test coverage for taproot crate

Co-authored by @zebra-lucky and @mimoo

This work sponsored by dlcbtc.com and lightspark.com

Author: conduition

frost-core/src/tests/ciphersuite_generic.rs

@@ -7,9 +7,8 @@ use crate as frost;
 use crate::round2::SignatureShare;
 use crate::{
     keys::PublicKeyPackage, Error, Field, Group, Identifier, Signature, SigningKey, SigningPackage,
-    VerifyingKey,
+    SigningTarget, VerifyingKey,
 };
-use alloc::borrow::ToOwned;
 use alloc::vec::Vec;
 use rand_core::{CryptoRng, RngCore};
 
@@ -103,7 +102,8 @@ pub fn check_share_generation_fails_with_invalid_signers<C: Ciphersuite, R: RngC
 /// Test FROST signing with trusted dealer with a Ciphersuite.
 pub fn check_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(
     mut rng: R,
-) -> (Vec<u8>, Signature<C>, VerifyingKey<C>) {
+    signing_target: SigningTarget<C>,
+) -> (SigningTarget<C>, Signature<C>, VerifyingKey<C>) {
     ////////////////////////////////////////////////////////////////////////////
     // Key generation
     ////////////////////////////////////////////////////////////////////////////
@@ -147,10 +147,11 @@ pub fn check_sign_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(
             .collect(),
         &mut rng,
         pubkeys.clone(),
+        signing_target.clone(),
     );
     assert_eq!(r, Err(Error::InvalidSignature));
 
-    check_sign(min_signers, key_packages, rng, pubkeys).unwrap()
+    check_sign(min_signers, key_packages, rng, pubkeys, signing_target).unwrap()
 }
 
 /// Test FROST signing with trusted dealer fails with invalid numbers of signers.
@@ -195,7 +196,8 @@ pub fn check_sign<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
     key_packages: BTreeMap<frost::Identifier<C>, frost::keys::KeyPackage<C>>,
     mut rng: R,
     pubkey_package: PublicKeyPackage<C>,
-) -> Result<(Vec<u8>, Signature<C>, VerifyingKey<C>), Error<C>> {
+    signing_target: SigningTarget<C>,
+) -> Result<(SigningTarget<C>, Signature<C>, VerifyingKey<C>), Error<C>> {
     let mut nonces_map: BTreeMap<frost::Identifier<C>, frost::round1::SigningNonces<C>> =
         BTreeMap::new();
     let mut commitments_map: BTreeMap<frost::Identifier<C>, frost::round1::SigningCommitments<C>> =
@@ -223,8 +225,7 @@ pub fn check_sign<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
     // - decide what message to sign
     // - take one (unused) commitment per signing participant
     let mut signature_shares = BTreeMap::new();
-    let message = "message to sign".as_bytes();
-    let signing_package = SigningPackage::new(commitments_map, message);
+    let signing_package = frost::SigningPackage::new(commitments_map, signing_target.clone());
 
     ////////////////////////////////////////////////////////////////////////////
     // Round 2: each participant generates their signature share
@@ -266,11 +267,18 @@ pub fn check_sign<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
     // Aggregate (also verifies the signature shares)
     let group_signature = frost::aggregate(&signing_package, &signature_shares, &pubkey_package)?;
 
+    // Check that the effective verifying key can be verified against the raw message,
+    // without exposing the SigningParameters.
+    pubkey_package
+        .verifying_key
+        .effective_key(signing_target.sig_params())
+        .verify(signing_target.message(), &group_signature)?;
+
     // Check that the threshold signature can be verified by the group public
     // key (the verification key).
     pubkey_package
         .verifying_key
-        .verify(message, &group_signature)?;
+        .verify(signing_target.clone(), &group_signature)?;
 
     // Check that the threshold signature can be verified by the group public
     // key (the verification key) from KeyPackage.verifying_key
@@ -279,11 +287,11 @@ pub fn check_sign<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
 
         key_package
             .verifying_key
-            .verify(message, &group_signature)?;
+            .verify(signing_target.clone(), &group_signature)?;
     }
 
