sonr/crypto/dkg/frost/dkg_round2.go

//
// Copyright Coinbase, Inc. All Rights Reserved.
//
// SPDX-License-Identifier: Apache-2.0
//

package frost

import (
	"fmt"

	"github.com/onsonr/sonr/crypto/core/curves"
	"github.com/onsonr/sonr/crypto/internal"
	"github.com/onsonr/sonr/crypto/sharing"
)

// Round2Bcast are values that are broadcast to all other participants
// after round2 completes
type Round2Bcast struct {
	VerificationKey curves.Point
	VkShare         curves.Point
}

// Round2 implements dkg round 2 of FROST
func (dp *DkgParticipant) Round2(bcast map[uint32]*Round1Bcast, p2psend map[uint32]*sharing.ShamirShare) (*Round2Bcast, error) {
	// Make sure dkg participant is not empty
	if dp == nil || dp.Curve == nil {
		return nil, internal.ErrNilArguments
	}

	// Check dkg participant has the correct dkg round number
	if dp.round != 2 {
		return nil, internal.ErrInvalidRound
	}

	// Check the input is valid
	if bcast == nil || p2psend == nil || len(p2psend) == 0 {
		return nil, internal.ErrNilArguments
	}

	// Check length of bcast and p2psend
	if uint32(len(bcast)) > dp.feldman.Limit || uint32(len(bcast)) < dp.feldman.Threshold-1 {
		return nil, fmt.Errorf("invalid broadcast length")
	}

	if uint32(len(p2psend)) > dp.feldman.Limit-1 || uint32(len(p2psend)) < dp.feldman.Threshold-1 {
		return nil, fmt.Errorf("invalid p2pSend length")
	}

	// We should validate Wi and Ci values in Round1Bcast
	for id := range bcast {
		// ci should be within the range 1 to q-1, q is the group order.
		if bcast[id].Ci.IsZero() {
			return nil, fmt.Errorf("ci should not be zero from participant %d\n", id)
		}
	}
	// Validate each received commitment is on curve
	for id := range bcast {
		for _, com := range bcast[id].Verifiers.Commitments {
			if !com.IsOnCurve() || com.IsIdentity() {
				return nil, fmt.Errorf("some commitment is not on curve from participant %d\n", id)
			}
		}
	}

	var err error

	// Step 2 - for j in 1,...,n
	for id := range bcast {

		// Step 3 - if j == i, continue
		if id == dp.Id {
			continue
		}

		// Step 4 - Check equation c_j = H(j, CTX, A_{j,0}, g^{w_j}*A_{j,0}^{-c_j}
		// Get Aj0
		Aj0 := bcast[id].Verifiers.Commitments[0]
		// Compute g^{w_j}
		prod1 := dp.Curve.ScalarBaseMult(bcast[id].Wi)
		// Compute A_{j,0}^{-c_j}
		prod2 := Aj0.Mul(bcast[id].Ci.Neg())

		// We need to check Aj0 and prod2 are points on the same curve.
		if !Aj0.IsOnCurve() || Aj0.IsIdentity() || !prod2.IsOnCurve() || prod2.IsIdentity() || Aj0.CurveName() != prod2.CurveName() {
			return nil, fmt.Errorf("invalid Aj0 or prod2 which is not on the same curve")
		}
		if prod2 == nil {
			return nil, fmt.Errorf("invalid should not be nil")
		}

		prod := prod1.Add(prod2)
		var msg []byte
		// Append participant id
		msg = append(msg, byte(id))
		// Append CTX
		msg = append(msg, dp.ctx)
		// Append Aj0
		msg = append(msg, Aj0.ToAffineCompressed()...)
		// Append prod
		msg = append(msg, prod.ToAffineCompressed()...)
		// Hash the message and get cj
		cj := dp.Curve.Scalar.Hash(msg)
		// Check equation
		if cj.Cmp(bcast[id].Ci) != 0 {
			return nil, fmt.Errorf("Hash check fails for participant with id %d\n", id)
		}

