to_element(self) -> <C::Group as Group>::Element {
         self.0
     }
+
+    /// Check if group commitment is odd
+    pub fn y_is_odd(&self) -> bool {
+        <C::Group as Group>::y_is_odd(&self.0)
+    }
 }
 
 /// Generates the group commitment which is published as part of the joint
@@ -585,10 +636,12 @@ where
         z = z + signature_share.share;
     }
 
-    let signature = Signature {
-        R: group_commitment.0,
+    let signature: Signature<C> = <C>::aggregate_sig_finalize(
         z,
-    };
+        group_commitment.0,
+        &pubkeys.verifying_key,
+        &signing_package.sig_target,
+    );
 
     // Verify the aggregate signature
     let verification_result = pubkeys
@@ -601,10 +654,10 @@ where
     #[cfg(feature = "cheater-detection")]
     if let Err(err) = verification_result {
         // Compute the per-message challenge.
-        let challenge = crate::challenge::<C>(
+        let challenge = <C>::challenge(
             &group_commitment.0,
             &pubkeys.verifying_key,
-            signing_package.message().as_slice(),
+            &signing_package.sig_target,
         );
 
         // Verify the signature shares.
@@ -636,6 +689,9 @@ where
                 signer_pubkey,
                 lambda_i,
                 &challenge,
+                &group_commitment,
+                &pubkeys.verifying_key,
+                &signing_package.sig_target.sig_params,
             )?;
         }
 

frost-core/src/round1.rs

@@ -54,6 +54,11 @@ where
         Self::nonce_generate_from_random_bytes(secret, random_bytes)
     }
 
+    /// Negate `Nonce`.
+    pub fn negate(&mut self) {
+        self.0 = <<C::Group as Group>::Field>::negate(&self.0);
+    }
+
     /// Generates a nonce from the given random bytes.
     /// This function allows testing and MUST NOT be made public.
     pub(crate) fn nonce_generate_from_random_bytes(
@@ -317,6 +322,12 @@ where
     pub fn deserialize(bytes: &[u8]) -> Result<Self, Error<C>> {
         Deserialize::deserialize(bytes)
     }
+
+    /// Negate `SigningShare`.
+    pub fn negate_nonces(&mut self) {
+        self.binding.negate();
+        self.hiding.negate();
+    }
 }
 
 /// Published by each participant in the first round of the signing protocol.
@@ -393,6 +404,14 @@ where
 #[derive(Clone, Copy, PartialEq)]
 pub struct GroupCommitmentShare<C: Ciphersuite>(pub(super) Element<C>);
 
+impl<C: Ciphersuite> GroupCommitmentShare<C> {
+    /// Return the underlying element.
+    #[cfg_attr(feature = "internals", visibility::make(pub))]
+    pub(crate) fn to_element(self) -> Element<C> {
+        self.0
+    }
+}
+
 /// Encode the list of group signing commitments.
 ///
 /// Implements [`encode_group_commitment_list()`] from the spec.

frost-core/src/round2.rs

@@ -4,7 +4,7 @@ use std::fmt::{self, Debug};
 
 use crate as frost;
 use crate::{
-    challenge, Challenge, Ciphersuite, Error, Field, Group, {round1, *},
+    Challenge, Ciphersuite, Error, Field, Group, {round1, *},
 };
 
 #[cfg(feature = "serde")]
@@ -83,16 +83,24 @@ where
     /// [`verify_signature_share`]: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-signature-share-verificatio
     #[cfg_attr(feature = "internals", visibility::make(pub))]
     #[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
+    #[allow(clippy::too_many_arguments)]
     pub(crate) fn verify(
         &self,
         identifier: Identifier<C>,
         group_commitment_share: &round1::GroupCommitmentShare<C>,
         verifying_share: &frost::keys::VerifyingShare<C>,
         lambda_i: Scalar<C>,
         challenge: &Challenge<C>,
+        group_commitment: &frost::GroupCommitment<C>,
+        verifying_key: &frost::VerifyingKey<C>,
+        sig_params: &C::SigningParameters,
     ) -> Result<(), Error<C>> {
+        let commitment_share =
+            <C>::effective_commitment_share(group_commitment_share.clone(), &group_commitment);
+        let vsh = <C>::effective_verifying_share(&verifying_share, &verifying_key, &sig_params);
+
         if (<C::Group>::generator() * self.share)
-            != (group_commitment_share.0 + (verifying_share.0 * challenge.0 * lambda_i))
+            != (commitment_share + (vsh * challenge.0 * lambda_i))
         {
             return Err(Error::InvalidSignatureShare {
                 culprit: identifier,
@@ -150,9 +158,7 @@ where
 }
 
 /// Compute the signature share for a signing operation.
-#[cfg_attr(feature = "internals", visibility::make(pub))]
-#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
-fn compute_signature_share<C: Ciphersuite>(
+pub fn compute_signature_share<C: Ciphersuite>(
     signer_nonces: &round1::SigningNonces<C>,
     binding_factor: BindingFactor<C>,
     lambda_i: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
@@ -214,19 +220,21 @@ pub fn sign<C: Ciphersuite>(
     let lambda_i = frost::derive_interpolating_value(key_package.identifier(), signing_package)?;
 
     // Compute the per-message challenge.
-    let challenge = challenge::<C>(
+    let challenge = <C>::challenge(
         &group_commitment.0,
         &key_package.verifying_key,
-        signing_package.message.as_slice(),
+        &signing_package.sig_target,
     );
 
     // Compute the Schnorr signature share.
-    let signature_share = compute_signature_share(
+    let signature_share = <C>::compute_signature_share(
         signer_nonces,
         binding_factor,
+        group_commitment,
         lambda_i,
         key_package,
         challenge,
+        &signing_package.sig_target.sig_params,
     );
 
     Ok(signature_share)