Merge pull request #93 from nickfarrow/master-pr-prepared

LLFourn · web-flow · commit 1778bc3ad0d9 · 2022-05-11T12:08:57.000+10:00
Make musig nonces usable in FROST
diff --git a/schnorr_fun/src/binonce.rs b/schnorr_fun/src/binonce.rs
@@ -0,0 +1,116 @@
+//! Binonces for Musig and FROST Signature Schemes
+//!
+//! A binonce is a pair of public points used in the MuSig and FROST signature schemes.
+//! Your public nonces are derived from scalars which must be kept secret.
+//! Derived binonces should be unique and and must not be reused for signing under any circumstances
+//! as this can leak your secret key.
+use secp256kfun::{g, marker::*, Point, Scalar, G};
+
+/// A nonce (pair of points) that each party must share with the others in the first stage of signing.
+#[derive(Clone, Copy, PartialEq, Debug)]
+pub struct Nonce(pub [Point; 2]);
+
+impl Nonce {
+    /// Reads the pair of nonces from 66 bytes (two 33-byte serialized points).
+    pub fn from_bytes(bytes: [u8; 66]) -> Option<Self> {
+        let R1 = Point::from_slice(&bytes[..33])?;
+        let R2 = Point::from_slice(&bytes[33..])?;
+        Some(Nonce([R1, R2]))
+    }
+
+    /// Serializes a public nonce as  as 66 bytes (two 33-byte serialized points).
+    pub fn to_bytes(&self) -> [u8; 66] {
+        let mut bytes = [0u8; 66];
+        bytes[..33].copy_from_slice(self.0[0].to_bytes().as_ref());
+        bytes[33..].copy_from_slice(self.0[1].to_bytes().as_ref());
+        bytes
+    }
+
+    /// Negate the two nonces
+    pub fn conditional_negate(&mut self, needs_negation: bool) {
+        self.0[0] = self.0[0].conditional_negate(needs_negation);
+        self.0[1] = self.0[1].conditional_negate(needs_negation);
+    }
+}
+
+secp256kfun::impl_fromstr_deserialize! {
+    name => "public nonce pair",
+    fn from_bytes(bytes: [u8;66]) -> Option<Nonce> {
+        Nonce::from_bytes(bytes)
+    }
+}
+
+secp256kfun::impl_display_serialize! {
+    fn to_bytes(nonce: &Nonce) -> [u8;66] {
+        nonce.to_bytes()
+    }
+}
+
+/// A pair of secret nonces along with the public portion.
+///
+/// A nonce key pair can be created manually with [`from_secrets`]
+///
+/// [`from_secrets`]: Self::from_secrets
+#[derive(Debug, Clone, PartialEq)]
+pub struct NonceKeyPair {
+    /// The public nonce
+    pub public: Nonce,
+    /// The secret nonce
+    pub secret: [Scalar; 2],
+}
+
+impl NonceKeyPair {
+    /// Load nonces from two secret scalars
+    pub fn from_secrets(secret: [Scalar; 2]) -> Self {
+        let [ref r1, ref r2] = secret;
+        let R1 = g!(r1 * G).normalize();
+        let R2 = g!(r2 * G).normalize();
+        NonceKeyPair {
+            public: Nonce([R1, R2]),
+            secret,
+        }
+    }
+    /// Deserializes a nonce key pair from 64-bytes (two 32-byte serialized scalars).
+    pub fn from_bytes(bytes: [u8; 64]) -> Option<Self> {
+        let r1 = Scalar::from_slice(&bytes[..32])?.mark::<NonZero>()?;
+        let r2 = Scalar::from_slice(&bytes[32..])?.mark::<NonZero>()?;
+        let R1 = g!(r1 * G).normalize();
+        let R2 = g!(r2 * G).normalize();
+        let pub_nonce = Nonce([R1, R2]);
+        Some(NonceKeyPair {
+            public: pub_nonce,
+            secret: [r1, r2],
+        })
+    }
+
+    /// Serializes a nonce key pair to 64-bytes (two 32-bytes serialized scalars).
