modify frost-core traits to enable taproot compatibility

This commit contains changes to the frost-core crate which
allow ciphersuites to better customize how signatures are computed.
This will enable taproot support without requiring major changes
to existing frost ciphersuites.

Co-authored by @zebra-lucky and @mimoo

This work sponsored by dlcbtc.com and lightspark.com

Author: conduition

frost-core/src/batch.rs

@@ -20,6 +20,7 @@ use crate::{scalar_mul::VartimeMultiscalarMul, Ciphersuite, Element, *};
 pub struct Item<C: Ciphersuite> {
     vk: VerifyingKey<C>,
     sig: Signature<C>,
+    sig_params: C::SigningParameters,
     c: Challenge<C>,
 }
 
@@ -33,10 +34,15 @@ where
     where
         M: AsRef<[u8]>,
     {
-        // Compute c now to avoid dependency on the msg lifetime.
-        let c = crate::challenge(&sig.R, &vk, msg.as_ref())?;
-
-        Ok(Self { vk, sig, c })
+        let sig_target = SigningTarget::from_message(msg);
+        let c = <C>::challenge(&sig.R, &vk, &sig_target)?;
+
+        Ok(Self {
+            vk,
+            sig,
+            sig_params: sig_target.sig_params,
+            c,
+        })
     }
 }
 
@@ -52,7 +58,8 @@ where
     /// requires borrowing the message data, the `Item` type is unlinked
     /// from the lifetime of the message.
     pub fn verify_single(self) -> Result<(), Error<C>> {
-        self.vk.verify_prehashed(self.c, &self.sig)
+        self.vk
+            .verify_prehashed(self.c, &self.sig, &self.sig_params)
     }
 }
 
@@ -121,6 +128,7 @@ where
         for item in self.signatures.iter() {
             let z = item.sig.z;
             let R = item.sig.R;
+            let vk = <C>::effective_pubkey_element(&item.vk, &item.sig_params);
 
             let blind = <<C::Group as Group>::Field>::random(&mut rng);
 
@@ -131,7 +139,7 @@ where
             Rs.push(R);
 
             VK_coeffs.push(<<C::Group as Group>::Field>::zero() + (blind * item.c.0));
-            VKs.push(item.vk.to_element());
+            VKs.push(vk);
         }
 
         let scalars = core::iter::once(&P_coeff_acc)

frost-core/src/keys.rs

@@ -119,6 +119,11 @@ where
     pub(crate) fn from_coefficients(coefficients: &[Scalar<C>], peer: Identifier<C>) -> Self {
         Self::new(evaluate_polynomial(peer, coefficients))
     }
+
+    /// Returns negated SigningShare
+    pub fn negate(&mut self) {
+        self.0 .0 = <<C::Group as Group>::Field>::negate(&self.to_scalar());
+    }
 }
 
 impl<C> Debug for SigningShare<C>
@@ -630,6 +635,11 @@ where
             min_signers,
         }
     }
+
+    /// Negate `SigningShare`.
+    pub fn negate_signing_share(&mut self) {
+        self.signing_share.negate();
+    }
 }
 
 #[cfg(feature = "serialization")]

frost-core/src/keys/dkg.rs

@@ -38,7 +38,7 @@ use rand_core::{CryptoRng, RngCore};
 
 use crate::{
     Challenge, Ciphersuite, Element, Error, Field, Group, Header, Identifier, Scalar, Signature,
-    SigningKey, VerifyingKey,
+    SigningKey,
 };
 
 #[cfg(feature = "serialization")]
@@ -322,7 +322,7 @@ pub fn part1<C: Ciphersuite, R: RngCore + CryptoRng>(
 /// Generates the challenge for the proof of knowledge to a secret for the DKG.
 fn challenge<C>(
     identifier: Identifier<C>,
-    verifying_key: &VerifyingKey<C>,
+    verifying_key: &Element<C>,
     R: &Element<C>,
 ) -> Result<Challenge<C>, Error<C>>
 where
@@ -331,7 +331,7 @@ where
     let mut preimage = vec![];
 
     preimage.extend_from_slice(identifier.serialize().as_ref());
-    preimage.extend_from_slice(<C::Group>::serialize(&verifying_key.to_element())?.as_ref());
+    preimage.extend_from_slice(<C::Group>::serialize(&verifying_key)?.as_ref());
     preimage.extend_from_slice(<C::Group>::serialize(R)?.as_ref());
 
