frosix

frost_high.h (11192B)

---

 /*
   This file is part of Frosix
   Copyright (C) 2022, 2023 Joel Urech
 
   Frosix is free software; you can redistribute it and/or modify it under the
   terms of the GNU Affero General Public License as published by the Free Software
   Foundation; either version 3, or (at your option) any later version.
 
   Frosix is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
   A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.
 
   You should have received a copy of the GNU Affero General Public License along with
   Frosix; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
 */
 /**
  * @file include/frost_high.h
  * @brief frosix high level api to create a signature share
  * @author Joel Urech
 */
 #ifndef FROST_HIGH_H
 #define FROST_HIGH_H
 
 #include "frost_low.h"
 #include <gnunet/gnunet_util_lib.h>
 
 /**
  * Representation of the PUBLIC KEY
  */
 struct FROST_PublicKey
 {
   /**
    * Our public key is an element on the elliptic curve.
    */
   struct FROST_Point pk;
 };
 
 /**
  * Representation of the KEY MATERIAL every participant needs in order to
  * create a partial signature.
  * Gets generated in a key generation process.
  */
 struct FROST_KeyPair
 {
   /**
    * Unique identifier of the participant, must be greater than 0 and less
    * than 255.
   */
   uint8_t identifier;
   /**
    * The secret key of the participant, a scalar in the range of the elliptic
    * curve.
   */
   struct FROST_Scalar my_sk;
   /**
    * Public key matching the secret key above, as an element on the elliptic
    * curve.
   */
   struct FROST_Point my_pk;
   /**
    * Public key to identify the group and to verify the final signatures.
   */
   struct FROST_PublicKey group_pk;
 };
 
 /**
  * Representation of a HASH over an arbitrary long message.
  */
 struct FROST_MessageHash
 {
   /**
    * The hash of our message.
    */
   struct FROST_HashCode hash;
 };
 
 /**
  * Representation of a NONCE generated by each participant in 'Round 1'.
  */
 struct FROST_Nonce
 {
   /**
    * Secret hiding or blinding value, a random scalar in the range of the elliptic
    * curve.
    */
   struct FROST_Scalar hiding_nonce;
   /**
    * Secret binding value, a random scalar in the range of the elliptic curve.
    */
   struct FROST_Scalar binding_nonce;
 };
 
 /**
  * Representation of a COMMITMENT generated by each participant in 'Round 1'.
  */
 struct FROST_Commitment
 {
   /**
    * ID of the participant issuing the commitment.
    */
   uint8_t identifier;
   /**
    * Public hiding or blinding value, an element on the elliptic curve.
    */
   struct FROST_Point hiding_commitment;
   /**
    * Public binding value, an element on the elliptic curve.
    */
   struct FROST_Point binding_commitment;
 };
 
 /**
  * Representation of a PARTIAL SIGNATURE.
  */
 struct FROST_SignatureShare
 {
   /**
    * Not sure if needed...
    */
   uint8_t identifier;
   /**
    * The resulting signature share, a scalar in the range of the elliptic
    * curve.
    */
   struct FROST_Scalar sig_share;
   /**
    * The partial public key for convenience only.
    * Otherwise the 'SA' has to compute each partial public key to verify the
    * partial signature.
    */
   struct FROST_Point pk_i;
 };
 
 
 /**
  * Representation of a Schnorr SIGNATURE
  */
 struct FROST_Signature
 {
   /**
    * The 'R' value aka group commitment, as an element on the elliptic curve.
    */
   struct FROST_Point r;
   /**
    * The aggregation of all partial signatures, a scalar in the range of the
    * elliptic curve.
    * This is the 's' value in a EdDSA signature scheme.
    */
   struct FROST_Scalar z;
 };
 
 
 /**
  * High entropy value to seed the nonce generation function.
  * If this value gets reused, an attack on the private key is possible!
 */
 struct FROST_CommitmentSeed
 {
   /**
    * The seed is instantiated as a random scalar value from the group.
   */
   struct FROST_Scalar scal;
 };
 
 /**
  * Initializes the underlying libsodium library.Always call this function
  * first, before using libfrost!
  *
  * @result Returns 0 on success, -1 on failure and 1 if the library had already
  * been initialized.
 */
 int
 FROST_init (void);
 
 /**
  * @brief Before a user can start a signing process, he has to convert a message,
  * an arbitrary amount of data, into a hash value that we can use.
  *
  * @param[out] message_hash The resulting hash
  * @param[in] msg The real message, a pointer to an abritrary long datablock
  * @param msg_len Nmber of bytes, the length, of the given datablock
  */
 void
 FROST_message_to_hash (struct FROST_MessageHash *message_hash,
                        const void *msg,
                        size_t msg_len);
 
 
 /**
  * Generates a high entropy and unpredictable random value
  * in the range of [0..L[.  * L is the order of the ristretto255 group.
  * Take care if application runs as a VM, can produce same output if
  * snapshotted and restored!
  *
  * @param[out] seed The returning random and therefore unpredictable bytes.
 */
 void
 FROST_get_random_seed (struct FROST_CommitmentSeed *seed);
 
 /**
  * @brief The Signature Aggregator 'SA' (normally the user) chooses 't' (t = threshold) random participants
  * out of all available participants and asks them to send him a commitment.
  * This function generates a secret nonce- and a public commitment value.
  *
  * @param[out] nonce The resulting secret nonce, which we will use in 'Round 2'
  * @param[out] commitment The resulting public commitment, which we send back to the 'SA'
  * @param[in] message_hash Hash of the message to sign. Is part of the commitment
  * @param[in] seed A high entropy random seed to generate the commitment from.
  * DO NOT USE TWICE!
  */
 void
 FROST_generate_nonce_and_commitment (struct FROST_Nonce *nonce,
                                      struct FROST_Commitment *commitment,
                                      const struct
                                      FROST_MessageHash *message_hash,
                                      const struct FROST_CommitmentSeed *seed);
 
