sonr/crypto/ted25519/frost/round2.go

//
// Copyright Coinbase, Inc. All Rights Reserved.
//
// SPDX-License-Identifier: Apache-2.0
//

package frost

import (
	"bytes"
	"encoding/gob"
	"fmt"

	"github.com/pkg/errors"

	"github.com/onsonr/sonr/crypto/core/curves"
	"github.com/onsonr/sonr/crypto/internal"
)

// Round2Bcast contains values that will be broadcast to other signers after completion of round 2.
type Round2Bcast struct {
	Zi  curves.Scalar
	Vki curves.Point
}

func (result *Round2Bcast) Encode() ([]byte, error) {
	gob.Register(result.Zi)
	gob.Register(result.Vki) // just the point for now
	buf := &bytes.Buffer{}
	enc := gob.NewEncoder(buf)
	if err := enc.Encode(result); err != nil {
		return nil, errors.Wrap(err, "couldn't encode round 1 broadcast")
	}
	return buf.Bytes(), nil
}

func (result *Round2Bcast) Decode(input []byte) error {
	buf := bytes.NewBuffer(input)
	dec := gob.NewDecoder(buf)
	if err := dec.Decode(result); err != nil {
		return errors.Wrap(err, "couldn't encode round 1 broadcast")
	}
	return nil
}

// SignRound2 implements FROST signing round 2.
func (signer *Signer) SignRound2(msg []byte, round2Input map[uint32]*Round1Bcast) (*Round2Bcast, error) {
	// Make sure necessary items of signer are not empty
	if signer == nil || signer.curve == nil || signer.state == nil {
		return nil, internal.ErrNilArguments
	}

	// Make sure those private d is not empty and not zero
	if signer.state.smallD == nil || signer.state.smallD.IsZero() {
		return nil, fmt.Errorf("empty d or d is zero")
	}

	// Make sure those private e is not empty and not zero
	if signer.state.smallE == nil || signer.state.smallE.IsZero() {
		return nil, fmt.Errorf("empty e or e is zero")
	}

	// Make sure msg is not empty
	if len(msg) == 0 {
		return nil, internal.ErrNilArguments
	}

	// Make sure the round number is correct
	if signer.round != 2 {
		return nil, internal.ErrInvalidRound
	}

	// Check length of round2Input
	if uint32(len(round2Input)) != signer.threshold {
		return nil, fmt.Errorf("Invalid length of round2Input")
	}

	// Step 2 - Check Dj, Ej on the curve and Store round2Input
	for id, input := range round2Input {
		if input == nil || input.Di == nil || input.Ei == nil {
			return nil, fmt.Errorf("round2Input is nil from participant with id %d\n", id)
		}
		if !input.Di.IsOnCurve() || input.Di.IsIdentity() {
			return nil, fmt.Errorf("commitment Di is not on the curve with id %d\n", id)
		}
		if !input.Ei.IsOnCurve() || input.Ei.IsIdentity() {
			return nil, fmt.Errorf("commitment Ei is not on the curve with id %d\n", id)
		}
	}
	// Store Dj, Ej for further usage.
	signer.state.commitments = round2Input

	// Step 3-6
	R := signer.curve.NewIdentityPoint()
	var ri curves.Scalar
	Rs := make(map[uint32]curves.Point, signer.threshold)
	for id, data := range round2Input {
		// Construct the blob (j, m, {Dj, Ej})
		blob := concatHashArray(id, msg, round2Input, signer.cosigners)

		// Step 4 - rj = H(j,m,{Dj,Ej}_{j in [1...t]})
		rj := signer.curve.Scalar.Hash(blob)
		if signer.id == id {
			ri = rj
		}

		// Step 5 - R_j = D_j + r_j*E_j
		rjEj := data.Ei.Mul(rj)
		Rj := rjEj.Add(data.Di)
		// assign Rj
		Rs[id] = Rj

		// Step 6 - R = R+Rj
		R = R.Add(Rj)
	}

	// Step 7 - c = H(m, R)
	c, err := signer.challengeDeriver.DeriveChallenge(msg, signer.verificationKey, R)
	if err != nil {
		return nil, err
	}

