sign

package
v0.8.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2023 License: GPL-3.0 Imports: 15 Imported by: 0

Documentation

Overview

Package sign implements the 2-2 threshold signature protocol of [DKLs18](https://eprint.iacr.org/2018/499.pdf). The signing protocol is defined in "Protocol 4" page 9, of the paper. The Zero Knowledge Proof ideal functionalities are realized using schnorr proofs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Alice

type Alice struct {
	// contains filtered or unexported fields
}

Alice struct encoding Alice's state during one execution of the overall signing algorithm. At the end of the joint computation, Alice will not possess the signature.

func NewAlice

func NewAlice(curve *curves.Curve, hash hash.Hash, dkgOutput *dkg.AliceOutput) *Alice

NewAlice creates a party that can participate in protocol runs of DKLs sign, in the role of Alice.

func (*Alice) Round1GenerateRandomSeed

func (alice *Alice) Round1GenerateRandomSeed() ([simplest.DigestSize]byte, error)

Round1GenerateRandomSeed first step of the generation of the shared random salt `idExt` in this round, Alice flips 32 random bytes and sends them to Bob. Note that this is not _explicitly_ given as part of the protocol in https://eprint.iacr.org/2018/499.pdf, Protocol 1). Rather, it is part of our generation of `idExt`, the shared random salt which both parties must use in cOT. This value introduced in Protocol 9), very top of page 16. it is not indicated how it should be derived. We do it by having each party sample 32 bytes, then by appending _both_ as salts. Secure if either party is honest

func (*Alice) Round3Sign

func (alice *Alice) Round3Sign(message []byte, round2Output *SignRound2Output) (*SignRound3Output, error)

Round3Sign Alice's first message. Alice is the _responder_; she is responding to Bob's initial message. This is Protocol 1 (p. 6), and contains Alice's steps 3) -- 8). these can all be combined into one message. Alice's job here is to finish computing the shared instance key / nonce, as well as multiplication input values; then to invoke the multiplication on these two input values (stashing the outputs in her running result struct), then to use the _output_ of the multiplication (which she already possesses as of the end of her computation), and use that to compute some final values which will help Bob compute the final signature.

type Bob

type Bob struct {
	// Signature is the resulting digital signature and is the output of this protocol.
	Signature *curves.EcdsaSignature
	// contains filtered or unexported fields
}

Bob struct encoding Bob's state during one execution of the overall signing algorithm. At the end of the joint computation, Bob will obtain the signature.

func NewBob

func NewBob(curve *curves.Curve, hash hash.Hash, dkgOutput *dkg.BobOutput) *Bob

NewBob creates a party that can participate in protocol runs of DKLs sign, in the role of Bob. This party receives the signature at the end.

func (*Bob) Round2Initialize

func (bob *Bob) Round2Initialize(aliceSeed [simplest.DigestSize]byte) (*SignRound2Output, error)

Round2Initialize Bob's initial message, which kicks off the signature process. Protocol 1, Bob's steps 1) - 3). Bob's work here entails beginning the Diffie–Hellman-like construction of the instance key / nonce, as well as preparing the inputs which he will feed into the multiplication protocol, and moreover actually initiating the (first respective messages of) the multiplication protocol using these inputs. This latter step in turn amounts to sending the initial message in a new cOT extension. All the resulting data gets packaged and sent to Alice.

func (*Bob) Round4Final

func (bob *Bob) Round4Final(message []byte, round3Output *SignRound3Output) error

Round4Final this is Bob's last portion of the signature computation, and ultimately results in the complete signature corresponds to Protocol 1, Bob's steps 3) -- 10). Bob begins by _finishing_ the OT-based multiplication, using Alice's one and only message to him re: the mult. Bob then move's onto the remainder of Alice's message, which contains extraneous data used to finish the signature. Using this data, Bob completes the signature, which gets stored in `Bob.Sig`. Bob also verifies it.

type MultiplyReceiver

type MultiplyReceiver struct {
	// contains filtered or unexported fields
}

MultiplyReceiver is the party that plays the role of Sender in the multiplication protocol (protocol 5 of the paper).

