Frost keygen with dealer (ZcashFoundation#47)

Implements FROST (Flexible Round Optimized Schnorr Threshold Signatures, https://eprint.iacr.org/2020/852) where key generation is performed by a trusted dealer. 

Future work will include implementing distributed key generation and re-randomizability. 

Co-authored-by: Chelsea Komlo <[email protected]>
Co-authored-by: Isis Lovecruft <[email protected]>

Author: 3 people

Cargo.toml

@@ -6,7 +6,7 @@ edition = "2018"
 # - Update CHANGELOG.md
 # - Create git tag.
 version = "0.2.2"
-authors = ["Henry de Valence <[email protected]>", "Deirdre Connolly <[email protected]>"]
+authors = ["Henry de Valence <[email protected]>", "Deirdre Connolly <[email protected]>", "Chelsea Komlo <[email protected]>"]
 readme = "README.md"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/ZcashFoundation/redjubjub"
@@ -25,6 +25,7 @@ jubjub = "0.3"
 rand_core = "0.5"
 serde = { version = "1", optional = true, features = ["derive"] }
 thiserror = "1.0"
+zeroize = { version = "1", default-features = false, features = ["zeroize_derive"] }
 
 [dev-dependencies]
 bincode = "1"

LICENCE

@@ -0,0 +1,43 @@
+This software is licensed optionally under either the MIT license or Apache 2.0
+license, the full text of which may be found respectively in the LICENCE.MIT and
+LICENCE.Apache-2.0 files contained within this software distribution.
+
+==============================================================================
+
+Portions of redjubjub are taken from curve25519-dalek, which can be found at
+<https://github.com/dalek-cryptography/curve25519-dalek>, under the following
+license.  This implementation does NOT use the portions of curve25519-dalek
+which were originally derived from Adam Langley's Go edwards25519
+implementation, and, as such, that portion of the curve25519-dalek license is
+omitted here.
+
+==============================================================================
+
+Copyright (c) 2016-2021 Isis Agora Lovecruft, Henry de Valence. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

LICENCE.MIT

@@ -0,0 +1,18 @@
+Copyright 2019-2021 Zcash Foundation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

LICENSE.Apache-2.0

@@ -0,0 +1,13 @@
+Copyright 2019-2021 Zcash Foundation
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

src/batch.rs

@@ -1,3 +1,13 @@
+// -*- mode: rust; -*-
+//
+// This file is part of redjubjub.
+// Copyright (c) 2019-2021 Zcash Foundation
+// See LICENSE for licensing information.
+//
+// Authors:
+// - Deirdre Connolly <[email protected]>
+// - Henry de Valence <[email protected]>
+
 //! Performs batch RedJubjub signature verification.
 //!
 //! Batch verification asks whether *all* signatures in some set are valid,
@@ -136,11 +146,11 @@ impl Verifier {
     ///
     /// The batch verification equation is:
     ///
-    /// h_G * -[sum(z_i * s_i)]P_G + sum([z_i]R_i + [z_i * c_i]VK_i) = 0_G
+    /// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i + [z_i * c_i]VK_i) = 0_G
     ///
     /// which we split out into:
     ///
-    /// h_G * -[sum(z_i * s_i)]P_G + sum([z_i]R_i) + sum([z_i * c_i]VK_i) = 0_G
+    /// h_G * -[sum(z_i * s_i)]P_G + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) = 0_G
     ///
     /// so that we can use multiscalar multiplication speedups.
     ///
@@ -159,7 +169,7 @@ impl Verifier {
     /// signatures of each type in our batch, but we can still
     /// amortize computation nicely in one multiscalar multiplication:
     ///
-    /// h_G * ( [-sum(z_i * s_i): i_type == SpendAuth]P_SpendAuth + [-sum(z_i * s_i): i_type == Binding]P_Binding + sum([z_i]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
+    /// h_G * ( [-sum(z_i * s_i): i_type == SpendAuth]P_SpendAuth + [-sum(z_i * s_i): i_type == Binding]P_Binding + sum(\[z_i\]R_i) + sum([z_i * c_i]VK_i) ) = 0_G
     ///
     /// As follows elliptic curve scalar multiplication convention,
     /// scalar variables are lowercase and group point variables

src/constants.rs

@@ -1,3 +1,12 @@
+// -*- mode: rust; -*-
+//
+// This file is part of redjubjub.
+// Copyright (c) 2019-2021 Zcash Foundation
+// See LICENSE for licensing information.
+//
+// Authors:
+// - Henry de Valence <[email protected]>
+
 /// The byte-encoding of the basepoint for `SpendAuthSig`.
 // Extracted ad-hoc from librustzcash
 // XXX add tests for this value.

src/error.rs

@@ -1,3 +1,13 @@
+// -*- mode: rust; -*-
+//
+// This file is part of redjubjub.
+// Copyright (c) 2019-2021 Zcash Foundation
+// See LICENSE for licensing information.
+//
+// Authors:
+// - Deirdre Connolly <[email protected]>
+// - Henry de Valence <[email protected]>
+
 use thiserror::Error;
 
 /// An error related to RedJubJub signatures.