     Ok(Challenge(
@@ -354,13 +354,23 @@ pub(crate) fn compute_proof_of_knowledge<C: Ciphersuite, R: RngCore + CryptoRng>
     // > a_{i0} by calculating σ_i = (R_i, μ_i), such that k ← Z_q, R_i = g^k,
     // > c_i = H(i, Φ, g^{a_{i0}} , R_i), μ_i = k + a_{i0} · c_i, with Φ being
     // > a context string to prevent replay attacks.
-    let k = <<C::Group as Group>::Field>::random(&mut rng);
-    let R_i = <C::Group>::generator() * k;
-    let c_i = challenge::<C>(identifier, &commitment.verifying_key()?, &R_i)?;
+    let mut k = <<C::Group as Group>::Field>::random(&mut rng);
+    let mut R_i = <C::Group>::generator() * k;
+    k = <C>::effective_nonce_secret(k, &R_i);
+    R_i = <C>::effective_nonce_element(R_i);
+
+    let verifying_key = commitment.verifying_key()?;
+    let sig_params = Default::default();
+
+    let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &sig_params);
+
+    let c_i = challenge::<C>(identifier, &phi_ell0, &R_i)?;
     let a_i0 = *coefficients
         .first()
         .expect("coefficients must have at least one element");
-    let mu_i = k + a_i0 * c_i.0;
+    let a_i0_effective = <C>::effective_secret_key(a_i0, &verifying_key, &sig_params);
+
+    let mu_i = k + a_i0_effective * c_i.0;
     Ok(Signature { R: R_i, z: mu_i })
 }
 
@@ -380,9 +390,12 @@ pub(crate) fn verify_proof_of_knowledge<C: Ciphersuite>(
     let ell = identifier;
     let R_ell = proof_of_knowledge.R;
     let mu_ell = proof_of_knowledge.z;
-    let phi_ell0 = commitment.verifying_key()?;
+
+    let verifying_key = commitment.verifying_key()?;
+    let phi_ell0 = <C>::effective_pubkey_element(&verifying_key, &Default::default());
     let c_ell = challenge::<C>(ell, &phi_ell0, &R_ell)?;
-    if R_ell != <C::Group>::generator() * mu_ell - phi_ell0.to_element() * c_ell.0 {
+
+    if R_ell != <C::Group>::generator() * mu_ell - phi_ell0 * c_ell.0 {
         return Err(Error::InvalidProofOfKnowledge { culprit: ell });
     }
     Ok(())

frost-core/src/lib.rs

@@ -57,18 +57,14 @@ use scalar_mul::VartimeMultiscalarMul;
 pub use serde;
 pub use signature::Signature;
 pub use signing_key::SigningKey;
-pub use traits::{Ciphersuite, Element, Field, Group, Scalar};
+pub use traits::{Ciphersuite, Element, Field, Group, Scalar, SigningParameters};
 pub use verifying_key::VerifyingKey;
 
 /// A type refinement for the scalar field element representing the per-message _[challenge]_.
 ///
 /// [challenge]: https://datatracker.ietf.org/doc/html/rfc9591#name-signature-challenge-computa
 #[derive(Copy, Clone)]
-#[cfg_attr(feature = "internals", visibility::make(pub))]
-#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
-pub(crate) struct Challenge<C: Ciphersuite>(
-    pub(crate) <<C::Group as Group>::Field as Field>::Scalar,
-);
+pub struct Challenge<C: Ciphersuite>(pub(crate) <<C::Group as Group>::Field as Field>::Scalar);
 
 impl<C> Challenge<C>
 where
@@ -192,9 +188,7 @@ where
 ///
 /// <https://github.com/cfrg/draft-irtf-cfrg-frost/blob/master/draft-irtf-cfrg-frost.md>
 #[derive(Clone, PartialEq, Eq)]
-#[cfg_attr(feature = "internals", visibility::make(pub))]
-#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
-pub(crate) struct BindingFactor<C: Ciphersuite>(Scalar<C>);
+pub struct BindingFactor<C: Ciphersuite>(Scalar<C>);
 
 impl<C> BindingFactor<C>
 where
@@ -357,6 +351,54 @@ fn derive_interpolating_value<C: Ciphersuite>(
     )
 }
 
