In [1]:
from tecdsa.utils import verify_ecdsa_signature, verify_dsa_signature
from tecdsa.setup import DSASetup, ECDSASetup
from tecdsa.tecdsa import ThresholdSignature

# Setup network

Depending on the signature type we are aiming at (DSA or ECDSA), we can start the network with the class corresponding to that type. Let us see an example with 3 nodes and 1 client.

In [2]:
N = 3; C = 1

### DSA

To start a DSA signature, we use the class DSASetup. There are two options here:
1. Generate the DSA setup from scratch; 
2. Use a DSA setup from predefined variables.

In [3]:
# Option 1
fnil = ThresholdSignature(N, C)

This option takes longer as the `generate_dsa_setup()` function has to find a primitive root for the `q` prime of the DSA setup.

In [3]:
# Option 2
p = 16987220163402883416449356930313946536948708368250187300904484990592060034399925373558684845589122357155245527725130833676269318205326149268410610561367974110319706088695097181729621805806503895242356834473026604015120592348890617701675387428807728090415853765634415325555621648235338466349957683063948139664640253794461972428009207212678775162641560258829400418398089166048123240989061901894801714545511227607162820358567023001939860545346903340718565981921863209491363679301897076211852920953764568258713784702534591771430944194446014721504677270780731006777716425745362753111142293413901721847152726957943402872047 
q = 18615201011907374064080708325380633467600489307695820739772219003499; 
g = 1440750739647392583923353319762863205412412735463771135600354281498545556560554285032144083567469348458038821471561505478727536048946568600306333026876282227253717145726280535747755789389298351217147981114134445522434273687560094566805116079958307881112688486903459951003823567315217837479260063662350297462681218852749673559083125704211468000331391500202590446254295826681166987302499736009857926325072657165790463352645906484288271010829609728496608136458748019477999277575560554800692468233144862681997749241093911491601564874805253852956797072221469937174346581408575685518457073416604892562933677029344283366064
h = 2
dsa_setup = DSASetup(p, q, g, h)
fnil = ThresholdSignature(N, C, setup=dsa_setup)

**Debug mode**: the network can be set to debug mode to keep all elements sent and received throughout protocol execution.

In [4]:
fnil_debug = ThresholdSignature(N, C, setup=dsa_setup, debug=True)

### ECDSA

For ECDSA version, the can use a set of curves:

In [5]:
ECDSASetup.supported_curves()

['P-192', 'P-224', 'P-256', 'P-384', 'P-521']

In [6]:
ecdsa_setup = ECDSASetup(curve="P-256")
ecnil = ThresholdSignature(N, C, setup=ecdsa_setup)

**Debug mode**

In [7]:
ecnil_debug = ThresholdSignature(N, C, setup=ecdsa_setup, debug=True)

# Threshold (EC)DSA 

In the following demo, we emulate a network. For this reason, communication is given as a simple API and the client in the network request the network to sign some message by introducing its `id`.

In [8]:
client_id = 1

## DSA

We start by generating the secret key shared throughout the nodes. This only has to be done once.

In [9]:
# DKG protocol for DSA
fnil.distributed_key_generation_protocol(client_id)

Now, the client can ask the network to sign a message at their will without the network knowing the message.

We can start the preprocessing phase before the message is defined.

In [10]:
# Preprocessing phase (message independent)
fnil.ts_prep_protocol(client_id)

In [11]:
message = "Let me tell you a great secret about Nillion."

In [12]:
# Online phase (message dependent)
fnil.ts_online_protocol(message, client_id)

We can run the above two cells as many times as we want without having to run the DKG protocol from above.

In [13]:
fnil.print_signature(client_id)

    Client(id=1,
      r=6202005962638382719598591827040686943912736840956149356327459726601,
      s=18131665991815852492200116613897714960534471085827748460942091666925,
      m=Let me tell you a great secret about Nillion.,
    )


#### Signature verification

The protocol already has included a verification of the signature. However, we can also verify for ourselves:

In [17]:
# Signature
r, s, m = fnil.retrieve_signature(client_id)
# Public parameters (client's public key, dsa setup)
y = fnil.clients[client_id - 1].get_open(str(client_id)+"th_client_x_pk")
q = fnil.q
p = fnil.dsa.p
g = fnil.dsa.g
# Verify
verify_dsa_signature(message, r, s, y, p, q, g)

## ECDSA

Everything works similarly to the ECDSA version. 

