-
Notifications
You must be signed in to change notification settings - Fork 296
/
lib.rs
1300 lines (1205 loc) · 46 KB
/
lib.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
//!
//! # Threshold ECDSA
//!
//! The public interface for the threshold ECDSA implementation is in `src/lib.rs`.
//!
//! Internally within the library, the error type `ThresholdEcdsaError` is used. In
//! the public interfaces, this error is mapped onto function specific error types.
//!
//! ## Attack Model
//!
//! The code in this crate endeavors to be safe with regards to timing and
//! cache based side channels. No provision is made with regards to power
//! analysis attacks, fault attacks, etc.
//!
//! ## Protocol: Dealings
//!
//! File: `dealings.rs`
//!
//! A dealing [`IDkgDealingInternal`] consists of a [MEGa
//! ciphertext](#protocol-mega-encryption), a commitment to the values
//! encrypted, and potentially a [`dealings::ZkProof`](zero knowledge
//! proof).
//!
//! The dealing will either be "masked" (the commitments are Pedersen commitments)
//! or "unmasked" (the commitments are simple dlog commitments).
//!
//! There are five types of dealings
//! - RandomUnmasked: outputs unmasked dealing, no proof
//! - Random: outputs masked dealing, no proof
//! - ReshareOfUnmasked: outputs unmasked dealing, no proof is
//! required since equivalence is provable from the commitments
//! - ReshareOfMasked: outputs unmasked dealing, contains proof
//! that the resharing is correct (`ProofOfMaskedResharing`)
//! - UnmaskedTimesMasked: outputs masked dealing, contains
//! proof of product (`ProofOfProduct`)
//!
//! In addition to being generated, dealings have two forms of verification: public
//! and private. Public verification can be performed by any party, and checks that
//! the proof (if included) is correct and that the commitments are of the expected
//! type. Private verification decrypts the dealing ciphertext and verifies that
//! the decrypted plaintext is consistent with the commitments.
//!
//! ## Protocol: Complaints
//!
//! File: `complaints.rs`
//!
//! Defines a type for a complaint [`IDkgComplaintInternal`]. Complaints can
//! be generated and verified. The function `generate_complaints` attempts
//! to decrypt a set of dealings; any dealing which cannot be decrypted
//! correctly (with regards to the included commitment) results in a
//! complaint being generated.
//!
//! ## Protocol: Transcripts
//!
//! File: `transcript.rs`
//!
//! A transcript is a combination of dealings which have been publicly verified.
//! [`IDkgTranscriptInternal`] is a commitment which commits to the value which is
//! formed by the set of dealings. Both the transcript and the dealings which
//! created it are normally provided for further operations.
//!
//! Transcript verification refers to the process of creating a new transcript from
//! a set of dealings. If the new transcript is equal to the given transcript, the
//! transcript is considered verified with respect to the dealings.
//!
//! ## Protocol: Signature Generation and Verification
//!
//! File: `sign.rs`
//!
//! * Generation and verification of signature shares
//! * Generation and verification of combined signatures
//!
//! ## Protocol: Multi-encryption gadget (MEGa)
//!
//! File: `mega.rs`
//!
//! Implements the MEGa encryption/decryption scheme, including key
//! generation.
//!
//! [`RandomOracle`](#utility-functions-random-oracle) is used to
//! generate the additive masking values.
//!
//! ## Protocol: Polynomial Arithmetic and Commitments
//!
//! File: `poly.rs`
//!
//! Defines [`poly::Polynomial`] - a polynomial with coefficients that
//! are integers modulo the order of an elliptic curve.
//!
//! Also defines two types of commitments to polynomials:
//! [`poly::SimpleCommitment`] (simple (dlog) commitments)
//! and [`poly::PedersenCommitment`] (Pedersen commitments).
//!
//! ## Protocol: Zero Knowledge Proofs
//!
//! File: `zk.rs`
//!
//! Defines three zero knowledge proofs used in the protocol:
//!
