frostrb 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0660ec6fbd998b152bdb359276284fd64e00d89ed19e783dbd72e04cac3fad67
-  data.tar.gz: c01bd20b7f10d10e0362d6ee4c3722c8849f748ed8899c06efd2cfcaee2dcefa
+  metadata.gz: 6ec10bec048f4bbf00419a36f27e901afb7ca0b12ae20140d827e1e2eaba107e
+  data.tar.gz: 13bce5e0d48b971619c698224e0051162b57b0e08dcc9dabad7eef8a770ecda5
 SHA512:
-  metadata.gz: 5cadf1d9b254ac672aad430dae0c27ec7f45878886bbf600cd250a8c4a405f5d89201de96b5bd145ff3fc59ae2384d227a5fe7e73c3abcf002b36a6fbd2d5098
-  data.tar.gz: 71c14b38913bf8471436979fb8d69a99ad7ad763a79d28f1f738435999ad5b485ba7e09d5e43083bbd2edec5ade02c189076e53678c44a4512a71c86e0883a42
+  metadata.gz: 21d11540bbb90c3f3e0e4e96b17204140b40ee52b783da59d12de0898e64d11ed7a4feefc937fd08dff87c001592c14eed39f4d06757211198581047045aa98f
+  data.tar.gz: ca60c7fd06432c8c8d6b72fd2a5fb77b42e6184f892af8496c1d540d4215c36ca074fef9c5b495ea8bbcd1e675649a166d41a07b8ab64257f520490ae4ffd869

data/.ruby-version

@@ -1 +1 @@
-ruby-3.3.0
+ruby-3.4.1

data/README.md

@@ -7,7 +7,11 @@ Note: This library has not been security audited and tested widely, so should no
 The cipher suites currently supported by this library are:
 
 * [secp256k1, SHA-256](https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-frostsecp256k1-sha-256)
-* [P-256, SHA-256](https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-frostp-256-sha-256) 
+* [P-256, SHA-256](https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-frostp-256-sha-256)
+* secp256k1, Taproot
+
+Note: The implementation for Taproot is based on [frost-secp256k1-tr](https://github.com/ZcashFoundation/frost/tree/main/frost-secp256k1-tr),
+but since it is not an official BIP, it may change in the future.
 
 ## Installation
 
@@ -30,10 +34,11 @@ Or install it yourself as:
 ```ruby
 require 'frost'
 
-group = ECDSA::Group::Secp256k1
+# Setup context.
+ctx = FROST::Context.new(ECDSA::Group::Secp256k1, FROST::Type::RFC9591)
 
 # Dealer generate secret.
-secret = FROST::SigningKey.generate(group)
+secret = FROST::SigningKey.generate(ctx)
 group_pubkey = secret.to_point
 
 # Generate polynomial(f(x) = ax + b)
@@ -58,48 +63,60 @@ commitment_list = [comm1, comm3]
 msg = ["74657374"].pack("H*")
 
 # Round 2: each participant generates their signature share(1 and 3)
-sig_share1 = FROST.sign(share1, group_pubkey, [hiding_nonce1, binding_nonce1], msg, commitment_list)
-sig_share3 = FROST.sign(share3, group_pubkey, [hiding_nonce3, binding_nonce3], msg, commitment_list)
+sig_share1 = FROST.sign(ctx, share1, group_pubkey, [hiding_nonce1, binding_nonce1], msg, commitment_list)
+sig_share3 = FROST.sign(ctx, share3, group_pubkey, [hiding_nonce3, binding_nonce3], msg, commitment_list)
 
 # verify signature share
 FROST.verify_share(1, share1.to_point, sig_share1, commitment_list, group_pubkey, msg)
 FROST.verify_share(3, share3.to_point, sig_share3, commitment_list, group_pubkey, msg)
 
 # Aggregation
-sig = FROST.aggregate(commitment_list, msg, group_pubkey, [sig_share1, sig_share3])
+sig = FROST.aggregate(ctx, commitment_list, msg, group_pubkey, [sig_share1, sig_share3])
 
 # verify final signature
 FROST.verify(sig, group_pubkey, msg)
 ```
 