+/// The data which the group's signature should commit to. Includes
+/// a message byte vector, and a set of ciphersuite-specific parameters.
+#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+#[cfg_attr(feature = "serde", serde(bound = "C: Ciphersuite"))]
+#[derive(Clone, Debug, PartialEq, Eq, Getters)]
+pub struct SigningTarget<C: Ciphersuite> {
+    #[cfg_attr(
+        feature = "serde",
+        serde(
+            serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
+            deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
+        )
+    )]
+    message: Vec<u8>,
+
+    #[cfg_attr(feature = "serde", serde(default))]
+    sig_params: C::SigningParameters,
+}
+
+impl<C: Ciphersuite> SigningTarget<C> {
+    /// Construct a signing target from a message and additional signing parameters.
+    pub fn new<T: AsRef<[u8]>, P: Into<C::SigningParameters>>(
+        message: T,
+        sig_params: P,
+    ) -> SigningTarget<C> {
+        SigningTarget {
+            message: message.as_ref().to_vec(),
+            sig_params: sig_params.into(),
+        }
+    }
+
+    /// Constructs a signing target from an arbitrary message.
+    /// This populates [the `sig_params` field][SigningTarget::sig_params] with
+    /// the [`Default`] instance of the [`Ciphersuite::SigningParameters`].
+    pub fn from_message<T: AsRef<[u8]>>(message: T) -> SigningTarget<C> {
+        SigningTarget {
+            message: message.as_ref().to_vec(),
+            sig_params: C::SigningParameters::default(),
+        }
+    }
+}
+
+impl<C: Ciphersuite, T: AsRef<[u8]>> From<T> for SigningTarget<C> {
+    fn from(message: T) -> Self {
+        Self::from_message(message)
+    }
+}
+
 /// Generated by the coordinator of the signing operation and distributed to
 /// each signing party
 #[derive(Clone, Debug, PartialEq, Eq, Getters)]
@@ -370,18 +412,9 @@ pub struct SigningPackage<C: Ciphersuite> {
     /// The set of commitments participants published in the first round of the
     /// protocol.
     signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
-    /// Message which each participant will sign.
-    ///
-    /// Each signer should perform protocol-specific verification on the
-    /// message.
-    #[cfg_attr(
-        feature = "serde",
-        serde(
-            serialize_with = "serdect::slice::serialize_hex_lower_or_bin",
-            deserialize_with = "serdect::slice::deserialize_hex_or_bin_vec"
-        )
-    )]
-    message: Vec<u8>,
+    /// The message and parameters which each participant will use to sign.
+    /// Each signer should perform protocol-specific verification on the signing target.
+    sig_target: SigningTarget<C>,
 }
 
 impl<C> SigningPackage<C>
@@ -391,14 +424,19 @@ where
     /// Create a new `SigningPackage`
     ///
     /// The `signing_commitments` are sorted by participant `identifier`.
+    ///
+    /// The `sig_target` can be any bytes-like type that implements `AsRef<[u8]>`.
+    /// Some ciphersuites like `frost-secp256k1-tr` allow customization of the signing
+    /// process by embedding additional parameters into a [`SigningTarget`], but this
+    /// is optional and not required by most ciphersuites.
     pub fn new(
         signing_commitments: BTreeMap<Identifier<C>, round1::SigningCommitments<C>>,
-        message: &[u8],
+        sig_target: impl Into<SigningTarget<C>>,
     ) -> SigningPackage<C> {
         SigningPackage {
             header: Header::default(),
             signing_commitments,
-            message: message.to_vec(),
+            sig_target: sig_target.into(),
         }
     }
 
@@ -410,6 +448,11 @@ where
         self.signing_commitments.get(identifier).copied()
     }
 