//! * [`zk::ProofOfEqualOpenings`]: a proof of equal openings of
//! simple and Pedersen commitments
//! * [`zk::ProofOfProduct`]: a proof that a Pedersen commitment
//! opens to the value of the product of openings of a simple and
//! another Pedersen commitment.
//! * [`zk::ProofOfDLogEquivalence`]: a proof of equal discrete logarithm
//!
//! ## Protocol: Key Derivation
//!
//! File: `key_derivation.rs`
//!
//! Performs (extended) BIP32 key derivation.
//!
//! Instead of only using 32-bit indices for the derivation path, this
//! derivation supports arbitrary byte strings.
//!
//! In the case that only 32-bit values are used, it is compatible with
//! standard BIP32.
//!
//! ## Utility Functions: Elliptic Curve Group
//!
//! Files: `group.rs` and `group/*.rs`
//!
//! To insulate the implementation from API changes in dependencies, and also
//! to provide a consistent abstraction across multiple curves, wrapper
//! types are provided, namely [`EccScalar`] and [`EccPoint`].
//!
//! An important exception to the general policy of avoiding timing
//! attacks is in this file. The function [`EccPoint::mul_by_node_index`]
//! takes advantage of the fact that node indexes are both small and
//! public. Uses a simple square-and-multiply implementation, which provides
//! notable performance improvements.
//!
//! Currently, curve arithmetic is implemented using the `k256` and `p256`
//! crates from the RustCrypto project. Wrappers for these types are
//! included in the `group` subdirectory.
//!
//! ## Utility Functions: H2C and XMD
//!
//! Files: `hash2curve.rs`, and `xmd.rs` in `seed` crate
//!
//! An implementation of IETF standard hash2curve is implemented in
//! `hash2curve.rs`. This is actually never called in production; we do
//! use h2c to derive a `h` generator unrelated to the standard group
//! generator for Pedersen commitments, but this is done offline.
//!
//! The primary entry point for hash2curve is [`EccPoint::hash_to_point`].
//!
//! [Note: we may use hash2curve in the future for Proof Of Possession of
//! MEGa private keys]
//!
//! The XMD hash used in hash2curve is implemented in `xmd.rs`. This
//! derivation function is used elsewhere, namely in [`Seed`] and the
//! [random oracle](#utility-functions-random-oracle).
//!
//! ## Utility Functions: Seed
//!
//! File: `lib.rs` in `seed` crate
//!
//! This crate is deterministic; all randomness is provided by the
//! caller. We may require several different random inputs for various
//! purposes. To accomplish this, a type called [`Seed`] encapsulates
//! a crypto variable which can be used to derive additional values
//! (using XMD) or be turned into a random number generator
//! (ChaCha20).
//!
//! ## Utility Functions: Random Oracle
//!
//! File: `ro.rs`
//!
//! For purposes including MEGa encryption and while computing zero
//! knowledge proofs, we must derive some value from multiple
//! inputs. This is done in a systematic way with
//! [`ro::RandomOracle`].
//!
//! This type takes named inputs of various types (scalars, points,
//! bytestrings, and small integers), along with a domain separator, and
//! hashes them using XMD to produce outputs which can be scalars, points,
//! or bytestrings.
//!
//! ## Utility Functions: Testing
//!
//! File: `test_utils.rs`
//!
//! Contains a function for corrupting dealings which is used when testing
//! malicious behavior.