+### Bitcoin support
+
+When using Bitcoin(taproot), the context type must be `FROST::Type::Taproot` instead of `FROST::Type::RFC9591`.
+
+```ruby
+ctx = FROST::Context.new(ECDSA::Group::Secp256k1, FROST::Type::TAPROOT)
+```
+
 ### Using DKG
 
 DKG can be run as below.
 
 ```ruby
+# Setup context.
+ctx = FROST::Context.new(ECDSA::Group::Secp256k1, FROST::Type::RFC9591)
+
 max_signer = 5
 min_signer = 3
 
-secrets = {}
+secret_packages = {}
 round1_outputs = {}
 # Round 1:
 # For each participant, perform the first part of the DKG protocol.
 1.upto(max_signer) do |i|
-  polynomial, package = FROST::DKG.generate_secret(i, min_signer, max_signer, group)
-  secrets[i] = polynomial
-  round1_outputs[i] = package
+  secret_package = FROST::DKG.generate_secret(ctx, i, min_signer, max_signer)
+  secret_packages[i] = secret_package
+  round1_outputs[i] = secret_package.public_package
 end
 
-# Each participant sends their commitments and proof to other participants.
+# Each participant send their commitments and proof to other participants.
 received_package = {}
 1.upto(max_signer) do |i|
-  received_package[i] = round1_outputs.select { |k, _| k != i }.values
+  received_package[i] = round1_outputs.select {|k, _| k != i}.values
 end
 
 # Each participant verify knowledge of proof in received package.
 received_package.each do |id, packages|
+  secret_package = secret_packages[id]
   packages.each do |package|
-    expect(FROST::DKG.verify_proof_of_knowledge(package)).to be true
+    expect(FROST::DKG.verify_proof_of_knowledge(secret_package, package)).to be true
   end
 end
 
@@ -107,31 +124,31 @@ end
 # Each participant generate share for other participants and send it.
 received_shares = {}
 1.upto(max_signer) do |i|
-  polynomial = secrets[i] # own secret
+  secret_package = secret_packages[i] # own secret
   1.upto(max_signer) do |o|
     next if i == o
     received_shares[o] ||= []
-    received_shares[o] << [i, polynomial.gen_share(o)]
+    received_shares[o] << [i, secret_package.gen_share(o)]
   end
 end
 
 # Each participant verify received shares.
 1.upto(max_signer) do |i|
   received_shares[i].each do |send_by, share|
-    target_package = received_package[i].find { |package| package.identifier == send_by }
+    target_package = received_package[i].find{ |package| package.identifier == send_by }
     expect(target_package.verify_share(share)).to be true
   end
 end
 
-# Each participant compute signing share.
+# Each participant computes signing share.
 signing_shares = {}
 1.upto(max_signer) do |i|
-  shares = received_shares[i].map { |_, share| share }
-  signing_shares[i] = FROST::DKG.compute_signing_share(secrets[i], shares)
+  shares = received_shares[i].map{|_, share| share}
+  signing_shares[i] = FROST::DKG.compute_signing_share(secret_packages[i], received_package[i], shares)
 end
 
 # Participant 1 compute group public key.
-group_pubkey = FROST::DKG.compute_group_pubkey(secrets[1], received_package[1])
+group_pubkey = FROST::DKG.compute_group_pubkey(secret_packages[1], received_package[1])
 
 # The subsequent signing phase is the same as above with signing_shares as the secret.
 ```
@@ -141,8 +158,10 @@ group_pubkey = FROST::DKG.compute_group_pubkey(secrets[1], received_package[1])
 Using `FROST::Repairable` module, you can repair existing (or new) participant's share with the cooperation of T participants.
 
 ```ruby
+ctx = FROST::Context.new(ECDSA::Group::Secp256k1, FROST::Type::RFC9591)
+dealer = FROST::SigningKey.generate(ctx)
+
 # Dealer generate shares.
-FROST::SigningKey.generate(ECDSA::Group::Secp256k1)
 polynomial = dealer.gen_poly(min_signers - 1)
 shares = 1.upto(max_signers).map {|identifier| polynomial.gen_share(identifier) }
 
@@ -168,9 +187,9 @@ end
 # Each helper send sum value to participant.
 participant_received_values = []
 received_values.each do |_, values|
-  participant_received_values << FROST::Repairable.step2(values, ECDSA::Group::Secp256k1)
+  participant_received_values << FROST::Repairable.step2(ctx, values)
 end
 
-# Participant can obtain his share.
-repair_share = FROST::Repairable.step3(2, participant_received_values, ECDSA::Group::Secp256k1)
+# Participant can get his share.
+repair_share = FROST::Repairable.step3(ctx, 2, participant_received_values)
 ```

