add frost-secp256k1-tr crate (BIP340/BIP341)

Author: zebra-lucky

.gitignore

@@ -4,3 +4,4 @@ Cargo.lock
 *~
 **/.DS_Store
 .vscode/*
+*.swp

Cargo.toml

@@ -7,6 +7,7 @@ members = [
     "frost-p256",
     "frost-ristretto255",
     "frost-secp256k1",
+    "frost-secp256k1-tr",
     "frost-rerandomized",
     "gencode"
 ]

frost-core/src/batch.rs

@@ -32,7 +32,7 @@ where
 {
     fn from((vk, sig, msg): (VerifyingKey<C>, Signature<C>, &'msg M)) -> Self {
         // Compute c now to avoid dependency on the msg lifetime.
-        let c = crate::challenge(&sig.R, &vk, msg.as_ref());
+        let c = <C>::challenge(&sig.R, &vk, msg.as_ref());
 
         Self { vk, sig, c }
     }
@@ -118,7 +118,12 @@ where
 
         for item in self.signatures.iter() {
             let z = item.sig.z;
-            let R = item.sig.R;
+            let mut R = item.sig.R;
+            let mut vk = item.vk.element;
+            if <C>::is_need_tweaking() {
+                R = <C>::tweaked_R(&item.sig.R);
+                vk = <C>::tweaked_public_key(&item.vk.element);
+            }
 
             let blind = <<C::Group as Group>::Field>::random(&mut rng);
 
@@ -129,7 +134,7 @@ where
             Rs.push(R);
 
             VK_coeffs.push(<<C::Group as Group>::Field>::zero() + (blind * item.c.0));
-            VKs.push(item.vk.element);
+            VKs.push(vk);
         }
 
         let scalars = once(&P_coeff_acc)

frost-core/src/keys.rs

@@ -120,6 +120,11 @@ where
     pub(crate) fn from_coefficients(coefficients: &[Scalar<C>], peer: Identifier<C>) -> Self {
         Self(evaluate_polynomial(peer, coefficients))
     }
+
+    /// Returns negated SigningShare
+    pub fn negate(&mut self) {
+        self.0 = <<C::Group as Group>::Field>::negate(&self.0);
+    }
 }
 
 impl<C> Debug for SigningShare<C>
@@ -674,6 +679,11 @@ where
             min_signers,
         }
     }
+
+    /// Negate `SigningShare`.
+    pub fn negate_signing_share(&mut self) {
+        self.signing_share.negate();
+    }
 }
 
 #[cfg(feature = "serialization")]

frost-core/src/lib.rs

@@ -69,15 +69,13 @@ where
     C: Ciphersuite,
 {
     /// Creates a challenge from a scalar.
-    #[cfg(feature = "internals")]
     pub fn from_scalar(
         scalar: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
     ) -> Self {
         Self(scalar)
     }
 
     /// Return the underlying scalar.
-    #[cfg(feature = "internals")]
     pub fn to_scalar(self) -> <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar {
         self.0
     }
@@ -465,6 +463,11 @@ where
     pub fn to_element(self) -> <C::Group as Group>::Element {
         self.0
     }
+
+    /// Check if group commitment is odd
+    pub fn y_is_odd(&self) -> bool {
+        <C::Group as Group>::y_is_odd(&self.0)
+    }
 }
 
 /// Generates the group commitment which is published as part of the joint
@@ -585,6 +588,15 @@ where
         z = z + signature_share.share;
     }
 
+    if <C>::is_need_tweaking() {
+        let challenge = <C>::challenge(
+            &group_commitment.0,
+            &pubkeys.verifying_key,
+            signing_package.message().as_slice(),
+        );
+        z = <C>::aggregate_tweak_z(z, &challenge, &pubkeys.verifying_key.element);
+    }
+
     let signature = Signature {
         R: group_commitment.0,
         z,
@@ -601,7 +613,7 @@ where
     #[cfg(feature = "cheater-detection")]
     if let Err(err) = verification_result {
         // Compute the per-message challenge.
-        let challenge = crate::challenge::<C>(
+        let challenge = <C>::challenge(
             &group_commitment.0,
             &pubkeys.verifying_key,
             signing_package.message().as_slice(),
@@ -636,6 +648,8 @@ where
                 signer_pubkey,
                 lambda_i,
                 &challenge,
+                &group_commitment,
+                &pubkeys.verifying_key,
             )?;
         }
 

frost-core/src/round1.rs

@@ -50,6 +50,11 @@ where
         Self::nonce_generate_from_random_bytes(secret, random_bytes)
     }
 
+    /// Negate `Nonce`.
+    pub fn negate(&mut self) {
+        self.0 = <<C::Group as Group>::Field>::negate(&self.0);
+    }
+
     /// Generates a nonce from the given random bytes.
     /// This function allows testing and MUST NOT be made public.
     pub(crate) fn nonce_generate_from_random_bytes(
@@ -263,6 +268,12 @@ where
     pub fn binding(&self) -> &Nonce<C> {
         &self.binding
     }
+
+    /// Negate `SigningShare`.
+    pub fn negate_nonces(&mut self) {
+        self.binding.negate();
+        self.hiding.negate();
+    }
 }
 
 /// Published by each participant in the first round of the signing protocol.

frost-core/src/round2.rs

@@ -4,7 +4,7 @@ use std::fmt::{self, Debug};
 
 use crate as frost;
 use crate::{
-    challenge, Challenge, Ciphersuite, Error, Field, Group, {round1, *},
+    Challenge, Ciphersuite, Error, Field, Group, {round1, *},
 };
 
 #[cfg(feature = "serde")]
@@ -90,9 +90,23 @@ where
         verifying_share: &frost::keys::VerifyingShare<C>,
         lambda_i: Scalar<C>,
         challenge: &Challenge<C>,
+        group_commitment: &frost::GroupCommitment<C>,
+        verifying_key: &frost::VerifyingKey<C>,
     ) -> Result<(), Error<C>> {
+        let mut commitment_share = group_commitment_share.0;
+        let mut vsh = verifying_share.0;
+        if <C>::is_need_tweaking() {
+            commitment_share = <C>::tweaked_group_commitment_share(
+                &group_commitment_share.0,
+                &group_commitment.0
+            );
+            vsh = <C>::tweaked_verifying_share(
+                &verifying_share.0,
+                &verifying_key.element
+            );
+        }
         if (<C::Group>::generator() * self.share)
-            != (group_commitment_share.0 + (verifying_share.0 * challenge.0 * lambda_i))
+            != (commitment_share + (vsh * challenge.0 * lambda_i))
         {
             return Err(Error::InvalidSignatureShare {
                 culprit: identifier,
@@ -150,9 +164,7 @@ where
 }
 
 /// Compute the signature share for a signing operation.
-#[cfg_attr(feature = "internals", visibility::make(pub))]
-#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
-fn compute_signature_share<C: Ciphersuite>(
+pub fn compute_signature_share<C: Ciphersuite>(
     signer_nonces: &round1::SigningNonces<C>,
     binding_factor: BindingFactor<C>,
     lambda_i: <<<C as Ciphersuite>::Group as Group>::Field as Field>::Scalar,
@@ -214,20 +226,33 @@ pub fn sign<C: Ciphersuite>(
     let lambda_i = frost::derive_interpolating_value(key_package.identifier(), signing_package)?;
 
     // Compute the per-message challenge.
-    let challenge = challenge::<C>(
+    let challenge = <C>::challenge(
         &group_commitment.0,
         &key_package.verifying_key,
         signing_package.message.as_slice(),
     );
 
     // Compute the Schnorr signature share.
-    let signature_share = compute_signature_share(
-        signer_nonces,
-        binding_factor,
-        lambda_i,
-        key_package,
-        challenge,
-    );
+    if <C>::is_need_tweaking() {
+        let signature_share = <C>::compute_tweaked_signature_share(
+            signer_nonces,
+            binding_factor,
+            group_commitment,
+            lambda_i,
+            key_package,
+            challenge,
+        );
 
-    Ok(signature_share)
+        Ok(signature_share)
+    } else {
+        let signature_share = compute_signature_share(
+            signer_nonces,
+            binding_factor,
+            lambda_i,
+            key_package,
+            challenge,
+        );
+
+        Ok(signature_share)
+    }
 }

frost-core/src/signature.rs

@@ -1,11 +1,12 @@
 //! Schnorr signatures over prime order groups (or subgroups)
 
 use debugless_unwrap::DebuglessUnwrap;
+use derive_getters::Getters;
 
 use crate::{Ciphersuite, Element, Error, Field, Group, Scalar};
 
 /// A Schnorr signature over some prime order group (or subgroup).
-#[derive(Copy, Clone, Eq, PartialEq)]
+#[derive(Copy, Clone, Eq, PartialEq, Getters)]
 pub struct Signature<C: Ciphersuite> {
     /// The commitment `R` to the signature nonce.
     pub(crate) R: Element<C>,

frost-core/src/signing_key.rs

@@ -2,7 +2,7 @@
 
 use rand_core::{CryptoRng, RngCore};
 
-use crate::{random_nonzero, Ciphersuite, Error, Field, Group, Scalar, Signature, VerifyingKey};
+use crate::{random_nonzero, Ciphersuite, Error, Field, Group, Scalar, Signature, VerifyingKey, Challenge};
 
 /// A signing key for a Schnorr signature on a FROST [`Ciphersuite::Group`].
 #[derive(Copy, Clone, PartialEq, Eq)]
@@ -45,14 +45,21 @@ where
 
     /// Create a signature `msg` using this `SigningKey`.
     pub fn sign<R: RngCore + CryptoRng>(&self, mut rng: R, msg: &[u8]) -> Signature<C> {
-        let k = random_nonzero::<C, R>(&mut rng);
-
+        let public = VerifyingKey::<C>::from(*self);
+        let mut secret = self.scalar;
+        if <C>::is_need_tweaking() {
+            secret = <C>::tweaked_secret_key(secret, &public.element);
+        }
+        let mut k = random_nonzero::<C, R>(&mut rng);
         let R = <C::Group>::generator() * k;
+        if <C>::is_need_tweaking() {
+            k = <C>::tweaked_nonce(k, &R);
+        }
 
         // Generate Schnorr challenge
-        let c = crate::challenge::<C>(&R, &VerifyingKey::<C>::from(*self), msg);
+        let c: Challenge<C> = <C>::challenge(&R, &public, msg);
 
-        let z = k + (c.0 * self.scalar);
+        let z = k + (c.0 * secret);
 
         Signature { R, z }
     }