#![forbid(unsafe_code)]
use ic_crypto_internal_seed::xmd::XmdError;
use ic_types::crypto::canister_threshold_sig::{ExtendedDerivationPath, MasterEcdsaPublicKey};
use ic_types::crypto::AlgorithmId;
use ic_types::{NumberOfNodes, Randomness};
use serde::{Deserialize, Serialize};
use std::collections::BTreeMap;
pub use ic_crypto_internal_seed::Seed;
use ic_types::crypto::canister_threshold_sig::error::{
IDkgLoadTranscriptError, IDkgVerifyComplaintError, IDkgVerifyDealingPrivateError,
IDkgVerifyTranscriptError,
};
pub use ic_types::crypto::canister_threshold_sig::EcdsaPublicKey;
pub use ic_types::NodeIndex;
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdEcdsaError {
CurveMismatch,
InconsistentCiphertext,
InconsistentOpeningAndCommitment,
InsufficientDealings,
InsufficientOpenings(usize, usize),
InterpolationError,
InvalidArguments(String),
InvalidCommitment,
InvalidComplaint,
InvalidFieldElement,
InvalidPoint,
InvalidProof,
InvalidRandomOracleInput,
InvalidRecipients,
InvalidScalar,
InvalidSecretShare,
InvalidSignature,
InvalidSignatureShare,
InvalidThreshold(usize, usize),
UnexpectedCommitmentType,
}
pub type ThresholdEcdsaResult<T> = std::result::Result<T, ThresholdEcdsaError>;
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub struct ThresholdEcdsaSerializationError(pub String);
pub type ThresholdEcdsaSerializationResult<T> =
std::result::Result<T, ThresholdEcdsaSerializationError>;
pub mod test_utils;
mod idkg;
mod signing;
mod utils;
pub use crate::idkg::mega::*;
pub use crate::idkg::complaints::*;
pub use crate::idkg::dealings::*;
pub use crate::idkg::transcript::*;
pub use crate::idkg::zk;
pub use crate::utils::group::*;
pub use crate::utils::poly::*;
pub use crate::utils::ro::*;
pub use crate::signing::bip340::{
derive_bip340_public_key, ThresholdBip340CombinedSignatureInternal,
ThresholdBip340SignatureShareInternal,
};
pub use crate::signing::ecdsa::{
ThresholdEcdsaCombinedSigInternal, ThresholdEcdsaSigShareInternal,
};
pub use crate::signing::key_derivation::{DerivationIndex, DerivationPath};
/// Create MEGa encryption keypair
pub fn gen_keypair(curve_type: EccCurveType, seed: Seed) -> (MEGaPublicKey, MEGaPrivateKey) {
let rng = &mut seed.into_rng();
let private_key = MEGaPrivateKey::generate(curve_type, rng);
let public_key = private_key.public_key();
(public_key, private_key)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum IdkgCreateDealingInternalError {
UnsupportedAlgorithm,
InvalidRecipients,
// Contains the requested threshold and the number of receivers
InvalidThreshold(usize, usize),
InvalidSecretShare,
InternalError(String),
}
impl From<ThresholdEcdsaError> for IdkgCreateDealingInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::InvalidRecipients => Self::InvalidRecipients,
ThresholdEcdsaError::InvalidSecretShare => Self::InvalidSecretShare,
ThresholdEcdsaError::InvalidThreshold(t, r) => Self::InvalidThreshold(t, r),
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Create a dealing for threshold ECDSA
pub fn create_dealing(
algorithm_id: ic_types::crypto::AlgorithmId,
associated_data: &[u8],
dealer_index: NodeIndex,
threshold: NumberOfNodes,
recipients: &[MEGaPublicKey],
shares: &SecretShares,
seed: Seed,
) -> Result<IDkgDealingInternal, IdkgCreateDealingInternalError> {
let signature_curve = EccCurveType::from_algorithm(algorithm_id)
.ok_or(IdkgCreateDealingInternalError::UnsupportedAlgorithm)?;
IDkgDealingInternal::new(
shares,
signature_curve,
seed,
threshold.get() as usize,
recipients,
dealer_index,
associated_data,
)
.map_err(IdkgCreateDealingInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum IDkgCreateTranscriptInternalError {
UnsupportedAlgorithm,
InconsistentCommitments,
InsufficientDealings,
InternalError(String),
}
impl From<ThresholdEcdsaError> for IDkgCreateTranscriptInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InsufficientDealings => Self::InsufficientDealings,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