data/lib/frost/context.rb

@@ -0,0 +1,87 @@
+module FROST
+  class Context
+
+    CTX_STRING_SECP256K1 = "FROST-secp256k1-SHA256-v1"
+    CTX_STRING_SECP256K1_TR = "FROST-secp256k1-SHA256-TR-v1"
+    CTX_STRING_P256 = "FROST-P256-SHA256-v1"
+
+    attr_reader :group
+    attr_reader :type
+
+    # Constructor
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [Symbol] type FROST::Type
+    # @raise [ArgumentError]
+    def initialize(group, type)
+      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      FROST::Type.validate!(type)
+      @group = group
+      @type = type
+    end
+
+    # Check this context is taproot or not?
+    # @return [Boolean]
+    def taproot?
+      type == FROST::Type::TAPROOT
+    end
+
+    # Get context string.
+    # @return [String] context string.
+    # @raise [ArgumentError]
+    def ctx_string
+      case group
+      when ECDSA::Group::Secp256k1
+        type == FROST::Type::RFC9591 ? CTX_STRING_SECP256K1 : CTX_STRING_SECP256K1_TR
+      when ECDSA::Group::Secp256r1
+        CTX_STRING_P256
+      else
+        # TODO support other suite.
+        raise RuntimeError, "group #{group} dose not supported."
+      end
+    end
+
+    # Normalize elliptic curve point.
+    # If type is BIP-340, return as x-only public key.
+    # @param [ECDSA::Point] point
+    # @return [String] Normalized point string with binary format.
+    def normalize(point)
+      if taproot?
+        ECDSA::Format::FieldElementOctetString.encode(point.x, group.field)
+      else
+        [point.to_hex].pack("H*")
+      end
+    end
+
+    # Negate nonces depending on context.
+    # @param [ECDSA::Point] group_commitment
+    # @param [Array] nonces Pair of nonce values (hiding_nonce, binding_nonce) for signer_i.
+    # @return [Array] Converted nonces.
+    def convert_signer_nocnes(group_commitment, nonces)
+      return nonces unless taproot?
+      group_commitment.y.even? ? nonces : nonces.map(&:to_negate)
+    end
+
+    # Convert commitment share depending on context.
+    # @param [ECDSA::Point] group_commitment
+    # @param [ECDSA::Point] commitment_share
+    # @return [ECDSA::Point] Converted commitment share.
+    def convert_commitment_share(group_commitment, commitment_share)
+      return commitment_share unless taproot?
+      group_commitment.y.even? ? commitment_share : commitment_share.negate
+    end
+
+    # Preprocess verify inputs, negating the VerifyingKey and `signature.R` if required by BIP-340.
+    # @param [ECDSA::Point] public_key
+    # @param [FROST::Signature] signature
+    # @return [Array] An array of public_key and signature.
+    def pre_verify(public_key, signature)
+      if taproot?
+        public_key = public_key.y.even? ? public_key : public_key.negate
+        r = signature.r.y.even? ? signature.r : signature.r.negate
+        [public_key, FROST::Signature.new(self, r, signature.s)]
+      else
+        [public_key, signature]
+      end
+    end
+  end
+end

data/lib/frost/dkg/{package.rb → public_package.rb}

@@ -1,6 +1,6 @@
 module FROST
   module DKG
-    class Package
+    class PublicPackage
       attr_reader :identifier
       attr_reader :commitments
       attr_reader :proof

