boltlabs-inc · becgabri · Oct 16, 2024 · Jul 20, 2024 · Aug 19, 2024 · Aug 21, 2024
diff --git a/examples/threaded_example/threaded.rs b/examples/threaded_example/threaded.rs
@@ -428,7 +428,7 @@ impl Worker {
         let record = self.presign_records.take(&key_id);
 
         let threshold = key_shares.len();
-        let inputs = sign::Input::new(b"hello world", record, key_shares.to_vec(), threshold);
+        let inputs = sign::Input::new(b"hello world", record, key_shares.to_vec(), threshold, None);
         self.new_sub_protocol::<SignParticipant>(sid, inputs, key_id)
     }
 }

diff --git a/src/lib.rs b/src/lib.rs
@@ -221,6 +221,7 @@ pub mod presign;
 mod protocol;
 mod ring_pedersen;
 pub mod sign;
+pub mod slip0010;
 pub mod tshare;
 mod utils;
 mod zkp;

diff --git a/src/messages.rs b/src/messages.rs
@@ -79,11 +79,11 @@ pub enum TshareMessageType {
     R1CommitHash,
     /// The information committed to in Round 1
     R2Decommit,
+    /// The encrypted private share from a participant to another.
+    R2PrivateShare,
     /// A proof of knowledge of the discrete log of the value decommitted in
     /// Round 2
-    R3Proofs,
-    /// The encrypted private share from a participant to another.
-    R3PrivateShare,
+    R3Proof,
 }
 
 /// An enum consisting of all keyrefresh message types

diff --git a/src/presign/record.rs b/src/presign/record.rs
@@ -51,7 +51,7 @@ pub(crate) struct RecordPair {
 /// d_A)`, which is exactly a valid (normal) ECDSA signature.
 ///
 /// [^cite]: [Wikipedia](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm)
-#[derive(Clone, Zeroize, ZeroizeOnDrop, PartialEq, Eq)]
+#[derive(Zeroize, ZeroizeOnDrop, PartialEq, Eq)]
 pub struct PresignRecord {
     R: CurvePoint,
     k: Scalar,

diff --git a/src/protocol.rs b/src/protocol.rs
@@ -643,10 +643,12 @@ mod tests {
         participant::Status,
         presign,
         sign::{self, InteractiveSignParticipant, SignParticipant},
+        slip0010,
         tshare::{self, CoeffPrivate, TshareParticipant},
         utils::{bn_to_scalar, testing::init_testing},
         PresignParticipant,
     };
+    use core::panic;
     use k256::{ecdsa::signature::DigestVerifier, Scalar};
     use rand::seq::IteratorRandom;
     use sha3::{Digest, Keccak256};
@@ -846,38 +848,45 @@ mod tests {
     #[ignore]
     #[test]
     fn test_full_protocol_execution_with_noninteractive_signing_works_larger_values() {
-        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 5, 5).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 4, 5).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(4, 4, 5).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 3, 5).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(4, 3, 5).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 3, 5).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 5, 5, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 4, 5, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(4, 4, 5, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(5, 3, 5, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(4, 3, 5, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 3, 5, 42).is_ok());
     }
 
     #[cfg_attr(feature = "flame_it", flame)]
     #[test]
     fn test_full_protocol_execution_with_noninteractive_signing_works() {
-        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 3, 3).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 2, 3).is_ok());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 2, 3).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 3, 3, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 2, 3, 42).is_ok());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 2, 3, 42).is_ok());
+        // 2**31
+        let invalid_index = 1 << 31;
+        assert!(
+            full_protocol_execution_with_noninteractive_signing_works(3, 3, 3, invalid_index)
+                .is_err()
+        );
     }
 
     #[ignore]
     #[test]
     fn test_full_protocol_execution_with_noninteractive_signing_works_err_larger_values() {
-        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 4, 5).is_err());
-        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 4, 5).is_err());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(3, 4, 5, 42).is_err());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 4, 5, 42).is_err());
     }
 