impl From<XmdError> for ThresholdEcdsaError {
fn from(e: XmdError) -> Self {
match e {
XmdError::InvalidOutputLength(x) => Self::InvalidArguments(format!("{:?}", x)),
}
}
}
/// Create a new IDkg transcript
pub fn create_transcript(
algorithm_id: AlgorithmId,
reconstruction_threshold: NumberOfNodes,
verified_dealings: &BTreeMap<NodeIndex, IDkgDealingInternal>,
operation_mode: &IDkgTranscriptOperationInternal,
) -> Result<IDkgTranscriptInternal, IDkgCreateTranscriptInternalError> {
let curve = EccCurveType::from_algorithm(algorithm_id)
.ok_or(IDkgCreateTranscriptInternalError::UnsupportedAlgorithm)?;
IDkgTranscriptInternal::new(
curve,
reconstruction_threshold.get() as usize,
verified_dealings,
operation_mode,
)
.map_err(IDkgCreateTranscriptInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum IDkgVerifyTranscriptInternalError {
IncorrectTranscript,
FailedToCreateTranscript(IDkgCreateTranscriptInternalError),
}
impl From<IDkgVerifyTranscriptInternalError> for IDkgVerifyTranscriptError {
fn from(verify_transcript_internal_error: IDkgVerifyTranscriptInternalError) -> Self {
type Vtie = IDkgVerifyTranscriptInternalError;
type Vte = IDkgVerifyTranscriptError;
match verify_transcript_internal_error {
Vtie::IncorrectTranscript => Vte::InvalidTranscript,
Vtie::FailedToCreateTranscript(create_transcript_error) => Vte::InvalidArgument(
format!("failed to create transcript: {:?}", create_transcript_error),
),
}
}
}
/// Verifies the consistency of the transcript with the set of `verified_dealings`.
pub fn verify_transcript(
internal_transcript: &IDkgTranscriptInternal,
algorithm_id: AlgorithmId,
reconstruction_threshold: NumberOfNodes,
verified_dealings: &BTreeMap<NodeIndex, IDkgDealingInternal>,
operation_mode: &IDkgTranscriptOperationInternal,
) -> Result<(), IDkgVerifyTranscriptInternalError> {
let transcript = create_transcript(
algorithm_id,
reconstruction_threshold,
verified_dealings,
operation_mode,
);
match transcript {
Ok(transcript) => {
if &transcript == internal_transcript {
Ok(())
} else {
Err(IDkgVerifyTranscriptInternalError::IncorrectTranscript)
}
}
Err(e) => Err(IDkgVerifyTranscriptInternalError::FailedToCreateTranscript(
e,
)),
}
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum IDkgComputeSecretSharesInternalError {
ComplaintShouldBeIssued,
InsufficientOpenings(usize, usize),
InvalidCiphertext(String),
UnableToReconstruct(String),
UnableToCombineOpenings(String),
}
/// Computes secret shares (in the form of commitment openings) from
/// the given dealings.
///
/// # Arguments:
/// * `verified_dealings`: dealings to be decrypted,
/// * `transcript`: the combined commitment to the coefficients of the shared polynomial,
/// * `context_data`: associated data used in encryption and the zero-knowledge proofs,
/// * `receiver_index`: index of the receiver in this specific IDKG instance,
/// * `secret_key`: MEGa secret decryption key of the receiver,
/// * `public_key`: MEGa public encryption key associated to `secret_key`,
///
/// # Errors:
/// * `ComplaintShouldBeIssued`: if a ciphertext decrypts to a share that does not match with the commitment.
/// * `InvalidCiphertext`: if a ciphertext cannot be decrypted.
/// * `UnableToCombineOpenings`: internal error denoting that the decrypted share cannot be combined.
pub fn compute_secret_shares(
verified_dealings: &BTreeMap<NodeIndex, IDkgDealingInternal>,
transcript: &IDkgTranscriptInternal,
context_data: &[u8],
receiver_index: NodeIndex,
secret_key: &MEGaPrivateKey,
public_key: &MEGaPublicKey,
) -> Result<CommitmentOpening, IDkgComputeSecretSharesInternalError> {
CommitmentOpening::from_dealings(
verified_dealings,
&transcript.combined_commitment,
context_data,
receiver_index,
secret_key,
public_key,
)
}
/// Computes secret shares (in the form of commitment openings) from
/// the given dealings and openings.
///
/// # Preconditions
/// * The openings have all been verified to be valid.
/// * There are sufficient valid openings (at least `reconstruction_threshold`
/// many) for each corrupted dealing.
///
/// # Arguments:
/// * `verified_dealings`: dealings to be decrypted,
/// * `openings`: openings answering complaints against dealing that could not be decrypted correctly,
/// * `transcript`: the combined commitment to the coefficients of the shared polynomial,
/// * `context_data`: associated data used in encryption and the zero-knowledge proofs,
/// * `receiver_index`: index of the receiver in this specific IDKG instance,
/// * `secret_key`: MEGa secret decryption key of the receiver,
/// * `public_key`: MEGa public encryption key associated to `secret_key`,
///
/// # Errors:
/// * `ComplaintShouldBeIssued`: if a ciphertext decrypts to a share that does not match with the commitment.
/// * `InsufficientOpenings`: if the number of openings answering a complaint is insufficient.
/// * `InvalidCiphertext`: if a ciphertext cannot be decrypted.
/// * `UnableToCombineOpenings`: internal error denoting that the decrypted share cannot be combined.
/// * `UnableToReconstruct`: internal error denoting that the received openings cannot be used to recompute a share.
pub fn compute_secret_shares_with_openings(
verified_dealings: &BTreeMap<NodeIndex, IDkgDealingInternal>,
openings: &BTreeMap<NodeIndex, BTreeMap<NodeIndex, CommitmentOpening>>,
transcript: &IDkgTranscriptInternal,
context_data: &[u8],
receiver_index: NodeIndex,
secret_key: &MEGaPrivateKey,
public_key: &MEGaPublicKey,
) -> Result<CommitmentOpening, IDkgComputeSecretSharesInternalError> {
CommitmentOpening::from_dealings_and_openings(
verified_dealings,
openings,
&transcript.combined_commitment,
context_data,
receiver_index,
secret_key,
public_key,
)
}
#[derive(Clone, Debug, Eq, PartialEq)]
pub enum IDkgVerifyDealingInternalError {
UnsupportedAlgorithm,
InvalidCommitment,
InvalidProof,
InvalidRecipients,
InternalError(String),
}
impl From<ThresholdEcdsaError> for IDkgVerifyDealingInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::InvalidProof => Self::InvalidProof,
ThresholdEcdsaError::InvalidCommitment => Self::InvalidCommitment,
ThresholdEcdsaError::InvalidRecipients => Self::InvalidRecipients,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
impl From<IDkgVerifyDealingInternalError> for IDkgVerifyDealingPrivateError {
fn from(error: IDkgVerifyDealingInternalError) -> Self {
type Vdie = IDkgVerifyDealingInternalError;
type Vdpe = IDkgVerifyDealingPrivateError;
match error {
Vdie::InvalidCommitment | Vdie::InvalidProof | Vdie::InvalidRecipients => {
Vdpe::InvalidDealing(format!("{:?}", error))
}
Vdie::UnsupportedAlgorithm => Vdpe::InvalidArgument(format!("{:?}", error)),
Vdie::InternalError(e) => Vdpe::InternalError(e),
}
}
}
/// Verifies a dealing using public information
///
/// This function checks that the dealing has the expected type of
/// ciphertext and commitment (depending on the type of dealing)
///
/// It also verifies zero knowledge proofs attached to the dealing.
pub fn publicly_verify_dealing(
algorithm_id: AlgorithmId,
dealing: &IDkgDealingInternal,
transcript_type: &IDkgTranscriptOperationInternal,
reconstruction_threshold: NumberOfNodes,
dealer_index: NodeIndex,
number_of_receivers: NumberOfNodes,
associated_data: &[u8],
) -> Result<(), IDkgVerifyDealingInternalError> {
let key_curve = EccCurveType::K256;
let signature_curve = EccCurveType::from_algorithm(algorithm_id)
.ok_or(IDkgVerifyDealingInternalError::UnsupportedAlgorithm)?;
dealing
.publicly_verify(
key_curve,
signature_curve,
transcript_type,
reconstruction_threshold,
dealer_index,
number_of_receivers,
associated_data,
)
.map_err(IDkgVerifyDealingInternalError::from)
}
/// Verify a dealing using private information
///
/// This private verification must be done after the dealing has been publicly
/// verified. This operation decrypts the dealing and verifies that the
/// decrypted value is consistent with the commitment in the dealing.