data/lib/frost/dkg/secret_package.rb

@@ -0,0 +1,59 @@
+module FROST
+  module DKG
+    # Package to hold participants' secret share.
+    class SecretPackage
+
+      attr_reader :identifier
+      attr_reader :polynomial
+      attr_reader :public_package
+      attr_reader :min_signers
+      attr_reader :max_signers
+
+      # Constructor.
+      # @param [Integer] identifier The identifier of this owner.
+      # @param [Integer] min_signers Minimum number of signers.
+      # @param [Integer] max_signers Maximum number of signers.
+      # @param [FROST::Polynomial] polynomial Polynomial with secret share.
+      def initialize(identifier, min_signers, max_signers, polynomial)
+        raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
+        raise ArgumentError, "identifier must be greater than 0." if identifier < 1
+        raise ArgumentError, "min_signers must be Integer." unless min_signers.is_a?(Integer)
+        raise ArgumentError, "max_signers must be Integer." unless max_signers.is_a?(Integer)
+        raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
+        raise ArgumentError, "max_signers must be greater than or equal to min_signers." if max_signers < min_signers
+        raise ArgumentError, "Number of coefficients of polynomial and min_signers do not match." unless min_signers == polynomial.coefficients.length
+
+        @identifier = identifier
+        @min_signers = min_signers
+        @max_signers = max_signers
+        @polynomial = polynomial
+        @public_package = PublicPackage.new(identifier, polynomial.gen_commitments, polynomial.gen_proof_of_knowledge(identifier))
+      end
+
+      # Generate secret share for identifier.
+      # @param [Integer] identifier
+      # @return [FROST::SecretShare] Generate share.
+      def gen_share(identifier)
+        polynomial.gen_share(identifier)
+      end
+
+      # Get group.
+      # @return [ECDSA::Group]
+      def group
+        polynomial.group
+      end
+
+      # Get FROST context.
+      # @return [FROST::Context]
+      def context
+        polynomial.context
+      end
+
+      # Get verification point.
+      # @return [ECDSA::Point]
+      def verification_point
+        polynomial.verification_point
+      end
+    end
+  end
+end

data/lib/frost/dkg.rb

@@ -2,25 +2,28 @@ module FROST
   # Distributed Key Generation feature.
   module DKG
 
-    autoload :Package, "frost/dkg/package"
+    autoload :SecretPackage, "frost/dkg/secret_package"
+    autoload :PublicPackage, "frost/dkg/public_package"
 
     module_function
 
     # Performs the first part of the DKG.
     # Participant generate key and commitments, proof of knowledge for secret.
-    # @param [Integer] identifier
-    # @param [ECDSA::Group] group Group of elliptic curve.
-    # @return [Array] The triple of polynomial and public package(FROST::DKG::Package)
-    def generate_secret(identifier, min_signers, max_signers, group)
+    # @param [FROST::Context] context
+    # @param [Integer] identifier Party's identifier.
+    # @param [Integer] min_signers The number of min signers.
+    # @return [FROST::DKG::SecretPackage] Secret received_package for owner.
+    def generate_secret(context, identifier, min_signers, max_signers)
       raise ArgumentError, "identifier must be Integer" unless identifier.is_a?(Integer)
       raise ArgumentError, "identifier must be greater than 0." if identifier < 1
-      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "context must be FROST::Context." unless context.is_a?(FROST::Context)
+      raise ArgumentError, "min_signers must be Integer." unless min_signers.is_a?(Integer)
+      raise ArgumentError, "max_singers must be Integer." unless max_signers.is_a?(Integer)
       raise ArgumentError, "max_signers must be greater than or equal to min_signers." if max_signers < min_signers
 
-      secret = FROST::SigningKey.generate(group)
-      # Every participant P_i samples t random values (a_{i0}, ..., a_{i(t−1)}) ← Z_q
+      secret = FROST::SigningKey.generate(context)
       polynomial = secret.gen_poly(min_signers - 1)
-      [polynomial, Package.new(identifier, polynomial.gen_commitments, polynomial.gen_proof_of_knowledge(identifier))]
+      SecretPackage.new(identifier, min_signers, max_signers, polynomial)
     end
 