In [23]:
# DKG protocol for ECDSA
ecnil.distributed_key_generation_protocol(client_id)

In [24]:
# Preprocessing phase (message independent)
ecnil.ts_prep_protocol(client_id)

In [25]:
message = "This is one of many releases we are going to have in the next few months."

In [26]:
# Online phase (message dependent)
ecnil.ts_online_protocol(message, client_id)

In [27]:
# Signature
r, s, m = ecnil.retrieve_signature(client_id)
# Public parameters (client's public key, ecdsa setup)
Y = ecnil.clients[client_id - 1].get_open(str(client_id)+"th_client_x_pk")
q = ecnil.q
G = ecnil.ecdsa.G
# Verify
verify_ecdsa_signature(message, r, s, Y, q, G)

Let us see a case where the signature is not valid for some message. We give it a different message.

In [28]:
other_message = "So, are you ready for the Nillimania that is about to come?"
# Signature
r, s, m = ecnil.retrieve_signature(client_id)
# Public parameters (client's public key, ecdsa setup)
Y = ecnil.clients[client_id - 1].get_open(str(client_id)+"th_client_x_pk")
q = ecnil.q
G = ecnil.ecdsa.G
# Verify
verify_ecdsa_signature(other_message, r, s, Y, q, G)

VerifySignatureError: Signature verification failed. Signature mismatch. Abort.

### Debugging

We can also take a closer look into the network, in case we want to explore more. For that, we have available the print() function, which shows the elements owned by each party.

In [29]:
ecnil.print()

Network(N=3, q=115792089210356248762697446949407573529996955224135760342422259061068512044369,
  nodes=[
    Node(id=1,
      shares_db={
        1th_client_x_enc_sh_exp: <phe.paillier.EncryptedNumber object at 0x7f98be40dae0>,
        1th_client_m_lambda_exp_sh_exp: 18805008961205655853974338859205055368831044864697545644490465153571438711799,
        1th_client_signature_sh_base: 91779520132695752504598595459510400413067395296456213887423493859572385422122,
             },
      public_keys={
        0: <PaillierPublicKey 9819134c11>,
             },
      open_db={
        1th_client_x_sk: 102469784307885151344434448408108083163496555990607993030079296257768877177482,
        1th_client_x_pk: <Crypto.PublicKey.ECC.EccPoint object at 0x7f98be5551b0>,
        1th_client_k_r: 31753913312844769919847511464927299861472164513026404815794344435752523133091,
        1th_client_k_inv_sk: 99007062913722544630459242921033930766972195770224818402003123704021659134276,
        1th_client_gap_par

In debug mode, we have access to all elements:

In [30]:
# DKG protocol for ECDSA
ecnil_debug.distributed_key_generation_protocol(client_id)

In [31]:
# Preprocessing phase (message independent)
ecnil_debug.ts_prep_protocol(client_id)

In [32]:
message = "Stay tunned. Join the Telegram chat. Join the Discord channel. Be happy."

In [33]:
# Online phase (message dependent)
ecnil_debug.ts_online_protocol(message, client_id)

In [34]:
ecnil_debug.print()

Network(N=3, q=115792089210356248762697446949407573529996955224135760342422259061068512044369,
  nodes=[
    Node(id=1,
      shares_db={
        randomsh_node_1: 26769440234656992175755532478958052042591858765515471507714033651589557161275,
        randomsh_node_2: 101114896275779667892858842630820945984339520389178341454003745582001833565950,
        randomsh_node_3: 65295368212334320364822732577293115580823338745394808319313401203985502047244,
        random_minus_1th_client_x_sh_exp: 21285557804254400517499316140863911282953027731008870766837031342101421986995,
        1th_client_x_enc_sh_exp: <phe.paillier.EncryptedNumber object at 0x7f98be5b40d0>,
        1th_client_k_lambda_sh_exp: 64808101058331855648098966258074768495522068627855889258210392032045767117789,
        1th_client_k_lambda_sh_base: 45914160945743234463835765639491558729542954125290225663180923306814251949178,
        1th_client_lambda_1_lambda_sh_exp: 1102619212684019801997777957562443107033913589039697072768788335