     #[test]
     fn test_full_protocol_execution_with_noninteractive_signing_works_err() {
-        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 3, 4).is_err());
+        assert!(full_protocol_execution_with_noninteractive_signing_works(2, 3, 4, 42).is_err());
     }
 
     fn full_protocol_execution_with_noninteractive_signing_works(
         r: usize,
         t: usize,
         n: usize,
+        child_index: u32,
     ) -> Result<()> {
         let mut rng = init_testing();
         let QUORUM_REAL = r; // The real quorum size, which is the number of participants that will actually
@@ -1055,11 +1064,13 @@ mod tests {
         let all_participants = configs.first().unwrap().all_participants();
 
         // t-out-of-t conversion
+        let chain_code = keygen_outputs[&configs[0].id()].chain_code();
         let rid = keygen_outputs[&configs[0].id()].rid();
-        let (mut toft_keygen_outputs, toft_public_keys) =
+        let (mut toft_keygen_outputs, _toft_public_keys) =
             TshareParticipant::convert_to_t_out_of_t_shares(
                 tshare_outputs,
                 all_participants.clone(),
+                *chain_code,
                 *rid,
             )?;
 
@@ -1083,6 +1094,11 @@ mod tests {
             );
         }
 
+        let public_key_shares = toft_keygen_outputs
+            .get(&configs.first().unwrap().id())
+            .unwrap()
+            .public_key_shares()
+            .to_vec();
         let saved_public_key = toft_keygen_outputs
             .get(&configs.first().unwrap().id())
             .unwrap()
@@ -1189,8 +1205,13 @@ mod tests {
             .into_iter()
             .map(|config| {
                 let record = presign_outputs.remove(&config.id()).unwrap();
-                let input =
-                    sign::Input::new(message, record, toft_public_keys.clone(), QUORUM_THRESHOLD);
+                let input = sign::Input::new(
+                    message,
+                    record,
+                    public_key_shares.clone(),
+                    QUORUM_THRESHOLD,
+                    Some(shift_scalar),
+                );
                 Participant::<SignParticipant>::from_config(config, sign_sid, input)
             })
             .collect::<Result<Vec<_>>>()?;

diff --git a/src/sign/interactive_sign/participant.rs b/src/sign/interactive_sign/participant.rs
@@ -115,7 +115,7 @@ impl SigningMaterial {
                 // the same as the public keys size
                 let threshold = public_keys.len();
                 let signing_input =
-                    sign::Input::new_from_digest(*digest, record, public_keys, threshold);
+                    sign::Input::new_from_digest(*digest, record, public_keys, threshold, None);
                 // Note: this shouldn't throw an error because the only failure case should have
                 // also been checked by the presign constructor, and computation
                 // halted far before we reach this point.

diff --git a/src/sign/non_interactive_sign/participant.rs b/src/sign/non_interactive_sign/participant.rs
@@ -80,6 +80,7 @@ pub struct Input {
     presign_record: PresignRecord,
     public_key_shares: Vec<KeySharePublic>,
     threshold: usize,
+    shift: Option<Scalar>,
 }
 
 impl Input {
@@ -92,12 +93,14 @@ impl Input {
         record: PresignRecord,
         public_key_shares: Vec<KeySharePublic>,
         threshold: usize,
+        shift: Option<Scalar>,
     ) -> Self {
         Self {
             digest: Keccak256::new_with_prefix(message),
             presign_record: record,
             public_key_shares,
             threshold,
+            shift,
         }
     }
 
@@ -110,12 +113,14 @@ impl Input {
         record: PresignRecord,
         public_key_shares: Vec<KeySharePublic>,
         threshold: usize,
+        shift: Option<Scalar>,
     ) -> Self {
         Self {
             digest,
             presign_record: record,
             public_key_shares,
             threshold,
+            shift,
         }
     }
 