	// Step 8 - Record c, R, Rjs
	signer.state.c = c
	signer.state.capRs = Rs
	signer.state.sumR = R

	// Step 9 - zi = di + ei*ri + Li*ski*c
	Li := signer.lCoeffs[signer.id]
	Liski := Li.Mul(signer.skShare)

	Liskic := Liski.Mul(c)

	if R.IsNegative() {
		signer.state.smallE = signer.state.smallE.Neg()
		signer.state.smallD = signer.state.smallD.Neg()
	}

	eiri := signer.state.smallE.Mul(ri)

	// Compute zi = di+ei*ri+Li*ski*c
	zi := Liskic.Add(eiri)
	zi = zi.Add(signer.state.smallD)

	// Update round number and store message
	signer.round = 3
	signer.state.msg = msg

	// set smallD and smallE to zero since they are one-time use
	signer.state.smallD = signer.curve.NewScalar()
	signer.state.smallE = signer.curve.NewScalar()

	// Step 10 - Broadcast zi, vki to other participants
	return &Round2Bcast{
		zi,
		signer.vkShare,
	}, nil
}

// concatHashArray puts id, msg and (Dj,Ej), j=1...t into a byte array
func concatHashArray(id uint32, msg []byte, round2Input map[uint32]*Round1Bcast, cosigners []uint32) []byte {
	var blob []byte
	// Append identity id
	blob = append(blob, byte(id))

	// Append message msg
	blob = append(blob, msg...)

	// Append (Dj, Ej) for all j in [1...t]
	for i := 0; i < len(cosigners); i++ {
		id := cosigners[i]
		bytesDi := round2Input[id].Di.ToAffineCompressed()
		bytesEi := round2Input[id].Ei.ToAffineCompressed()

		// Following the spec, we should add each party's identity.
		blob = append(blob, byte(id))
		blob = append(blob, bytesDi...)
		blob = append(blob, bytesEi...)
	}
	return blob
}
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`//`
			`// Copyright Coinbase, Inc. All Rights Reserved.`
			`//`
			`// SPDX-License-Identifier: Apache-2.0`
			`//`