 /**
  * @brief The 'SA' constructs a sorted list out of all commitments and send this commitment list together with the message hash to each chosen participant.
  * Every participant has to verify for each of the received commitments if they are actually two valid encoded points on the curve.
  * If the validation fails, abort the signature process and return to the 'SA' which of the commitment has failed.
  *
  * @param[in] commitment A single commitment to validate
  * @return GNUNET_OK if everything is ok, otherwise GNUNET_NO. Abort the signing process in case its not 1!
  */
 enum GNUNET_GenericReturnValue
 FROST_validate_commitment (
   const struct FROST_Commitment *commitment);
 
 
 /**
  * @brief If the validation has not failed, compute a signature share for the given message hash.
  *
  * Secret key share of participant: \f$s_i\f$
  * Nonce of participant: \f$(d_i, e_i)\f$
  * Lagrange coefficient of participant: \f$\lambda_i\f$
  * Compute binding value of each participant:
  * \f$p_i = H(i || m || B)\f$
  * Compute group commitment:
  * \f$R_i = D_i(E_i)^{p_i}\f$
  * \f$R = \prod R_i\f$
  * Compute challenge:
  * \f$c = H(R || pk || m)\f$
  * Compute signature share:
  * \f$z_i = d_i + (e_i \cdot p_i)\lambda_is_ic\f$
  *
  * @param[out] signature_share The resulting signature share. We have to return this data back to the 'SA' (\f$(z_i,pk_i)\f$)
  * @param[in] message_hash Our message we want to sign (\f$m\f$)
  * @param[in] commitments List of all commitments, the order of the elements is crucial! (\f$B\f$)
  * @param commitments_len Number of commitments, usually corresponds to the number of participants
  * @param my_key_pair Our key material, which was generated by a preliminary key generation process
  * @param my_nonce Our secret random value, matching our commitment that we sent previously to the 'SA'
  * @return #GNUNET_OK
  *         #GNUNET_NO
  */
 enum GNUNET_GenericReturnValue
 FROST_sign_message_hash (struct FROST_SignatureShare *signature_share,
                          const struct FROST_MessageHash *message_hash,
                          const struct FROST_Commitment commitments[],
                          size_t commitments_len,
                          const struct FROST_KeyPair *my_key_pair,
                          const struct FROST_Nonce *my_nonce);
 
 /**
  * @brief Gives the 'SA' the possibility to verify each received signature share
  * against the commitment from round 1.
  *
  * Compute binding value of each participant:
  * \f$p_i = H(i || m || B)\f$
  * Compute group commitment:
  * \f$R_i = D_i(E_i)^{p_i}\f$
  * \f$R = \prod R_i\f$
  * Compute challenge:
  * \f$c = H(R || pk || m)\f$
  * Lagrange coefficient of participant: \f$\lambda_i\f$
  * Verify signature share:
  * \f$g^{z_i} = R_ipk^{c\lambda_i}\f$ ?
  *
  * @param[in] commitment_i The commitment that the participant 'i' has previously sent (\f$(D_i, E_i)\f$)
  * @param[in] signature_share_i The partial signature of the participant 'i' to be verified (\f$z_i\f$)
  * @param[in] commitments List of all commitments. The order of the elements is crucial! (\f$B\f$)
  * @param commitments_len Number of commitments, usually corresponds to the number of participants
  * @param[in] public_key Group public key is needed to compute the group challenge (\f$pk\f$)
  * @param[in] message_hash The hashed message (\f$m\f$)
  * @return GNUNET_OK or GNUNET_NO. Abort the signing process in case its not GNUNET_OK!
  */
 enum GNUNET_GenericReturnValue
 FROST_verify_signature_share (const struct FROST_Commitment *commitment_i,
                               const struct FROST_SignatureShare
                               *signature_share_i,
                               const struct FROST_Commitment commitments[],
                               uint8_t commitments_len,
                               const struct FROST_PublicKey *public_key,
                               const struct FROST_MessageHash *message_hash);
 
 /**
  * @brief Aggregates the signature shares from all participants, computes the group commitment aka 'R' value
  * and returns the final signature over the given message.
  * Sum all singature shares:
  * \f$z = \sum z_i\f$
  * Compute binding value of each participant:
  * \f$p_i = H(i || m || B)\f$
  * Compute group commitment:
  * \f$R_i = D_i(E_i)^{p_i}\f$
  * \f$R = \prod R_i\f$
  * Resulting signature:
  * \f$sig = (R, z)\f$
  *
  * @param[out] signature The resulting signature of the given message (\f$sig = (R, z)\f$)
  * @param[in] commitments List of all commitments. The order of the elements is crucial! (\f$B\f$)
  * @param[in] signature_shares List of all partial signatures. The sorting doesn't matter (\f$z_i\f$)
  * @param commitments_and_sig_shares_len Should correspond to the number of participants
  * @param[in] message_hash The hashed message as an element on the elliptic curve (\f$m\f$)
  */
 void
 FROST_compose_signature (struct FROST_Signature *signature,
                          const struct FROST_Commitment commitments[],
                          const struct FROST_SignatureShare
                          signature_shares[],
                          uint8_t commitments_and_sig_shares_len,
                          const struct FROST_MessageHash *message_hash);
 
 #endif