+    /// Returns the message to be signed.
+    pub fn message(&self) -> &[u8] {
+        &self.sig_target.message
+    }
+
     /// Compute the preimages to H1 to compute the per-signer binding factors
     // We separate this out into its own method so it can be tested
     #[cfg_attr(feature = "internals", visibility::make(pub))]
@@ -430,7 +473,7 @@ where
         // The message is hashed with H4 to force the variable-length message
         // into a fixed-length byte string, same for hashing the variable-sized
         // (between runs of the protocol) set of group commitments, but with H5.
-        binding_factor_input_prefix.extend_from_slice(C::H4(self.message.as_slice()).as_ref());
+        binding_factor_input_prefix.extend_from_slice(C::H4(self.message()).as_ref());
         binding_factor_input_prefix.extend_from_slice(
             C::H5(&round1::encode_group_commitments(self.signing_commitments())?[..]).as_ref(),
         );
@@ -469,9 +512,7 @@ where
 /// The product of all signers' individual commitments, published as part of the
 /// final signature.
 #[derive(Clone, PartialEq, Eq)]
-#[cfg_attr(feature = "internals", visibility::make(pub))]
-#[cfg_attr(docsrs, doc(cfg(feature = "internals")))]
-pub(crate) struct GroupCommitment<C: Ciphersuite>(pub(crate) Element<C>);
+pub struct GroupCommitment<C: Ciphersuite>(pub(crate) Element<C>);
 
 impl<C> GroupCommitment<C>
 where
@@ -482,6 +523,12 @@ where
     pub fn to_element(self) -> <C::Group as Group>::Element {
         self.0
     }
+
+    /// Check if group commitment is odd
+    #[cfg(feature = "internals")]
+    pub fn y_is_odd(&self) -> bool {
+        <C::Group as Group>::y_is_odd(&self.0)
+    }
 }
 
 /// Generates the group commitment which is published as part of the joint
@@ -589,6 +636,7 @@ where
         compute_binding_factor_list(signing_package, &pubkeys.verifying_key, &[])?;
     // Compute the group commitment from signing commitments produced in round one.
     let group_commitment = compute_group_commitment(signing_package, &binding_factor_list)?;
+    let R = <C>::effective_nonce_element(group_commitment.0);
 
     // The aggregation of the signature shares by summing them up, resulting in
     // a plain Schnorr signature.
@@ -602,15 +650,13 @@ where
         z = z + signature_share.to_scalar();
     }
 
-    let signature = Signature {
-        R: group_commitment.0,
-        z,
-    };
+    let signature: Signature<C> =
+        <C>::aggregate_sig_finalize(z, R, &pubkeys.verifying_key, &signing_package.sig_target)?;
 
     // Verify the aggregate signature
     let verification_result = pubkeys
         .verifying_key
-        .verify(signing_package.message(), &signature);
+        .verify(signing_package.sig_target.clone(), &signature);
 
     // Only if the verification of the aggregate signature failed; verify each share to find the cheater.
     // This approach is more efficient since we don't need to verify all shares
@@ -619,6 +665,7 @@ where
     if verification_result.is_err() {
         detect_cheater(
             group_commitment,
+            &R,
             pubkeys,
             signing_package,
             signature_shares,
@@ -631,21 +678,21 @@ where
 
     Ok(signature)
 }
-
 /// Optional cheater detection feature
 /// Each share is verified to find the cheater
 fn detect_cheater<C: Ciphersuite>(
     group_commitment: GroupCommitment<C>,
+    effective_group_commitment: &Element<C>,
     pubkeys: &keys::PublicKeyPackage<C>,
     signing_package: &SigningPackage<C>,
     signature_shares: &BTreeMap<Identifier<C>, round2::SignatureShare<C>>,
     binding_factor_list: &BindingFactorList<C>,
 ) -> Result<(), Error<C>> {
     // Compute the per-message challenge.
-    let challenge = crate::challenge::<C>(
-        &group_commitment.0,
+    let challenge = <C>::challenge(
+        effective_group_commitment,
         &pubkeys.verifying_key,
-        signing_package.message().as_slice(),
+        &signing_package.sig_target,
     )?;
 
     // Verify the signature shares.
@@ -677,6 +724,9 @@ fn detect_cheater<C: Ciphersuite>(
             signer_pubkey,
             lambda_i,
             &challenge,
+            &group_commitment,
+            &pubkeys.verifying_key,
+            &signing_package.sig_target.sig_params,
         )?;
     }