#[allow(clippy::too_many_arguments)]
pub fn privately_verify_dealing(
algorithm_id: AlgorithmId,
dealing: &IDkgDealingInternal,
private_key: &MEGaPrivateKey,
public_key: &MEGaPublicKey,
associated_data: &[u8],
dealer_index: NodeIndex,
recipient_index: NodeIndex,
) -> Result<(), IDkgVerifyDealingInternalError> {
let signature_curve = EccCurveType::from_algorithm(algorithm_id)
.ok_or(IDkgVerifyDealingInternalError::UnsupportedAlgorithm)?;
let key_curve = private_key.curve_type();
dealing
.privately_verify(
key_curve,
signature_curve,
private_key,
public_key,
associated_data,
dealer_index,
recipient_index,
)
.map_err(IDkgVerifyDealingInternalError::from)
}
impl From<&ExtendedDerivationPath> for DerivationPath {
fn from(extended_derivation_path: &ExtendedDerivationPath) -> Self {
// We use generalized derivation for all path bytestrings after prepending
// the caller's principal. It means only big-endian encoded 4-byte values
// less than 2^31 are compatible with BIP-32 non-hardened derivation path.
Self::new(
std::iter::once(extended_derivation_path.caller.to_vec())
.chain(extended_derivation_path.derivation_path.clone())
.map(crate::signing::key_derivation::DerivationIndex)
.collect::<Vec<_>>(),
)
}
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdEcdsaGenerateSigShareInternalError {
InvalidArguments(String),
InconsistentCommitments,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdEcdsaGenerateSigShareInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Create a new threshold ECDSA signature share
///
/// The derivation_path creates a new key relative to the master key
///
/// The nonce should be random and shared by all nodes, for instance
/// by deriving a value from the random tape.
///
/// The presig_transcript is the transcript of the pre-signature (kappa)
///
/// lambda, kappa_times_lambda, and key_times_lambda are our openings
/// of the commitments in the associated transcripts.
///
/// The hashed message must have the same size as the underlying curve
/// order, for instance for P-256 a 256-bit hash function must be
/// used.
#[allow(clippy::too_many_arguments)]
pub fn create_ecdsa_signature_share(
derivation_path: &DerivationPath,
hashed_message: &[u8],
nonce: Randomness,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
lambda: &CommitmentOpening,
kappa_times_lambda: &CommitmentOpening,
key_times_lambda: &CommitmentOpening,
algorithm_id: AlgorithmId,
) -> Result<ThresholdEcdsaSigShareInternal, ThresholdEcdsaGenerateSigShareInternalError> {
let (curve_type, hash_len) = ecdsa_signature_parameters(algorithm_id).ok_or_else(|| {
ThresholdEcdsaGenerateSigShareInternalError::InvalidArguments(format!(
"unsupported algorithm: {algorithm_id:?}"
))
})?;
if hashed_message.len() != hash_len {
return Err(ThresholdEcdsaGenerateSigShareInternalError::InvalidArguments(
format!("length of hashed_message ({}) not matching expected length ({hash_len}) for algorithm_id ({algorithm_id:?})", hashed_message.len()))
);
}
ThresholdEcdsaSigShareInternal::new(
derivation_path,
hashed_message,
nonce,
key_transcript,
presig_transcript,
lambda,
kappa_times_lambda,
key_times_lambda,
curve_type,
)
.map_err(ThresholdEcdsaGenerateSigShareInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdEcdsaVerifySigShareInternalError {
InvalidArguments(String),
InconsistentCommitments,
InvalidSignatureShare,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdEcdsaVerifySigShareInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidSignatureShare => Self::InvalidSignatureShare,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Verify a signature share
