Merge pull request #190 from LLFourn/tweak-mutate

[frost] Make "tweaks" mutate
LLFourn · Aug 9, 2024 · 646b969 · 646b969
2 parents 10238b1 + 84ac38b
commit 646b969
Show file tree

Hide file tree

Showing 20 changed files with 1,347 additions and 622 deletions.
diff --git a/ecdsa_fun/src/adaptor/mod.rs b/ecdsa_fun/src/adaptor/mod.rs
@@ -234,9 +234,9 @@ impl<T: Transcript<DLEQ>, NG> Adaptor<T, NG> {
     /// There are two crucial things to understand when calling this:
     ///
     /// 1. You should be certain that the encrypted signature is what you think it is by calling
-    /// [`verify_encrypted_signature`] on it first.
+    ///    [`verify_encrypted_signature`] on it first.
     /// 2. Once you give the decrypted signature to anyone who has seen `encrypted_signature` they will be
-    /// able to learn `decryption_key` by calling [`recover_decryption_key`].
+    ///    able to learn `decryption_key` by calling [`recover_decryption_key`].
     ///
     /// See [synopsis] for an example
     ///

diff --git a/schnorr_fun/Cargo.toml b/schnorr_fun/Cargo.toml
@@ -18,7 +18,7 @@ secp256kfun = { path = "../secp256kfun", version = "0.10",  default-features = f
 bech32 = { version = "0.11", optional = true, default-features = false, features = ["alloc"] }
 
 [dev-dependencies]
-secp256kfun = { path = "../secp256kfun", version = "0.10",  features = ["proptest"] }
+secp256kfun = { path = "../secp256kfun", version = "0.10",  features = ["proptest", "bincode", "alloc"] }
 rand = { version = "0.8" }
 lazy_static = "1.4"
 bincode = "1.0"

diff --git a/schnorr_fun/benches/bench_schnorr.rs b/schnorr_fun/benches/bench_schnorr.rs
@@ -49,7 +49,7 @@ fn verify_schnorr(c: &mut Criterion) {
         });
 
         {
-            let sig = sig.clone().set_secrecy::<Secret>();
+            let sig = sig.set_secrecy::<Secret>();
             group.bench_function("fun::schnorr_verify_ct", |b| {
                 b.iter(|| schnorr.verify(verification_key, message, &sig))
             });

diff --git a/schnorr_fun/src/adaptor/mod.rs b/schnorr_fun/src/adaptor/mod.rs
@@ -153,9 +153,9 @@ pub trait Adaptor {
     /// There are two crucial things to understand when calling this:
     ///
     /// 1. You should be certain that the encrypted signature is what you think it is by calling
-    /// [`verify_encrypted_signature`] on it first.
+    ///    [`verify_encrypted_signature`] on it first.
     /// 2. Once you give the decrypted signature to anyone who has seen `encrypted_signature` they will be
-    /// able to learn `decryption_key` by calling [`recover_decryption_key`].
+    ///    able to learn `decryption_key` by calling [`recover_decryption_key`].
     ///
     /// See [synopsis] for an example
     ///

diff --git a/schnorr_fun/src/binonce.rs b/schnorr_fun/src/binonce.rs
@@ -4,7 +4,7 @@
 //! Your public nonces are derived from scalars which must be kept secret.
 //! Derived binonces should be unique and and must not be reused for signing under any circumstances
 //! as this can leak your secret key.
-use secp256kfun::{g, marker::*, rand_core::RngCore, Point, Scalar, G};
+use secp256kfun::{g, hash::HashInto, marker::*, rand_core::RngCore, Point, Scalar, G};
 
 /// A nonce (pair of points) that each party must share with the others in the first stage of signing.
 ///
@@ -26,7 +26,7 @@ impl<Z: ZeroChoice> Nonce<Z> {
     }
 }
 
-impl<Z> Nonce<Z> {
+impl<Z: ZeroChoice> Nonce<Z> {
     /// Negate the two nonces
     pub fn conditional_negate(&mut self, needs_negation: bool) {
         self.0[0] = self.0[0].conditional_negate(needs_negation);
@@ -42,6 +42,33 @@ impl<Z> Nonce<Z> {
         bytes[33..].copy_from_slice(self.0[1].to_bytes().as_ref());
         bytes
     }
+
+    /// Binds an aggregated binonce to a it's binding coefficient (which is produced differently for
+    /// different schemes) and produces the final nonce (the one that will go into the signature).
+    pub fn bind(&self, binding_coeff: Scalar<Public>) -> (Point<EvenY>, bool) {
+        g!(self.0[0] + binding_coeff * self.0[1])
+            .normalize()
+            .non_zero()
+            .unwrap_or(Point::generator())
+            .into_point_with_even_y()
+    }
+}
+
+impl<Z> HashInto for Nonce<Z> {
+    fn hash_into(self, hash: &mut impl secp256kfun::digest::Digest) {
+        self.0.hash_into(hash)
+    }
+}
+
+impl Nonce<Zero> {
+    /// Adds a bunch of binonces together (one for each party signing usually).
+    pub fn aggregate(nonces: impl IntoIterator<Item = Nonce>) -> Self {
+        let agg = nonces.into_iter().fold([Point::zero(); 2], |acc, nonce| {
+            [g!(acc[0] + nonce.0[0]), g!(acc[1] + nonce.0[1])]
+        });
+
+        Self([agg[0].normalize(), agg[1].normalize()])
+    }
 }
 
 secp256kfun::impl_fromstr_deserialize! {
@@ -52,7 +79,7 @@ secp256kfun::impl_fromstr_deserialize! {
 }
 
 secp256kfun::impl_display_serialize! {
-    fn to_bytes<Z>(nonce: &Nonce<Z>) -> [u8;66] {
+    fn to_bytes<Z: ZeroChoice>(nonce: &Nonce<Z>) -> [u8;66] {
         nonce.to_bytes()
     }
 }