			`package frost`

			`import (`
			`"bytes"`
			`"encoding/gob"`
			`"fmt"`

			`"github.com/pkg/errors"`

feature/1220 origin handle exists method (#1241) * feat: add docs and CI workflow for publishing to onsonr.dev * (refactor): Move hway,motr executables to their own repos * feat: simplify devnet and testnet configurations * refactor: update import path for didcrypto package * docs(networks): Add README with project overview, architecture, and community links * refactor: Move network configurations to deploy directory * build: update golang version to 1.23 * refactor: move logger interface to appropriate package * refactor: Move devnet configuration to networks/devnet * chore: improve release process with date variable * (chore): Move Crypto Library * refactor: improve code structure and readability in DID module * feat: integrate Trunk CI checks * ci: optimize CI workflow by removing redundant build jobs --------- Co-authored-by: Darp Alakun <i@prad.nu> 2025-01-06 12:06:10 -05:00			`"github.com/onsonr/sonr/crypto/core/curves"`
			`"github.com/onsonr/sonr/crypto/internal"`
feature/1114 implement account interface (#1167) - refactor: move session-related code to middleware package - refactor: update PKL build process and adjust related configurations - feat: integrate base.cosmos.v1 Genesis module - refactor: pass session context to modal rendering functions - refactor: move nebula package to app directory and update templ version - refactor: Move home section video view to dedicated directory - refactor: remove unused views file - refactor: move styles and UI components to global scope - refactor: Rename images.go to cdn.go - feat: Add Empty State Illustrations - refactor: Consolidate Vault Index Logic - fix: References to App.wasm and remove Vault Directory embedded CDN files - refactor: Move CDN types to Models - fix: Correct line numbers in templ error messages for arch_templ.go - refactor: use common types for peer roles - refactor: move common types and ORM to a shared package - fix: Config import dwn - refactor: move nebula directory to app - feat: Rebuild nebula - fix: correct file paths in panels templates - feat: Remove duplicate types - refactor: Move dwn to pkg/core - refactor: Binary Structure - feat: Introduce Crypto Pkg - fix: Broken Process Start - *feat: Update pkg/ structure - feat: Refactor PKL Structure - build: update pkl build process - chore: Remove Empty Files - refactor: remove unused macaroon package - feat: Add WebAwesome Components - refactor: consolidate build and generation tasks into a single taskfile, remove redundant makefile targets - refactor: refactor server and move components to pkg/core/dwn - build: update go modules - refactor: move gateway logic into dedicated hway command - feat: Add KSS (Krawczyk-Song-Song) MPC cryptography module - feat: Implement MPC-based JWT signing and UCAN token generation - feat: add support for MPC-based JWT signing - feat: Implement MPC-based UCAN capabilities for smart accounts - feat: add address field to keyshareSource - feat: Add comprehensive MPC test suite for keyshares, UCAN tokens, and token attenuations - refactor: improve MPC keyshare management and signing process - feat: enhance MPC capability hierarchy documentation - refactor: rename GenerateKeyshares function to NewKeyshareSource for clarity - refactor: remove unused Ethereum address computation - feat: Add HasHandle and IsAuthenticated methods to HTTPContext - refactor: Add context.Context support to session HTTPContext - refactor: Resolve context interface conflicts in HTTPContext - feat: Add session ID context key and helper functions - feat: Update WebApp Page Rendering - refactor: Simplify context management by using single HTTPContext key - refactor: Simplify HTTPContext creation and context management in session middleware - refactor: refactor session middleware to use a single data structure - refactor: Simplify HTTPContext implementation and session data handling - refactor: Improve session context handling and prevent nil pointer errors - refactor: Improve session context handling with nil safety and type support - refactor: improve session data injection - feat: add full-screen modal component and update registration flow - chore: add .air.toml to .gitignore - feat: add Air to devbox and update dependencies** 2024-11-23 01:28:58 -05:00			`)`

			`// Round2Bcast contains values that will be broadcast to other signers after completion of round 2.`
			`type Round2Bcast struct {`
			`Zi curves.Scalar`
			`Vki curves.Point`
			`}`

			`func (result *Round2Bcast) Encode() ([]byte, error) {`
			`gob.Register(result.Zi)`
			`gob.Register(result.Vki) // just the point for now`
			`buf := &bytes.Buffer{}`
			`enc := gob.NewEncoder(buf)`
			`if err := enc.Encode(result); err != nil {`
			`return nil, errors.Wrap(err, "couldn't encode round 1 broadcast")`
			`}`
			`return buf.Bytes(), nil`
			`}`

			`func (result *Round2Bcast) Decode(input []byte) error {`
			`buf := bytes.NewBuffer(input)`
			`dec := gob.NewDecoder(buf)`
			`if err := dec.Decode(result); err != nil {`
			`return errors.Wrap(err, "couldn't encode round 1 broadcast")`
			`}`
			`return nil`
			`}`

			`// SignRound2 implements FROST signing round 2.`
			`func (signer Signer) SignRound2(msg []byte, round2Input map[uint32]Round1Bcast) (*Round2Bcast, error) {`
			`// Make sure necessary items of signer are not empty`
			`if signer == nil \|\| signer.curve == nil \|\| signer.state == nil {`
			`return nil, internal.ErrNilArguments`
			`}`

			`// Make sure those private d is not empty and not zero`
			`if signer.state.smallD == nil \|\| signer.state.smallD.IsZero() {`
			`return nil, fmt.Errorf("empty d or d is zero")`
			`}`

			`// Make sure those private e is not empty and not zero`
			`if signer.state.smallE == nil \|\| signer.state.smallE.IsZero() {`
			`return nil, fmt.Errorf("empty e or e is zero")`
			`}`

			`// Make sure msg is not empty`
			`if len(msg) == 0 {`
			`return nil, internal.ErrNilArguments`
			`}`

			`// Make sure the round number is correct`
			`if signer.round != 2 {`
			`return nil, internal.ErrInvalidRound`
			`}`

			`// Check length of round2Input`
			`if uint32(len(round2Input)) != signer.threshold {`
			`return nil, fmt.Errorf("Invalid length of round2Input")`
			`}`