@@ -597,6 +602,7 @@ mod test {
                 record,
                 keygen.public_key_shares().to_vec(),
                 quorum_size,
+                None,
             )
         });
         let mut quorum = std::iter::zip(configs, inputs)
@@ -719,6 +725,7 @@ mod test {
             presign_record,
             keygen_output.public_key_shares().to_vec(),
             threshold,
+            None,
         );
 
         let participant = SignParticipant::new(sid, id, other_participant_ids, input);

diff --git a/src/sign/non_interactive_sign/share.rs b/src/sign/non_interactive_sign/share.rs
@@ -49,17 +49,3 @@ impl std::ops::Add<SignatureShare> for Scalar {
         self + rhs.0
     }
 }
-
-impl std::ops::Mul<SignatureShare> for SignatureShare {
-    type Output = Scalar;
-    fn mul(self, rhs: SignatureShare) -> Self::Output {
-        self.0 * rhs.0
-    }
-}
-
-impl std::ops::Mul<SignatureShare> for Scalar {
-    type Output = Scalar;
-    fn mul(self, rhs: SignatureShare) -> Self::Output {
-        self * rhs.0
-    }
-}
diff --git a/src/tshare/commit.rs b/src/tshare/commit.rs
@@ -39,7 +39,7 @@ pub(crate) struct TshareDecommit {
     u_i: [u8; 32], // The blinding factor is never read but it is included in the commitment.
     pub rid: [u8; 32],
     pub coeff_publics: Vec<CoeffPublic>,
-    pub As: Vec<CurvePoint>,
+    pub precom: CurvePoint,
 }
 
 impl TshareDecommit {
@@ -48,8 +48,8 @@ impl TshareDecommit {
         rng: &mut R,
         sid: &Identifier,
         sender: &ParticipantIdentifier,
-        coeff_publics: Vec<CoeffPublic>,
-        sch_precoms: Vec<CurvePoint>,
+        coeff_publics: &[CoeffPublic],
+        sch_precom: CurvePoint,
     ) -> Self {
         let mut rid = [0u8; 32];
         let mut u_i = [0u8; 32];
@@ -60,20 +60,16 @@ impl TshareDecommit {
             sender: *sender,
             rid,
             u_i,
-            coeff_publics,
-            As: sch_precoms,
+            coeff_publics: coeff_publics.to_vec(),
+            precom: sch_precom,
         }
     }
 
     /// Deserialize a TshareDecommit from a message and verify it.
-    pub(crate) fn from_message(
-        message: &Message,
-        com: &TshareCommit,
-        threshold: usize,
-    ) -> Result<Self> {
+    pub(crate) fn from_message(message: &Message, com: &TshareCommit) -> Result<Self> {
         message.check_type(MessageType::Tshare(TshareMessageType::R2Decommit))?;
         let tshare_decommit: TshareDecommit = deserialize!(&message.unverified_bytes)?;
-        tshare_decommit.verify(message.id(), message.from(), com, threshold)?;
+        tshare_decommit.verify(message.id(), message.from(), com)?;
         Ok(tshare_decommit)
     }
 
@@ -92,7 +88,6 @@ impl TshareDecommit {
         sid: Identifier,
         sender: ParticipantIdentifier,
         com: &TshareCommit,
-        threshold: usize,
     ) -> Result<()> {
         // Check the commitment.
         let rebuilt_com = self.commit()?;
@@ -111,18 +106,6 @@ impl TshareDecommit {
             return Err(InternalError::ProtocolError(Some(sender)));
         }
 
-        // Check the number of commitments As.
-        if self.As.len() < threshold {
-            error!("Incorrect number of As");
-            return Err(InternalError::ProtocolError(Some(sender)));
-        }
-
-        // Check the set of coefficients.
-        if self.coeff_publics.len() < threshold {
-            error!("Incorrect number of public shares");
-            return Err(InternalError::ProtocolError(Some(sender)));
-        }
-
         Ok(())
     }
 }

diff --git a/src/tshare/output.rs b/src/tshare/output.rs
@@ -69,9 +69,8 @@ impl Output {
     /// should not try to form public and private key shares independently.
     ///
     /// The provided components must satisfy the following properties:
-    /// - Validity of private key share can be checked using Feldman's VSS,
-    /// but since the id is not known, it must be tested by the caller
-    /// - The public key shares must be from a unique set of participants
+    /// - Validity of private key share can be checked using Feldman's VSS.
+    /// - The public key shares must be from a unique set of participants.
     pub fn from_parts(
         public_coeffs: Vec<CoeffPublic>,
         public_keys: Vec<KeySharePublic>,