forked from coinbase/kryptology
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dkg_round2.go
158 lines (134 loc) · 4.11 KB
/
dkg_round2.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
//
// Copyright Coinbase, Inc. All Rights Reserved.
//
// SPDX-License-Identifier: Apache-2.0
//
package frost
import (
"fmt"
"github.com/coinbase/kryptology/internal"
"github.com/coinbase/kryptology/pkg/core/curves"
"github.com/coinbase/kryptology/pkg/sharing"
)
// Round2Bcast are values that are broadcast to all other participants
// after round2 completes
type Round2Bcast struct {
VerificationKey curves.Point
VkShare curves.Point
}
// Round2 implements dkg round 2 of FROST
func (dp *DkgParticipant) Round2(bcast map[uint32]*Round1Bcast, p2psend map[uint32]*sharing.ShamirShare) (*Round2Bcast, error) {
// Make sure dkg participant is not empty
if dp == nil || dp.Curve == nil {
return nil, internal.ErrNilArguments
}
// Check dkg participant has the correct dkg round number
if dp.round != 2 {
return nil, internal.ErrInvalidRound
}
// Check the input is valid
if bcast == nil || p2psend == nil || len(p2psend) == 0 {
return nil, internal.ErrNilArguments
}
// Check length of bcast and p2psend
if uint32(len(bcast)) > dp.feldman.Limit || uint32(len(bcast)) < dp.feldman.Threshold-1 {
return nil, fmt.Errorf("invalid broadcast length")
}
if uint32(len(p2psend)) > dp.feldman.Limit-1 || uint32(len(p2psend)) < dp.feldman.Threshold-1 {
return nil, fmt.Errorf("invalid p2pSend length")
}
// We should validate Wi and Ci values in Round1Bcast
for id := range bcast {
// ci should be within the range 1 to q-1, q is the group order.
if bcast[id].Ci.IsZero() {
return nil, fmt.Errorf("ci should not be zero from participant %d\n", id)
}
}
// Validate each received commitment is on curve
for id := range bcast {
for _, com := range bcast[id].Verifiers.Commitments {
if !com.IsOnCurve() || com.IsIdentity() {
return nil, fmt.Errorf("some commitment is not on curve from participant %d\n", id)
}
}
}
var err error
// Step 2 - for j in 1,...,n
for id := range bcast {
// Step 3 - if j == i, continue
if id == dp.Id {
continue
}
// Step 4 - Check equation c_j = H(j, CTX, A_{j,0}, g^{w_j}*A_{j,0}^{-c_j}
// Get Aj0
Aj0 := bcast[id].Verifiers.Commitments[0]
// Compute g^{w_j}
prod1 := dp.Curve.ScalarBaseMult(bcast[id].Wi)
// Compute A_{j,0}^{-c_j}
prod2 := Aj0.Mul(bcast[id].Ci.Neg())
// We need to check Aj0 and prod2 are points on the same curve.
if !Aj0.IsOnCurve() || Aj0.IsIdentity() || !prod2.IsOnCurve() || prod2.IsIdentity() || Aj0.CurveName() != prod2.CurveName() {
return nil, fmt.Errorf("invalid Aj0 or prod2 which is not on the same curve")
}
if prod2 == nil {
return nil, fmt.Errorf("invalid should not be nil")
}
prod := prod1.Add(prod2)
var msg []byte
// Append participant id
msg = append(msg, byte(id))
// Append CTX
msg = append(msg, dp.ctx)
// Append Aj0
msg = append(msg, Aj0.ToAffineCompressed()...)
// Append prod
msg = append(msg, prod.ToAffineCompressed()...)
// Hash the message and get cj
cj := dp.Curve.Scalar.Hash(msg)
// Check equation
if cj.Cmp(bcast[id].Ci) != 0 {
return nil, fmt.Errorf("Hash check fails for participant with id %d\n", id)
}
// Step 5 - FeldmanVerify
fji := p2psend[id]
if err = bcast[id].Verifiers.Verify(fji); err != nil {
return nil, fmt.Errorf("feldman verify fails for participant with id %d\n", id)
}
}
sk, err := dp.Curve.Scalar.SetBytes(dp.secretShares[dp.Id-1].Value)
if err != nil {
return nil, err
}
vk := dp.verifiers.Commitments[0]
// Step 6 - Compute signing key share ski = \sum_{j=1}^n xji
for id := range bcast {
if id == dp.Id {
continue
}
t2, err := dp.Curve.Scalar.SetBytes(p2psend[id].Value)
if err != nil {
return nil, err
}
sk = sk.Add(t2)
}
// Step 8 - Compute verification key vk = sum(A_{j,0}), j = 1,...,n
for id := range bcast {
if id == dp.Id {
continue
}
vk = vk.Add(bcast[id].Verifiers.Commitments[0])
}
// Store signing key share
dp.SkShare = sk
// Step 7 - Compute verification key share vki = ski*G and store
dp.VkShare = dp.Curve.ScalarBaseMult(sk)
// Store verification key
dp.VerificationKey = vk
// Update round number
dp.round = 3
// Broadcast
return &Round2Bcast{
vk,
dp.VkShare,
}, nil
}