+    pub fn to_bytes(&self) -> [u8; 64] {
+        let mut bytes = [0u8; 64];
+        bytes[..32].copy_from_slice(self.secret[0].to_bytes().as_ref());
+        bytes[32..].copy_from_slice(self.secret[1].to_bytes().as_ref());
+        bytes
+    }
+
+    /// Get the secret portion of the nonce key pair (don't share this!)
+    pub fn secret(&self) -> &[Scalar; 2] {
+        &self.secret
+    }
+
+    /// Get the public portion of the nonce key pair (share this!)
+    pub fn public(&self) -> Nonce {
+        self.public
+    }
+}
+
+secp256kfun::impl_fromstr_deserialize! {
+    name => "secret nonce pair",
+    fn from_bytes(bytes: [u8;64]) -> Option<NonceKeyPair> {
+        NonceKeyPair::from_bytes(bytes)
+    }
+}
+
+secp256kfun::impl_display_serialize! {
+    fn to_bytes(nkp: &NonceKeyPair) -> [u8;64] {
+        nkp.to_bytes()
+    }
+}
diff --git a/schnorr_fun/src/lib.rs b/schnorr_fun/src/lib.rs
@@ -22,6 +22,8 @@ extern crate serde_crate as serde;
 pub use secp256kfun as fun;
 pub use secp256kfun::nonce;
 
+/// binonces for Musig and FROST
+mod binonce;
 // musig needs vecs
 #[cfg(feature = "alloc")]
 pub mod musig;
diff --git a/schnorr_fun/src/musig.rs b/schnorr_fun/src/musig.rs
@@ -67,6 +67,7 @@
 //!
 //! [the excellent paper]: https://eprint.iacr.org/2020/1261.pdf
 //! [secp256k1-zkp]: https://github.com/ElementsProject/secp256k1-zkp/pull/131
+pub use crate::binonce::{Nonce, NonceKeyPair};
 use crate::{adaptor::EncryptedSignature, KeyPair, Message, Schnorr, Signature, Vec};
 use secp256kfun::{
     derive_nonce,
@@ -300,123 +301,6 @@ impl<H: Digest<OutputSize = U32> + Clone, S> MuSig<H, S> {
     }
 }
 
-/// A nonce (pair of points) that each party must share with the others in the first stage of signing.
-#[derive(Clone, Copy, PartialEq, Debug)]
-pub struct Nonce(pub [Point; 2]);
-
-impl Nonce {
-    /// Reads the pair of nonces from 66 bytes (two 33-byte serialized points).
-    pub fn from_bytes(bytes: [u8; 66]) -> Option<Self> {
-        let R1 = Point::from_slice(&bytes[..33])?;
-        let R2 = Point::from_slice(&bytes[33..])?;
-        Some(Nonce([R1, R2]))
-    }
-
-    /// Serializes a public nonce as  as 66 bytes (two 33-byte serialized points).
-    pub fn to_bytes(&self) -> [u8; 66] {
-        let mut bytes = [0u8; 66];
-        bytes[..33].copy_from_slice(self.0[0].to_bytes().as_ref());
-        bytes[33..].copy_from_slice(self.0[1].to_bytes().as_ref());
-        bytes
-    }
-}
-
-secp256kfun::impl_fromstr_deserialize! {
-    name => "MuSig2 public nonce pair",
-    fn from_bytes(bytes: [u8;66]) -> Option<Nonce> {
-        Nonce::from_bytes(bytes)
-    }
-}
-
-secp256kfun::impl_display_serialize! {
-    fn to_bytes(nonce: &Nonce) -> [u8;66] {
-        nonce.to_bytes()
-    }
-}
-
-/// A pair of secret nonces along with the public portion.
-///
-/// A nonce key pair can be created manually with [`from_secrets`] or with [`MuSig::gen_nonces`].