     Ok((
-        message.to_owned(),
+        signing_target,
         group_signature,
         pubkey_package.verifying_key,
     ))
@@ -303,7 +311,7 @@ fn check_sign_errors<C: Ciphersuite + PartialEq>(
         .find(|&&id| id != key_package.identifier)
         .unwrap();
     commitments.remove(&id);
-    let signing_package = frost::SigningPackage::new(commitments, signing_package.message());
+    let signing_package = frost::SigningPackage::new(commitments, signing_package.sig_target);
 
     let r = frost::round2::sign(&signing_package, &signing_nonces, &key_package);
     assert_eq!(r, Err(Error::IncorrectNumberOfCommitments));
@@ -376,7 +384,8 @@ fn check_aggregate_invalid_share_identifier_for_verifying_shares<C: Ciphersuite
 /// Test FROST signing with DKG with a Ciphersuite.
 pub fn check_sign_with_dkg<C: Ciphersuite + PartialEq, R: RngCore + CryptoRng>(
     mut rng: R,
-) -> (Vec<u8>, Signature<C>, VerifyingKey<C>)
+    signing_target: SigningTarget<C>,
+) -> (SigningTarget<C>, Signature<C>, VerifyingKey<C>)
 where
     C::Group: core::cmp::PartialEq,
 {
@@ -533,7 +542,7 @@ where
     let pubkeys = frost::keys::PublicKeyPackage::new(verifying_keys, verifying_key.unwrap());
 
     // Proceed with the signing test.
-    check_sign(min_signers, key_packages, rng, pubkeys).unwrap()
+    check_sign(min_signers, key_packages, rng, pubkeys, signing_target).unwrap()
 }
 
 /// Check that calling dkg::part3() with distinct sets of participants fail.
@@ -577,7 +586,8 @@ fn check_part3_different_participants<C: Ciphersuite>(
 /// Identifiers.
 pub fn check_sign_with_dealer_and_identifiers<C: Ciphersuite, R: RngCore + CryptoRng>(
     mut rng: R,
-) -> (Vec<u8>, Signature<C>, VerifyingKey<C>) {
+    signing_target: SigningTarget<C>,
+) -> (SigningTarget<C>, Signature<C>, VerifyingKey<C>) {
     // Check error cases first
     // Check repeated identifiers
 
@@ -643,7 +653,7 @@ pub fn check_sign_with_dealer_and_identifiers<C: Ciphersuite, R: RngCore + Crypt
         let key_package = frost::keys::KeyPackage::try_from(v).unwrap();
         key_packages.insert(k, key_package);
     }
-    check_sign(min_signers, key_packages, rng, pubkeys).unwrap()
+    check_sign(min_signers, key_packages, rng, pubkeys, signing_target).unwrap()
 }
 
 fn check_part2_error<C: Ciphersuite>(

frost-core/src/tests/refresh.rs

@@ -9,7 +9,7 @@ use crate::keys::refresh::{compute_refreshing_shares, refresh_share};
 use crate::{self as frost};
 use crate::{
     keys::{KeyPackage, PublicKeyPackage, SecretShare},
-    Ciphersuite, Error, Identifier,
+    Ciphersuite, Error, Identifier, SigningTarget,
 };
 
 use super::ciphersuite_generic::check_sign;
@@ -81,7 +81,16 @@ pub fn check_refresh_shares_with_dealer<C: Ciphersuite, R: RngCore + CryptoRng>(
     for (k, v) in new_shares {
         key_packages.insert(k, v.unwrap());
     }
-    check_sign(MIN_SIGNERS, key_packages, rng, new_pub_key_package).unwrap();
+
+    let signing_target = SigningTarget::from_message(b"hello world");
+    check_sign(
+        MIN_SIGNERS,
+        key_packages,
+        rng,
+        new_pub_key_package,
+        signing_target,
+    )
+    .unwrap();
 }
 
 /// We want to check that shares are refreshed with valid signers

frost-ed25519/tests/helpers/samples.json

@@ -1,6 +1,7 @@
 {
     "identifier": "2a00000000000000000000000000000000000000000000000000000000000000",
+    "proof_of_knowledge": "5866666666666666666666666666666666666666666666666666666666666666498d4e9311420c903913a56c94a694b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0a",
     "element1": "5866666666666666666666666666666666666666666666666666666666666666",
     "element2": "c9a3f86aae465f0e56513864510f3997561fa2c9e85ea21dc2292309f3cd6022",
     "scalar1": "498d4e9311420c903913a56c94a694b8aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0a"
-}
+}

frost-ed25519/tests/helpers/samples.rs

@@ -109,17 +109,12 @@ pub fn public_key_package() -> PublicKeyPackage {
 
 /// Generate a sample round1::Package.
 pub fn round1_package() -> round1::Package {
-    let serialized_scalar = <<C as Ciphersuite>::Group as Group>::Field::serialize(&scalar1());
+    let serialized_signature = Signature::new(element1(), scalar1()).serialize().unwrap();
+    let signature = Signature::deserialize(&serialized_signature).unwrap();
+
     let serialized_element = <C as Ciphersuite>::Group::serialize(&element1()).unwrap();
-    let serialized_signature = serialized_element
-        .as_ref()
-        .iter()
-        .chain(serialized_scalar.as_ref().iter())
-        .cloned()
-        .collect::<Vec<u8>>();
     let vss_commitment =
         VerifiableSecretSharingCommitment::deserialize(vec![serialized_element]).unwrap();
-    let signature = Signature::deserialize(&serialized_signature).unwrap();
 
     round1::Package::new(vss_commitment, signature)
 }

frost-ed25519/tests/integration_tests.rs

@@ -12,7 +12,10 @@ fn check_zero_key_fails() {
 fn check_sign_with_dkg() {
     let rng = thread_rng();
 