		// Step 5 - FeldmanVerify
		fji := p2psend[id]
		if err = bcast[id].Verifiers.Verify(fji); err != nil {
			return nil, fmt.Errorf("feldman verify fails for participant with id %d\n", id)
		}
	}

	sk, err := dp.Curve.Scalar.SetBytes(dp.secretShares[dp.Id-1].Value)
	if err != nil {
		return nil, err
	}
	vk := dp.verifiers.Commitments[0]
	// Step 6 - Compute signing key share ski = \sum_{j=1}^n xji
	for id := range bcast {
		if id == dp.Id {
			continue
		}
		t2, err := dp.Curve.Scalar.SetBytes(p2psend[id].Value)
		if err != nil {
			return nil, err
		}
		sk = sk.Add(t2)
	}

	// Step 8 - Compute verification key vk = sum(A_{j,0}), j = 1,...,n
	for id := range bcast {
		if id == dp.Id {
			continue
		}
		vk = vk.Add(bcast[id].Verifiers.Commitments[0])
	}

	// Store signing key share
	dp.SkShare = sk

	// Step 7 - Compute verification key share vki = ski*G and store
	dp.VkShare = dp.Curve.ScalarBaseMult(sk)

	// Store verification key
	dp.VerificationKey = vk

	// Update round number
	dp.round = 3

	// Broadcast
	return &Round2Bcast{
		vk,
		dp.VkShare,
	}, nil
}
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`//`
			`// Copyright Coinbase, Inc. All Rights Reserved.`
			`//`
			`// SPDX-License-Identifier: Apache-2.0`
			`//`

			`package frost`

			`import (`
			`"fmt"`

feature/1220 origin handle exists method (#1241) * feat: add docs and CI workflow for publishing to onsonr.dev * (refactor): Move hway,motr executables to their own repos * feat: simplify devnet and testnet configurations * refactor: update import path for didcrypto package * docs(networks): Add README with project overview, architecture, and community links * refactor: Move network configurations to deploy directory * build: update golang version to 1.23 * refactor: move logger interface to appropriate package * refactor: Move devnet configuration to networks/devnet * chore: improve release process with date variable * (chore): Move Crypto Library * refactor: improve code structure and readability in DID module * feat: integrate Trunk CI checks * ci: optimize CI workflow by removing redundant build jobs --------- Co-authored-by: Darp Alakun <i@prad.nu> 2025-01-06 12:06:10 -05:00			`"github.com/onsonr/sonr/crypto/core/curves"`
			`"github.com/onsonr/sonr/crypto/internal"`
			`"github.com/onsonr/sonr/crypto/sharing"`
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`)`

			`// Round2Bcast are values that are broadcast to all other participants`
			`// after round2 completes`
			`type Round2Bcast struct {`
			`VerificationKey curves.Point`
			`VkShare curves.Point`
			`}`

			`// Round2 implements dkg round 2 of FROST`
			`func (dp DkgParticipant) Round2(bcast map[uint32]Round1Bcast, p2psend map[uint32]sharing.ShamirShare) (Round2Bcast, error) {`
			`// Make sure dkg participant is not empty`
			`if dp == nil \|\| dp.Curve == nil {`
			`return nil, internal.ErrNilArguments`
			`}`

			`// Check dkg participant has the correct dkg round number`
			`if dp.round != 2 {`
			`return nil, internal.ErrInvalidRound`
			`}`

			`// Check the input is valid`
			`if bcast == nil \|\| p2psend == nil \|\| len(p2psend) == 0 {`
			`return nil, internal.ErrNilArguments`
			`}`

			`// Check length of bcast and p2psend`
			`if uint32(len(bcast)) > dp.feldman.Limit \|\| uint32(len(bcast)) < dp.feldman.Threshold-1 {`
			`return nil, fmt.Errorf("invalid broadcast length")`
			`}`

			`if uint32(len(p2psend)) > dp.feldman.Limit-1 \|\| uint32(len(p2psend)) < dp.feldman.Threshold-1 {`
			`return nil, fmt.Errorf("invalid p2pSend length")`
			`}`