-///
-/// [`from_secrets`]: Self::from_secrets
-/// [`MuSig::gen_nonces`]: MuSig::gen_nonces
-#[derive(Debug, Clone, PartialEq)]
-pub struct NonceKeyPair {
-    /// The public nonce
-    public: Nonce,
-    /// The secret nonce
-    secret: [Scalar; 2],
-}
-
-impl NonceKeyPair {
-    /// Creates a keypair from two secret scalars.
-    ///
-    /// ## Security
-    ///
-    /// You must never use the same `NonceKeyPair` into two signing sessions.
-    ///
-    /// ## Example
-    /// ```
-    /// use schnorr_fun::{fun::Scalar, musig::NonceKeyPair};
-    /// let nkp = NonceKeyPair::from_secrets([
-    ///     Scalar::random(&mut rand::thread_rng()),
-    ///     Scalar::random(&mut rand::thread_rng()),
-    /// ]);
-    /// ```
-    pub fn from_secrets(secret: [Scalar; 2]) -> Self {
-        let [ref r1, ref r2] = secret;
-        let R1 = g!(r1 * G).normalize();
-        let R2 = g!(r2 * G).normalize();
-        NonceKeyPair {
-            public: Nonce([R1, R2]),
-            secret,
-        }
-    }
-    /// Deserializes a nonce key pair from 64-bytes (two 32-byte serialized scalars).
-    pub fn from_bytes(bytes: [u8; 64]) -> Option<Self> {
-        let r1 = Scalar::from_slice(&bytes[..32])?.mark::<NonZero>()?;
-        let r2 = Scalar::from_slice(&bytes[32..])?.mark::<NonZero>()?;
-        let R1 = g!(r1 * G).normalize();
-        let R2 = g!(r2 * G).normalize();
-        let pub_nonce = Nonce([R1, R2]);
-        Some(NonceKeyPair {
-            public: pub_nonce,
-            secret: [r1, r2],
-        })
-    }
-
-    /// Serializes a nonce key pair to 64-bytes (two 32-bytes serialized scalars).
-    pub fn to_bytes(&self) -> [u8; 64] {
-        let mut bytes = [0u8; 64];
-        bytes[..32].copy_from_slice(self.secret[0].to_bytes().as_ref());
-        bytes[32..].copy_from_slice(self.secret[1].to_bytes().as_ref());
-        bytes
-    }
-
-    /// Get the secret portion of the nonce key pair (don't share this!)
-    pub fn secret(&self) -> &[Scalar; 2] {
-        &self.secret
-    }
-
-    /// Get the public portion of the nonce key pair (share this!)
-    pub fn public(&self) -> Nonce {
-        self.public
-    }
-}
-
-secp256kfun::impl_fromstr_deserialize! {
-    name => "MuSig secret nonce pair",
-    fn from_bytes(bytes: [u8;64]) -> Option<NonceKeyPair> {
-        NonceKeyPair::from_bytes(bytes)
-    }
-}
-
-secp256kfun::impl_display_serialize! {
-    fn to_bytes(nkp: &NonceKeyPair) -> [u8;64] {
-        nkp.to_bytes()
-    }
-}
-
 impl<H: Digest<OutputSize = U32> + Clone, NG: NonceGen> MuSig<H, Schnorr<H, NG>> {
     /// Generate nonces for your local keys in keylist.
     ///
@@ -441,6 +325,7 @@ impl<H: Digest<OutputSize = U32> + Clone, NG: NonceGen> MuSig<H, Schnorr<H, NG>>
     /// [`Deterministic`]: secp256kfun::nonce::Deterministic
     /// [`start_sign_session`]: Self::start_sign_session
     /// [`start_sign_session_deterministic`]: Self::start_sign_session_deterministic
+    /// [`NonceKeyPair`]: schnorr_fun::binonce::NonceKeyPair
     pub fn gen_nonces(&self, keylist: &KeyList, sid: &[u8]) -> Vec<NonceKeyPair> {
         keylist
             .parties