-    frost_core::tests::ciphersuite_generic::check_sign_with_dkg::<Ed25519Sha512, _>(rng);
+    frost_core::tests::ciphersuite_generic::check_sign_with_dkg::<Ed25519Sha512, _>(
+        rng,
+        b"message".into(),
+    );
 }
 
 #[test]
@@ -184,7 +187,10 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
 fn check_sign_with_dealer() {
     let rng = thread_rng();
 
-    frost_core::tests::ciphersuite_generic::check_sign_with_dealer::<Ed25519Sha512, _>(rng);
+    frost_core::tests::ciphersuite_generic::check_sign_with_dealer::<Ed25519Sha512, _>(
+        rng,
+        b"message".into(),
+    );
 }
 
 #[test]
@@ -336,7 +342,7 @@ fn check_sign_with_dealer_and_identifiers() {
     frost_core::tests::ciphersuite_generic::check_sign_with_dealer_and_identifiers::<
         Ed25519Sha512,
         _,
-    >(rng);
+    >(rng, b"message".into());
 }
 
 #[test]

frost-ed25519/tests/interoperability_tests.rs

@@ -12,12 +12,13 @@ fn check_interoperability_in_sign_with_dkg() {
     // and the interoperability check. A smaller number of iterations is used
     // because DKG takes longer and otherwise the test would be too slow.
     for _ in 0..32 {
-        let (msg, group_signature, group_pubkey) =
+        let (target, group_signature, group_pubkey) =
             frost_core::tests::ciphersuite_generic::check_sign_with_dkg::<Ed25519Sha512, _>(
                 rng.clone(),
+                b"message".into(),
             );
 
-        helpers::verify_signature(&msg, group_signature, group_pubkey);
+        helpers::verify_signature(target.message(), group_signature, group_pubkey);
     }
 }
 
@@ -28,13 +29,14 @@ fn check_interoperability_in_sign_with_dealer() {
     // Test with multiple keys/signatures to better exercise the key generation
     // and the interoperability check.
     for _ in 0..256 {
-        let (msg, group_signature, group_pubkey) =
+        let (target, group_signature, group_pubkey) =
             frost_core::tests::ciphersuite_generic::check_sign_with_dealer::<Ed25519Sha512, _>(
                 rng.clone(),
+                b"message".into(),
             );
 
         // Check that the threshold signature can be verified by the `ed25519_dalek` crate
         // public key (interoperability test)
-        helpers::verify_signature(&msg, group_signature, group_pubkey);
+        helpers::verify_signature(target.message(), group_signature, group_pubkey);
     }
 }

frost-ed25519/tests/recreation_tests.rs

@@ -41,9 +41,9 @@ fn check_signing_package_recreation() {
     let signing_package = samples::signing_package();
 
     let commitments = signing_package.signing_commitments();
-    let message = signing_package.message();
+    let sig_target = signing_package.sig_target();
 
-    let new_signing_package = SigningPackage::new(commitments.clone(), message);
+    let new_signing_package = SigningPackage::new(commitments.clone(), sig_target.clone());
     assert!(signing_package == new_signing_package);
 }
 

frost-ed448/tests/helpers/samples.json

@@ -1,6 +1,7 @@
 {
     "identifier": "2a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+    "proof_of_knowledge": "14fa30f25b790898adc8d74e2c13bdfdc4397ce61cffd33ad7c2a0051e9c78874098a36c7373ea4b62c7c9563720768824bcb66e71463f69004d83e51cb78150c2380ad9b3a18148166024e4c9db3cdf82466d3153aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2a00",
     "element1": "14fa30f25b790898adc8d74e2c13bdfdc4397ce61cffd33ad7c2a0051e9c78874098a36c7373ea4b62c7c9563720768824bcb66e71463f6900",
     "element2": "ed8693eacdfbeada6ba0cdd1beb2bcbb98302a3a8365650db8c4d88a726de3b7d74d8835a0d76e03b0c2865020d659b38d04d74a63e905ae80",
     "scalar1": "4d83e51cb78150c2380ad9b3a18148166024e4c9db3cdf82466d3153aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2a00"
-}
+}