			`// We should validate Wi and Ci values in Round1Bcast`
			`for id := range bcast {`
			`// ci should be within the range 1 to q-1, q is the group order.`
			`if bcast[id].Ci.IsZero() {`
			`return nil, fmt.Errorf("ci should not be zero from participant %d\n", id)`
			`}`
			`}`
			`// Validate each received commitment is on curve`
			`for id := range bcast {`
			`for _, com := range bcast[id].Verifiers.Commitments {`
			`if !com.IsOnCurve() \|\| com.IsIdentity() {`
			`return nil, fmt.Errorf("some commitment is not on curve from participant %d\n", id)`
			`}`
			`}`
			`}`

			`var err error`

			`// Step 2 - for j in 1,...,n`
			`for id := range bcast {`

			`// Step 3 - if j == i, continue`
			`if id == dp.Id {`
			`continue`
			`}`

			`// Step 4 - Check equation c_j = H(j, CTX, A_{j,0}, g^{w_j}*A_{j,0}^{-c_j}`
			`// Get Aj0`
			`Aj0 := bcast[id].Verifiers.Commitments[0]`
			`// Compute g^{w_j}`
			`prod1 := dp.Curve.ScalarBaseMult(bcast[id].Wi)`
			`// Compute A_{j,0}^{-c_j}`
			`prod2 := Aj0.Mul(bcast[id].Ci.Neg())`

			`// We need to check Aj0 and prod2 are points on the same curve.`
			`if !Aj0.IsOnCurve() \|\| Aj0.IsIdentity() \|\| !prod2.IsOnCurve() \|\| prod2.IsIdentity() \|\| Aj0.CurveName() != prod2.CurveName() {`
			`return nil, fmt.Errorf("invalid Aj0 or prod2 which is not on the same curve")`
			`}`
			`if prod2 == nil {`
			`return nil, fmt.Errorf("invalid should not be nil")`
			`}`

			`prod := prod1.Add(prod2)`
			`var msg []byte`
			`// Append participant id`
			`msg = append(msg, byte(id))`
			`// Append CTX`
			`msg = append(msg, dp.ctx)`
			`// Append Aj0`
			`msg = append(msg, Aj0.ToAffineCompressed()...)`
			`// Append prod`
			`msg = append(msg, prod.ToAffineCompressed()...)`
			`// Hash the message and get cj`
			`cj := dp.Curve.Scalar.Hash(msg)`
			`// Check equation`
			`if cj.Cmp(bcast[id].Ci) != 0 {`
			`return nil, fmt.Errorf("Hash check fails for participant with id %d\n", id)`
			`}`

			`// Step 5 - FeldmanVerify`
			`fji := p2psend[id]`
			`if err = bcast[id].Verifiers.Verify(fji); err != nil {`
			`return nil, fmt.Errorf("feldman verify fails for participant with id %d\n", id)`
			`}`
			`}`

			`sk, err := dp.Curve.Scalar.SetBytes(dp.secretShares[dp.Id-1].Value)`
			`if err != nil {`
			`return nil, err`
			`}`
			`vk := dp.verifiers.Commitments[0]`
			`// Step 6 - Compute signing key share ski = \sum_{j=1}^n xji`
			`for id := range bcast {`
			`if id == dp.Id {`
			`continue`
			`}`
			`t2, err := dp.Curve.Scalar.SetBytes(p2psend[id].Value)`
			`if err != nil {`
			`return nil, err`
			`}`
			`sk = sk.Add(t2)`
			`}`

			`// Step 8 - Compute verification key vk = sum(A_{j,0}), j = 1,...,n`
			`for id := range bcast {`
			`if id == dp.Id {`
			`continue`
			`}`
			`vk = vk.Add(bcast[id].Verifiers.Commitments[0])`
			`}`

			`// Store signing key share`
			`dp.SkShare = sk`

			`// Step 7 - Compute verification key share vki = ski*G and store`
			`dp.VkShare = dp.Curve.ScalarBaseMult(sk)`

			`// Store verification key`
			`dp.VerificationKey = vk`

			`// Update round number`
			`dp.round = 3`

			`// Broadcast`
			`return &Round2Bcast{`
			`vk,`
			`dp.VkShare,`
			`}, nil`
			`}`