			`// Step 2 - Check Dj, Ej on the curve and Store round2Input`
			`for id, input := range round2Input {`
			`if input == nil \|\| input.Di == nil \|\| input.Ei == nil {`
			`return nil, fmt.Errorf("round2Input is nil from participant with id %d\n", id)`
			`}`
			`if !input.Di.IsOnCurve() \|\| input.Di.IsIdentity() {`
			`return nil, fmt.Errorf("commitment Di is not on the curve with id %d\n", id)`
			`}`
			`if !input.Ei.IsOnCurve() \|\| input.Ei.IsIdentity() {`
			`return nil, fmt.Errorf("commitment Ei is not on the curve with id %d\n", id)`
			`}`
			`}`
			`// Store Dj, Ej for further usage.`
			`signer.state.commitments = round2Input`

			`// Step 3-6`
			`R := signer.curve.NewIdentityPoint()`
			`var ri curves.Scalar`
			`Rs := make(map[uint32]curves.Point, signer.threshold)`
			`for id, data := range round2Input {`
			`// Construct the blob (j, m, {Dj, Ej})`
			`blob := concatHashArray(id, msg, round2Input, signer.cosigners)`

			`// Step 4 - rj = H(j,m,{Dj,Ej}_{j in [1...t]})`
			`rj := signer.curve.Scalar.Hash(blob)`
			`if signer.id == id {`
			`ri = rj`
			`}`

			`// Step 5 - R_j = D_j + r_j*E_j`
			`rjEj := data.Ei.Mul(rj)`
			`Rj := rjEj.Add(data.Di)`
			`// assign Rj`
			`Rs[id] = Rj`

			`// Step 6 - R = R+Rj`
			`R = R.Add(Rj)`
			`}`

			`// Step 7 - c = H(m, R)`
			`c, err := signer.challengeDeriver.DeriveChallenge(msg, signer.verificationKey, R)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Step 8 - Record c, R, Rjs`
			`signer.state.c = c`
			`signer.state.capRs = Rs`
			`signer.state.sumR = R`

			`// Step 9 - zi = di + eiri + Liski*c`
			`Li := signer.lCoeffs[signer.id]`
			`Liski := Li.Mul(signer.skShare)`

			`Liskic := Liski.Mul(c)`

			`if R.IsNegative() {`
			`signer.state.smallE = signer.state.smallE.Neg()`
			`signer.state.smallD = signer.state.smallD.Neg()`
			`}`

			`eiri := signer.state.smallE.Mul(ri)`

			`// Compute zi = di+eiri+Liski*c`
			`zi := Liskic.Add(eiri)`
			`zi = zi.Add(signer.state.smallD)`

			`// Update round number and store message`
			`signer.round = 3`
			`signer.state.msg = msg`

			`// set smallD and smallE to zero since they are one-time use`
			`signer.state.smallD = signer.curve.NewScalar()`
			`signer.state.smallE = signer.curve.NewScalar()`

			`// Step 10 - Broadcast zi, vki to other participants`
			`return &Round2Bcast{`
			`zi,`
			`signer.vkShare,`
			`}, nil`
			`}`

			`// concatHashArray puts id, msg and (Dj,Ej), j=1...t into a byte array`
			`func concatHashArray(id uint32, msg []byte, round2Input map[uint32]*Round1Bcast, cosigners []uint32) []byte {`
			`var blob []byte`
			`// Append identity id`
			`blob = append(blob, byte(id))`

			`// Append message msg`
			`blob = append(blob, msg...)`

			`// Append (Dj, Ej) for all j in [1...t]`
			`for i := 0; i < len(cosigners); i++ {`
			`id := cosigners[i]`
			`bytesDi := round2Input[id].Di.ToAffineCompressed()`
			`bytesEi := round2Input[id].Ei.ToAffineCompressed()`

			`// Following the spec, we should add each party's identity.`
			`blob = append(blob, byte(id))`
			`blob = append(blob, bytesDi...)`
			`blob = append(blob, bytesEi...)`
			`}`
			`return blob`
			`}`