///
/// The values provided must be consistent with when the signature share
/// was created
#[allow(clippy::too_many_arguments)]
pub fn verify_ecdsa_signature_share(
sig_share: &ThresholdEcdsaSigShareInternal,
derivation_path: &DerivationPath,
hashed_message: &[u8],
randomness: Randomness,
signer_index: NodeIndex,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
lambda: &IDkgTranscriptInternal,
kappa_times_lambda: &IDkgTranscriptInternal,
key_times_lambda: &IDkgTranscriptInternal,
algorithm_id: AlgorithmId,
) -> Result<(), ThresholdEcdsaVerifySigShareInternalError> {
let (curve_type, hash_len) = ecdsa_signature_parameters(algorithm_id).ok_or_else(|| {
ThresholdEcdsaVerifySigShareInternalError::InvalidArguments(format!(
"unsupported algorithm: {algorithm_id:?}"
))
})?;
if hashed_message.len() != hash_len {
return Err(ThresholdEcdsaVerifySigShareInternalError::InvalidArguments(
format!("length of hashed_message ({}) not matching expected length ({hash_len}) for algorithm_id ({algorithm_id:?})", hashed_message.len()))
);
}
sig_share
.verify(
derivation_path,
hashed_message,
randomness,
signer_index,
key_transcript,
presig_transcript,
lambda,
kappa_times_lambda,
key_times_lambda,
curve_type,
)
.map_err(ThresholdEcdsaVerifySigShareInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdEcdsaCombineSigSharesInternalError {
UnsupportedAlgorithm,
InconsistentCommitments,
InsufficientShares,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdEcdsaCombineSigSharesInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InsufficientDealings => Self::InsufficientShares,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Combine sufficient signature shares into an ECDSA signature
///
/// The signature shares must be verified prior to use, and there must
/// be at least reconstruction_threshold many of them.
#[allow(clippy::too_many_arguments)]
pub fn combine_ecdsa_signature_shares(
derivation_path: &DerivationPath,
hashed_message: &[u8],
randomness: Randomness,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
reconstruction_threshold: NumberOfNodes,
sig_shares: &BTreeMap<NodeIndex, ThresholdEcdsaSigShareInternal>,
algorithm_id: AlgorithmId,
) -> Result<ThresholdEcdsaCombinedSigInternal, ThresholdEcdsaCombineSigSharesInternalError> {
let curve = EccCurveType::from_algorithm(algorithm_id)
.ok_or(ThresholdEcdsaCombineSigSharesInternalError::UnsupportedAlgorithm)?;
crate::signing::ecdsa::ThresholdEcdsaCombinedSigInternal::new(
derivation_path,
hashed_message,
randomness,
key_transcript,
presig_transcript,
reconstruction_threshold,
sig_shares,
curve,
)
.map_err(ThresholdEcdsaCombineSigSharesInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdEcdsaVerifySignatureInternalError {
InvalidSignature,
InvalidArguments(String),
InconsistentCommitments,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdEcdsaVerifySignatureInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidSignature => Self::InvalidSignature,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Verify a threshold ECDSA signature
///
/// In addition to checking that the ECDSA signature itself is
/// consistent with the provided message and the public key associated
/// with `derivation_path`, this function also verifies that the
/// signature was generated correctly with regards to the provided
/// presignature transcript and randomness.
pub fn verify_ecdsa_threshold_signature(
signature: &ThresholdEcdsaCombinedSigInternal,
derivation_path: &DerivationPath,
hashed_message: &[u8],
randomness: Randomness,
presig_transcript: &IDkgTranscriptInternal,
key_transcript: &IDkgTranscriptInternal,
algorithm_id: AlgorithmId,
) -> Result<(), ThresholdEcdsaVerifySignatureInternalError> {
let (curve_type, hash_len) = ecdsa_signature_parameters(algorithm_id).ok_or_else(|| {
ThresholdEcdsaVerifySignatureInternalError::InvalidArguments(format!(
"unsupported algorithm: {algorithm_id:?}"
))
})?;
if hashed_message.len() != hash_len {
return Err(ThresholdEcdsaVerifySignatureInternalError::InvalidArguments(
format!("length of hashed_message ({}) not matching expected length ({hash_len}) for algorithm_id ({algorithm_id:?})", hashed_message.len())
));
}
signature
.verify(
derivation_path,
hashed_message,
randomness,
presig_transcript,
key_transcript,
curve_type,
)
.map_err(ThresholdEcdsaVerifySignatureInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdBip340GenerateSigShareInternalError {
InvalidArguments(String),
InconsistentCommitments,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdBip340GenerateSigShareInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Create a new threshold BIP340 Schnorr signature share
///
/// The derivation_path creates a new key relative to the master key
///
/// The nonce should be random and shared by all nodes, for instance
/// by deriving a value from the random tape.
///
/// The presig_transcript is the transcript of the pre-signature (kappa)
///
/// The message can be of any length
pub fn create_bip340_signature_share(
derivation_path: &DerivationPath,
message: &[u8],
nonce: Randomness,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
key_opening: &CommitmentOpening,
presig_opening: &CommitmentOpening,
) -> Result<ThresholdBip340SignatureShareInternal, ThresholdBip340GenerateSigShareInternalError> {
ThresholdBip340SignatureShareInternal::new(
derivation_path,
message,
nonce,
key_transcript,
key_opening,
presig_transcript,
presig_opening,
)
.map_err(ThresholdBip340GenerateSigShareInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdBip340VerifySigShareInternalError {
InvalidArguments(String),
InconsistentCommitments,
InvalidSignatureShare,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdBip340VerifySigShareInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidSignatureShare => Self::InvalidSignatureShare,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Verify a signature share
///
/// The values provided must be consistent with when the signature share
/// was created
pub fn verify_bip340_signature_share(
sig_share: &ThresholdBip340SignatureShareInternal,
derivation_path: &DerivationPath,
hashed_message: &[u8],
randomness: Randomness,
signer_index: NodeIndex,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
) -> Result<(), ThresholdBip340VerifySigShareInternalError> {
sig_share
.verify(
derivation_path,
hashed_message,
randomness,
signer_index,
key_transcript,
presig_transcript,
)
.map_err(ThresholdBip340VerifySigShareInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdBip340CombineSigSharesInternalError {
UnsupportedAlgorithm,
InconsistentCommitments,
InsufficientShares,
InternalError(String),
}
impl From<ThresholdEcdsaError> for ThresholdBip340CombineSigSharesInternalError {
fn from(e: ThresholdEcdsaError) -> Self {
match e {
ThresholdEcdsaError::CurveMismatch => Self::InconsistentCommitments,
ThresholdEcdsaError::InvalidCommitment => Self::InconsistentCommitments,
ThresholdEcdsaError::InsufficientDealings => Self::InsufficientShares,
x => Self::InternalError(format!("{:?}", x)),
}
}
}
/// Combine sufficient signature shares into an BIP340 signature
///
/// The signature shares must be verified prior to use, and there must
/// be at least reconstruction_threshold many of them.
pub fn combine_bip340_signature_shares(
derivation_path: &DerivationPath,
message: &[u8],
randomness: Randomness,
key_transcript: &IDkgTranscriptInternal,
presig_transcript: &IDkgTranscriptInternal,
reconstruction_threshold: NumberOfNodes,
sig_shares: &BTreeMap<NodeIndex, ThresholdBip340SignatureShareInternal>,
) -> Result<ThresholdBip340CombinedSignatureInternal, ThresholdBip340CombineSigSharesInternalError>
{
ThresholdBip340CombinedSignatureInternal::new(
derivation_path,
message,
randomness,
key_transcript,
presig_transcript,
reconstruction_threshold,
sig_shares,
)
.map_err(ThresholdBip340CombineSigSharesInternalError::from)
}
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum ThresholdBip340VerifySignatureInternalError {
InvalidSignature,
UnexpectedCommitmentType,
InternalError(String),
}