frost

package module
v0.0.0-...-9a9e30f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 12, 2024 License: MIT Imports: 14 Imported by: 0

README

❄ FROST

frost Go Reference codecov

  import "github.com/bytemare/frost"

This package implements FROST Flexible Round-Optimized Schnorr Threshold and the FROST Distributed Key Generation protocols. FROST provides Two-Round Threshold Schnorr Signatures.

What is frost?

FROST reduces network overhead during threshold signing operations while employing a novel technique to protect against forgery attacks applicable to prior Schnorr-based threshold signature constructions. FROST signatures can be issued after a threshold number of entities cooperate to compute a signature, allowing for improved distribution of trust and redundancy with respect to a secret key.

Supported Ciphersuites
ID Name Backend
1 Edwards25519 filippo.io/edwards25519
2 Ristretto255 github.com/gtank/ristretto255
3 Edwards448 not yet supported
4 P-256 filippo.io/nistec
5 Secp256k1 github.com/bytemare/crypto
References

Documentation Go Reference

You can find the documentation and usage examples in the package doc.

Versioning

SemVer is used for versioning. For the versions available, see the tags on the repository.

Contributing

Please read CONTRIBUTING.md for details on the code of conduct, and the process for submitting pull requests.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Documentation

Overview

Package frost implements FROST, the Flexible Round-Optimized Schnorr Threshold (FROST) signing protocol.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DkgGenerateKeys 

func DkgGenerateKeys(
	conf *Configuration,
	maxSigners, threshold int,
) ([]*secretsharing.KeyShare, *group.Element, error)

dkgGenerateKeys generates sharded keys for maxSigner participant without a trusted dealer, and returns these shares and the group's public key.

func FrostKeyGen 

func FrostKeyGen(maxSigners, threshold int) ([]*secretsharing.KeyShare, *group.Element, error)

func FrostSign 

func FrostSign(conf *Configuration, privateKeyShares []*secretsharing.KeyShare, groupPublicKey *group.Element, message []byte) []byte

func FrostVerify 

func FrostVerify(groupPublicKey []byte, message []byte, signature []byte) bool

func GenerateSaveEd25519 

func GenerateSaveEd25519(keyName string, pub ed25519.PublicKey) error

GenerateSaveEd25519 generates and saves ed25519 keys to disk after encoding into PEM format

func IdFromInt 

func IdFromInt(g group.Group, i int) (*group.Scalar, error)

func LoadPubKeyEd25519 

func LoadPubKeyEd25519(name string) ed25519.PublicKey

func LoadPubKeyFrost 

func LoadPubKeyFrost(name string) *group.Element

func LoadSecretShare 

func LoadSecretShare(keyname string, configuration *Configuration) *secretsharing.KeyShare

func SaveSecretShares 

func SaveSecretShares(configuration *Configuration, privateKeyShares []*secretsharing.KeyShare)

func Sign 

func Sign(configuration *Configuration, privateKeyShares []*secretsharing.KeyShare, groupPublicKey *group.Element, message []byte) []byte

func ToEd25519 

func ToEd25519(pk ed25519.PublicKey) (ed25519.PublicKey, error)

func TrustedDealerKeygen 

func TrustedDealerKeygen(
	g group.Group,
	secret *group.Scalar,
	max, min int,
	coeffs ...*group.Scalar,
) ([]*secretsharing.KeyShare, *group.Element, secretsharing.Commitment, error)

TrustedDealerKeygen uses Shamir and Verifiable Secret Sharing to create secret shares of an input group secret. These shares should be distributed securely to relevant participants. Note that this is centralized and combines the shared secret at some point. To use a decentralized dealer-less key generation, use the dkg package.

func Verify 

func Verify(g group.Group, share *secretsharing.KeyShare, coms secretsharing.Commitment) bool

Verify allows verification of a participant's secret share given a VSS commitment to the secret polynomial.