func NewMultiplyReceiver

func NewMultiplyReceiver(seedOtResults *simplest.SenderOutput, curve *curves.Curve, uniqueSessionId [simplest.DigestSize]byte) (*MultiplyReceiver, error)

NewMultiplyReceiver generates a `MultiplyReceiver` instance, ready to take part in multiplication as the "receiver". You must supply it the _output_ of a seed OT, from the sender's point of view, as well as params and a unique ID. That is, the mult sender must run the base OT as the sender; note the (apparent) reversal of roles.

func (*MultiplyReceiver) Round1Initialize

func (receiver *MultiplyReceiver) Round1Initialize(beta curves.Scalar) (*kos.Round1Output, error)

Round1Initialize Protocol 5., Multiplication, 3). Bob (receiver) encodes beta and initiates the cOT extension

func (*MultiplyReceiver) Round3Multiply

func (receiver *MultiplyReceiver) Round3Multiply(round2Output *MultiplyRound2Output) error

Round3Multiply Protocol 5., Multiplication, 3) and 6). Bob finalizes the cOT extension. using that and Alice's multiplication message, Bob completes the multiplication protocol, including checks. At the end, Bob's values tB_j are populated.

type MultiplyRound2Output

type MultiplyRound2Output struct {
	COTRound2Output *kos.Round2Output
	R               [kos.L]curves.Scalar
	U               curves.Scalar
}

MultiplyRound2Output is the output of the second round of the multiplication protocol.

type MultiplySender

type MultiplySender struct {
	// contains filtered or unexported fields
}

MultiplySender is the party that plays the role of Sender in the multiplication protocol (protocol 5 of the paper).

func NewMultiplySender

func NewMultiplySender(seedOtResults *simplest.ReceiverOutput, curve *curves.Curve, uniqueSessionId [simplest.DigestSize]byte) (*MultiplySender, error)

NewMultiplySender generates a `MultiplySender` instance, ready to take part in multiplication as the "sender". You must supply it the _output_ of a seed OT, from the receiver's point of view, as well as params and a unique ID. That is, the mult sender must run the base OT as the receiver; note the (apparent) reversal of roles.

func (*MultiplySender) Round2Multiply

func (sender *MultiplySender) Round2Multiply(alpha curves.Scalar, round1Output *kos.Round1Output) (*MultiplyRound2Output, error)

Round2Multiply Protocol 5., steps 3) 5), 7). Alice _responds_ to Bob's initial cOT message, using alpha as input. Doesn't actually send the message yet, only stashes it and moves onto the next steps of the multiplication protocol specifically, Alice can then do step 5) (compute the outputs of the multiplication protocol), also stashes this. Finishes by taking care of 7), after that, Alice is totally done with multiplication and has stashed the outputs.

type SignRound2Output

type SignRound2Output struct {
	// KosRound1Outputs is the output of the first round of OT Extension, stored for future rounds.
	KosRound1Outputs [multiplicationCount]*kos.Round1Output

	// DB is D_{B} = k_{B} . G from the paper.
	DB curves.Point

	// Seed is the random value used to derive the joint unique session id.
	Seed [simplest.DigestSize]byte
}

SignRound2Output is the output of the 3rd round of the protocol.

type SignRound3Output

type SignRound3Output struct {
	// MultiplyRound2Outputs is the output of the second round of multiply sub-protocol. Stored to use in future rounds.
	MultiplyRound2Outputs [multiplicationCount]*MultiplyRound2Output

	// RSchnorrProof is ZKP for the value R = k_{A} . D_{B} from the paper.
	RSchnorrProof *schnorr.Proof

	// RPrime is R' = k'_{A} . D_{B} from the paper.
	RPrime curves.Point

	// EtaPhi is the Eta_{Phi} from the paper.
	EtaPhi curves.Scalar

	// EtaSig is the Eta_{Sig} from the paper.
	EtaSig curves.Scalar
}

SignRound3Output is the output of the 3rd round of the protocol.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL