sonr/crypto/dkg/frost/dkg_round1.go

//
// Copyright Coinbase, Inc. All Rights Reserved.
//
// SPDX-License-Identifier: Apache-2.0
//

package frost

import (
	"bytes"
	crand "crypto/rand"
	"encoding/gob"
	"fmt"
	"reflect"

	"github.com/pkg/errors"

	"github.com/onsonr/sonr/crypto/core/curves"
	"github.com/onsonr/sonr/crypto/internal"
	"github.com/onsonr/sonr/crypto/sharing"
)

// Round1Bcast are values that are broadcast to all other participants
// after round1 completes
type Round1Bcast struct {
	Verifiers *sharing.FeldmanVerifier
	Wi, Ci    curves.Scalar
}

type Round1Result struct {
	Broadcast *Round1Bcast
	P2P       *sharing.ShamirShare
}

func (result *Round1Result) Encode() ([]byte, error) {
	gob.Register(result.Broadcast.Verifiers.Commitments[0]) // just the point for now
	gob.Register(result.Broadcast.Ci)
	buf := &bytes.Buffer{}
	enc := gob.NewEncoder(buf)
	if err := enc.Encode(result); err != nil {
		return nil, errors.Wrap(err, "couldn't encode round 1 broadcast")
	}
	return buf.Bytes(), nil
}

func (result *Round1Result) Decode(input []byte) error {
	buf := bytes.NewBuffer(input)
	dec := gob.NewDecoder(buf)
	if err := dec.Decode(result); err != nil {
		return errors.Wrap(err, "couldn't encode round 1 broadcast")
	}
	return nil
}

// Round1P2PSend are values that are P2PSend to all other participants
// after round1 completes
type Round1P2PSend = map[uint32]*sharing.ShamirShare

// Round1 implements dkg round 1 of FROST
func (dp *DkgParticipant) Round1(secret []byte) (*Round1Bcast, Round1P2PSend, error) {
	// Make sure dkg participant is not empty
	if dp == nil || dp.Curve == nil {
		return nil, nil, internal.ErrNilArguments
	}

	// Make sure round number is correct
	if dp.round != 1 {
		return nil, nil, internal.ErrInvalidRound
	}

	// Check number of participants
	if uint32(len(dp.otherParticipantShares)+1) > dp.feldman.Limit || uint32(len(dp.otherParticipantShares)+1) < dp.feldman.Threshold {
		return nil, nil, fmt.Errorf("length of dp.otherParticipantShares + 1 should be equal to feldman limit")
	}

	// If secret is nil, sample a new one
	// If not, check secret is valid
	var s curves.Scalar
	var err error
	if secret == nil {
		s = dp.Curve.Scalar.Random(crand.Reader)
	} else {
		s, err = dp.Curve.Scalar.SetBytes(secret)
		if err != nil {
			return nil, nil, err
		}
		if s.IsZero() {
			return nil, nil, internal.ErrZeroValue
		}
	}

	// Step 1 - (Aj0,...Ajt), (xi1,...,xin) <- FeldmanShare(s)
	// We should validate types of Feldman curve scalar and participant's curve scalar.
	if reflect.TypeOf(dp.feldman.Curve.Scalar) != reflect.TypeOf(dp.Curve.Scalar) {
		return nil, nil, fmt.Errorf("feldman scalar should have the same type as the dkg participant scalar")
	}
	verifiers, shares, err := dp.feldman.Split(s, crand.Reader)
	if err != nil {
		return nil, nil, err
	}

	// Store Verifiers and shares
	dp.verifiers = verifiers
	dp.secretShares = shares

	// Step 2 - Sample ki <- Z_q
	ki := dp.Curve.Scalar.Random(crand.Reader)

	// Step 3 - Compute Ri = ki*G
	Ri := dp.Curve.ScalarBaseMult(ki)

	// Step 4 - Compute Ci = H(i, CTX, g^{a_(i,0)}, R_i), where CTX is fixed context string
	var msg []byte
	// Append participant id
	msg = append(msg, byte(dp.Id))
	// Append CTX
	msg = append(msg, dp.ctx)
	// Append a_{i,0}*G
	msg = append(msg, verifiers.Commitments[0].ToAffineCompressed()...)
	// Append Ri
	msg = append(msg, Ri.ToAffineCompressed()...)
	// Hash the message and get Ci
	ci := dp.Curve.Scalar.Hash(msg)

	// Step 5 - Compute Wi = ki+a_{i,0}*c_i mod q. Note that a_{i,0} is the secret.
	// Note: We have to compute scalar in the following way when using ed25519 curve, rather than scalar := dp.Scalar.Mul(s, Ci)
	// there is an invalid encoding error when we compute scalar as above.
	wi := s.MulAdd(ci, ki)

	// Step 6 - Broadcast (Ci, Wi, Ci) to other participants
	round1Bcast := &Round1Bcast{
		verifiers,
		wi,
		ci,
	}

	// Step 7 - P2PSend f_i(j) to each participant Pj and keep (i, f_j(i)) for himself
	p2pSend := make(Round1P2PSend, len(dp.otherParticipantShares))
	for id := range dp.otherParticipantShares {
		p2pSend[id] = shares[id-1]
	}

	// Update internal state
	dp.round = 2

	// return
	return round1Bcast, p2pSend, nil
}
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`//`
			`// Copyright Coinbase, Inc. All Rights Reserved.`
			`//`
			`// SPDX-License-Identifier: Apache-2.0`
			`//`

			`package frost`

			`import (`
			`"bytes"`
			`crand "crypto/rand"`
			`"encoding/gob"`
			`"fmt"`
			`"reflect"`

			`"github.com/pkg/errors"`

feature/1220 origin handle exists method (#1241) * feat: add docs and CI workflow for publishing to onsonr.dev * (refactor): Move hway,motr executables to their own repos * feat: simplify devnet and testnet configurations * refactor: update import path for didcrypto package * docs(networks): Add README with project overview, architecture, and community links * refactor: Move network configurations to deploy directory * build: update golang version to 1.23 * refactor: move logger interface to appropriate package * refactor: Move devnet configuration to networks/devnet * chore: improve release process with date variable * (chore): Move Crypto Library * refactor: improve code structure and readability in DID module * feat: integrate Trunk CI checks * ci: optimize CI workflow by removing redundant build jobs --------- Co-authored-by: Darp Alakun <i@prad.nu> 2025-01-06 12:06:10 -05:00			`"github.com/onsonr/sonr/crypto/core/curves"`
			`"github.com/onsonr/sonr/crypto/internal"`
			`"github.com/onsonr/sonr/crypto/sharing"`
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`)`

			`// Round1Bcast are values that are broadcast to all other participants`
			`// after round1 completes`
			`type Round1Bcast struct {`
			`Verifiers *sharing.FeldmanVerifier`
			`Wi, Ci curves.Scalar`
			`}`

			`type Round1Result struct {`
			`Broadcast *Round1Bcast`
			`P2P *sharing.ShamirShare`
			`}`

			`func (result *Round1Result) Encode() ([]byte, error) {`
			`gob.Register(result.Broadcast.Verifiers.Commitments[0]) // just the point for now`
			`gob.Register(result.Broadcast.Ci)`
			`buf := &bytes.Buffer{}`
			`enc := gob.NewEncoder(buf)`
			`if err := enc.Encode(result); err != nil {`
			`return nil, errors.Wrap(err, "couldn't encode round 1 broadcast")`
			`}`
			`return buf.Bytes(), nil`
			`}`

			`func (result *Round1Result) Decode(input []byte) error {`
			`buf := bytes.NewBuffer(input)`
			`dec := gob.NewDecoder(buf)`
			`if err := dec.Decode(result); err != nil {`
			`return errors.Wrap(err, "couldn't encode round 1 broadcast")`
			`}`
			`return nil`
			`}`

			`// Round1P2PSend are values that are P2PSend to all other participants`
			`// after round1 completes`
			`type Round1P2PSend = map[uint32]*sharing.ShamirShare`

			`// Round1 implements dkg round 1 of FROST`
			`func (dp DkgParticipant) Round1(secret []byte) (Round1Bcast, Round1P2PSend, error) {`
			`// Make sure dkg participant is not empty`
			`if dp == nil \|\| dp.Curve == nil {`
			`return nil, nil, internal.ErrNilArguments`
			`}`

			`// Make sure round number is correct`
			`if dp.round != 1 {`
			`return nil, nil, internal.ErrInvalidRound`
			`}`

			`// Check number of participants`
			`if uint32(len(dp.otherParticipantShares)+1) > dp.feldman.Limit \|\| uint32(len(dp.otherParticipantShares)+1) < dp.feldman.Threshold {`
			`return nil, nil, fmt.Errorf("length of dp.otherParticipantShares + 1 should be equal to feldman limit")`
			`}`

			`// If secret is nil, sample a new one`
			`// If not, check secret is valid`
			`var s curves.Scalar`
			`var err error`
			`if secret == nil {`
			`s = dp.Curve.Scalar.Random(crand.Reader)`
			`} else {`
			`s, err = dp.Curve.Scalar.SetBytes(secret)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`if s.IsZero() {`
			`return nil, nil, internal.ErrZeroValue`
			`}`
			`}`

			`// Step 1 - (Aj0,...Ajt), (xi1,...,xin) <- FeldmanShare(s)`
			`// We should validate types of Feldman curve scalar and participant's curve scalar.`
			`if reflect.TypeOf(dp.feldman.Curve.Scalar) != reflect.TypeOf(dp.Curve.Scalar) {`
			`return nil, nil, fmt.Errorf("feldman scalar should have the same type as the dkg participant scalar")`
			`}`
			`verifiers, shares, err := dp.feldman.Split(s, crand.Reader)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// Store Verifiers and shares`
			`dp.verifiers = verifiers`
			`dp.secretShares = shares`

			`// Step 2 - Sample ki <- Z_q`
			`ki := dp.Curve.Scalar.Random(crand.Reader)`

			`// Step 3 - Compute Ri = ki*G`
			`Ri := dp.Curve.ScalarBaseMult(ki)`

			`// Step 4 - Compute Ci = H(i, CTX, g^{a_(i,0)}, R_i), where CTX is fixed context string`
			`var msg []byte`
			`// Append participant id`
			`msg = append(msg, byte(dp.Id))`
			`// Append CTX`
			`msg = append(msg, dp.ctx)`
			`// Append a_{i,0}*G`
			`msg = append(msg, verifiers.Commitments[0].ToAffineCompressed()...)`
			`// Append Ri`
			`msg = append(msg, Ri.ToAffineCompressed()...)`
			`// Hash the message and get Ci`
			`ci := dp.Curve.Scalar.Hash(msg)`

			`// Step 5 - Compute Wi = ki+a_{i,0}*c_i mod q. Note that a_{i,0} is the secret.`
			`// Note: We have to compute scalar in the following way when using ed25519 curve, rather than scalar := dp.Scalar.Mul(s, Ci)`
			`// there is an invalid encoding error when we compute scalar as above.`
			`wi := s.MulAdd(ci, ki)`

			`// Step 6 - Broadcast (Ci, Wi, Ci) to other participants`
			`round1Bcast := &Round1Bcast{`
			`verifiers,`
			`wi,`
			`ci,`
			`}`

			`// Step 7 - P2PSend f_i(j) to each participant Pj and keep (i, f_j(i)) for himself`
			`p2pSend := make(Round1P2PSend, len(dp.otherParticipantShares))`
			`for id := range dp.otherParticipantShares {`
			`p2pSend[id] = shares[id-1]`
			`}`

			`// Update internal state`
			`dp.round = 2`

			`// return`
			`return round1Bcast, p2pSend, nil`
			`}`