Types

type Ciphersuite 

type Ciphersuite byte

Ciphersuite identifies the group and hash to use for FROST. 

const (
	// Ed25519 uses Edwards25519 and SHA-512, producing Ed25519-compliant signatures as specified in RFC8032.
	Ed25519 Ciphersuite = 1 + iota

	// Ristretto255 uses Ristretto255 and SHA-512.
	Ristretto255

	// P256 uses P-256 and SHA-256.
	P256

	// Secp256k1 uses Secp256k1 and SHA-256.
	Secp256k1
)

func (Ciphersuite) Available 

func (c Ciphersuite) Available() bool

Available returns whether the selected ciphersuite is available.

func (Ciphersuite) Configuration 

func (c Ciphersuite) Configuration() *Configuration

Configuration returns a configuration created for the ciphersuite.

type Commitment 

type Commitment []*group.Element

Commitment is the tuple defining a commitment.

func DeriveGroupInfo 

func DeriveGroupInfo(g group.Group, max int, coms secretsharing.Commitment) (*group.Element, Commitment)

DeriveGroupInfo returns the group public key as well those from all participants.

type Configuration 

type Configuration struct {
	GroupPublicKey *group.Element
	Ciphersuite    internal.Ciphersuite
}

Configuration holds long term configuration information.

func (Configuration) Participant 

func (c Configuration) Participant(id, keyShare *group.Scalar) *Participant

Participant returns a new participant of the protocol instantiated from the configuration an input.

type Participant 

type Participant struct {
	ParticipantInfo
	Nonce         [2]*group.Scalar
	HidingRandom  []byte
	BindingRandom []byte
	Configuration
}

Participant is a signer of a group.

func RecoverParticipant 

func RecoverParticipant(c Ciphersuite, backup []byte) (*Participant, error)

RecoverParticipant attempts to deserialize the encoded backup into a Participant.

func (*Participant) Aggregate 

func (p *Participant) Aggregate(
	list internal.CommitmentList,
	msg []byte,
	sigShares []*group.Scalar,
) *schnorr.Signature

Aggregate allows the coordinator to produce the final signature given all signature shares.

Before aggregation, each signature share must be a valid deserialized element. If that validation fails the coordinator must abort the protocol, as the resulting signature will be invalid. The CommitmentList must be sorted in ascending order by identifier.

The coordinator should verify this signature using the group public key before publishing or releasing the signature. This aggregate signature will verify if and only if all signature shares are valid. If an invalid share is identified a reasonable approach is to remove the participant from the set of allowed participants in future runs of FROST.

func (*Participant) Backup 

func (p *Participant) Backup() []byte

Backup serializes the client with its long term values, containing its secret share.

func (*Participant) Commit 

func (p *Participant) Commit() *internal.Commitment

Commit generates a participants nonce and commitment, to be used in the second FROST round. The nonce must be kept secret, and the commitment sent to the coordinator.

func (*Participant) Sign 

func (p *Participant) Sign(msg []byte, list internal.CommitmentList) (*group.Scalar, error)

Sign produces a participant's signature share of the message msg.

Each participant MUST validate the inputs before processing the Coordinator's request. In particular, the Signer MUST validate commitment_list, deserializing each group Element in the list using DeserializeElement from {{dep-pog}}. If deserialization fails, the Signer MUST abort the protocol. Moreover, each participant MUST ensure that its identifier and commitments (from the first round) appear in commitment_list.

func (*Participant) VerifySignatureShare 

func (p *Participant) VerifySignatureShare(
	id *group.Scalar,
	pki *group.Element,
	commi [2]*group.Element,
	sigShareI *group.Scalar,
	coms internal.CommitmentList,
	msg []byte,
) bool

VerifySignatureShare verifies a signature share. id, pki, commi, and sigShareI are, respectively, the identifier, public key, commitment, and signature share of the participant whose share is to be verified.

The CommitmentList must be sorted in ascending order by identifier.

type ParticipantInfo 

type ParticipantInfo struct {
	KeyShare *secretsharing.KeyShare
	Lambda   *group.Scalar // lamba can be computed once and reused across FROST signing operations
}

ParticipantInfo holds the participant specific long-term values.

type ParticipantList 

type ParticipantList []*Participant

func (ParticipantList) Get 

func (p ParticipantList) Get(id *group.Scalar) *Participant

Source Files

View all Source files

Directories

Path Synopsis
Package dkg implements the Distributed Key Generation described in FROST, using zero-knowledge proofs in Schnorr signatures.
 Package dkg implements the Distributed Key Generation described in FROST, using zero-knowledge proofs in Schnorr signatures.
Package internal provides values, structures, and functions to operate FROST that are not part of the public API.
 Package internal provides values, structures, and functions to operate FROST that are not part of the public API.
schnorr
Package schnorr provides Schnorr signature operations.
 Package schnorr provides Schnorr signature operations.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.