frost-ed448/tests/helpers/samples.rs

@@ -109,17 +109,12 @@ pub fn public_key_package() -> PublicKeyPackage {
 
 /// Generate a sample round1::Package.
 pub fn round1_package() -> round1::Package {
-    let serialized_scalar = <<C as Ciphersuite>::Group as Group>::Field::serialize(&scalar1());
+    let serialized_signature = Signature::new(element1(), scalar1()).serialize().unwrap();
+    let signature = Signature::deserialize(&serialized_signature).unwrap();
+
     let serialized_element = <C as Ciphersuite>::Group::serialize(&element1()).unwrap();
-    let serialized_signature = serialized_element
-        .as_ref()
-        .iter()
-        .chain(serialized_scalar.as_ref().iter())
-        .cloned()
-        .collect::<Vec<u8>>();
     let vss_commitment =
         VerifiableSecretSharingCommitment::deserialize(vec![serialized_element]).unwrap();
-    let signature = Signature::deserialize(&serialized_signature).unwrap();
 
     round1::Package::new(vss_commitment, signature)
 }

frost-ed448/tests/integration_tests.rs

@@ -12,7 +12,10 @@ fn check_zero_key_fails() {
 fn check_sign_with_dkg() {
     let rng = thread_rng();
 
-    frost_core::tests::ciphersuite_generic::check_sign_with_dkg::<Ed448Shake256, _>(rng);
+    frost_core::tests::ciphersuite_generic::check_sign_with_dkg::<Ed448Shake256, _>(
+        rng,
+        b"message".into(),
+    );
 }
 
 #[test]
@@ -184,7 +187,10 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
 fn check_sign_with_dealer() {
     let rng = thread_rng();
 
-    frost_core::tests::ciphersuite_generic::check_sign_with_dealer::<Ed448Shake256, _>(rng);
+    frost_core::tests::ciphersuite_generic::check_sign_with_dealer::<Ed448Shake256, _>(
+        rng,
+        b"message".into(),
+    );
 }
 
 #[test]
@@ -336,7 +342,7 @@ fn check_sign_with_dealer_and_identifiers() {
     frost_core::tests::ciphersuite_generic::check_sign_with_dealer_and_identifiers::<
         Ed448Shake256,
         _,
-    >(rng);
+    >(rng, b"message".into());
 }
 
 #[test]

frost-ed448/tests/recreation_tests.rs

@@ -41,9 +41,9 @@ fn check_signing_package_recreation() {
     let signing_package = samples::signing_package();
 
     let commitments = signing_package.signing_commitments();
-    let message = signing_package.message();
+    let sig_target = signing_package.sig_target();
 
-    let new_signing_package = SigningPackage::new(commitments.clone(), message);
+    let new_signing_package = SigningPackage::new(commitments.clone(), sig_target.clone());
     assert!(signing_package == new_signing_package);
 }
 

frost-p256/tests/helpers/samples.json

@@ -1,6 +1,7 @@
 {
     "identifier": "000000000000000000000000000000000000000000000000000000000000002a",
+    "proof_of_knowledge": "036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296aaaaaaaa00000000aaaaaaaaaaaaaaaa7def51c91a0fbf034d26872ca84218e1",
     "element1": "036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
     "element2": "037cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
     "scalar1": "aaaaaaaa00000000aaaaaaaaaaaaaaaa7def51c91a0fbf034d26872ca84218e1"
-}
+}

frost-p256/tests/helpers/samples.rs

@@ -109,17 +109,12 @@ pub fn public_key_package() -> PublicKeyPackage {
 
 /// Generate a sample round1::Package.
 pub fn round1_package() -> round1::Package {
-    let serialized_scalar = <<C as Ciphersuite>::Group as Group>::Field::serialize(&scalar1());
+    let serialized_signature = Signature::new(element1(), scalar1()).serialize().unwrap();
+    let signature = Signature::deserialize(&serialized_signature).unwrap();
+
     let serialized_element = <C as Ciphersuite>::Group::serialize(&element1()).unwrap();
-    let serialized_signature = serialized_element
-        .as_ref()
-        .iter()
-        .chain(serialized_scalar.as_ref().iter())
-        .cloned()
-        .collect::<Vec<u8>>();
     let vss_commitment =
         VerifiableSecretSharingCommitment::deserialize(vec![serialized_element]).unwrap();
-    let signature = Signature::deserialize(&serialized_signature).unwrap();
 
     round1::Package::new(vss_commitment, signature)
 }