     # Generate proof of knowledge for secret.
@@ -36,45 +39,86 @@ module FROST
       a0 = polynomial.coefficients.first
       a0_g = polynomial.group.generator * a0
       msg = FROST.encode_identifier(identifier, polynomial.group) + [a0_g.to_hex + r.to_hex].pack("H*")
-      challenge = Hash.hdkg(msg, polynomial.group)
+      challenge = Hash.hdkg(msg, polynomial.context)
       field = ECDSA::PrimeField.new(polynomial.group.order)
       s = field.mod(k + a0 * challenge)
-      FROST::Signature.new(r, s)
+      FROST::Signature.new(polynomial.context, r, s)
     end
 
     # Verify proof of knowledge for received commitment.
-    # @param [FROST::DKG::Package] package Received package.
+    # @param [FROST::DKG::SecretPackage] secret_package Verifier's secret package.
+    # @param [FROST::DKG::PublicPackage] received_package Received received_package.
     # @return [Boolean]
-    def verify_proof_of_knowledge(package)
-      raise ArgumentError, "package must be FROST::DKG::Package." unless package.is_a?(FROST::DKG::Package)
+    def verify_proof_of_knowledge(secret_package, received_package)
+      raise ArgumentError, "secret_package must be FROST::DKG::SecretPackage." unless secret_package.is_a?(FROST::DKG::SecretPackage)
+      raise ArgumentError, "received_package must be FROST::DKG::Package." unless received_package.is_a?(FROST::DKG::PublicPackage)
+      raise FROST::Error, "Invalid number of commitments in package." unless secret_package.min_signers == received_package.commitments.length
 
-      verification_key = package.verification_key
-      msg = FROST.encode_identifier(package.identifier, verification_key.group) +
-        [verification_key.to_hex + package.proof.r.to_hex].pack("H*")
-      challenge = Hash.hdkg(msg, verification_key.group)
-      package.proof.r == verification_key.group.generator * package.proof.s + (verification_key * challenge).negate
+      verification_key = received_package.verification_key
+      msg = FROST.encode_identifier(received_package.identifier, verification_key.group) +
+        [verification_key.to_hex + received_package.proof.r.to_hex].pack("H*")
+      challenge = Hash.hdkg(msg, secret_package.polynomial.context)
+      received_package.proof.r == verification_key.group.generator * received_package.proof.s + (verification_key * challenge).negate
     end
 
-    # Compute signing share using received shares from other participants
-    # @param [FROST::Polynomial] polynomial Own polynomial contains own secret.
+    # Compute signing share using received shares from other participants.
+    #
+    # @param [FROST::DKG::SecretPackage] secret_package Own secret received_package.
+    # @param [Array] received_packages Array of FROST::DKG::Package received by other participants.
     # @param [Array] received_shares Array of FROST::SecretShare received by other participants.
     # @return [FROST::SecretShare] Signing share.
-    def compute_signing_share(polynomial, received_shares)
-      raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
+    # @raise [ArgumentError]
+    def compute_signing_share(secret_package, received_packages, received_shares)
+      raise ArgumentError, "polynomial must be FROST::DKG::SecretPackage." unless secret_package.is_a?(FROST::DKG::SecretPackage)
+      raise FROST::Error, "Invalid number of received_shares." unless secret_package.max_signers - 1 == received_shares.length
+      raise ArgumentError, "The number of received_packages and received_shares does not match." unless received_packages.length == received_shares.length
+
       identifier = received_shares.first.identifier
-      s_id = received_shares.sum {|share| share.share}
-      field = ECDSA::PrimeField.new(polynomial.group.order)
-      FROST::SecretShare.new(
-        identifier, field.mod(s_id + polynomial.gen_share(identifier).share), polynomial.group)
+      signing_share = received_shares.sum {|share| share.share}
+      field = ECDSA::PrimeField.new(secret_package.group.order)
+      signing_share = field.mod(signing_share + secret_package.gen_share(identifier).share)
+      ctx = secret_package.polynomial.context
+      if ctx.taproot?
+        # Post-process the DKG output. Add an unusable taproot tweak to the group key computed by a DKG run,
+        # to prevent peers from inserting rogue tapscript tweaks into the group's joint public key.
+        # From BIP-341:
+        # > If the spending conditions do not require a script path, the output key should commit to
+        # > an unspendable script path instead of having no script path.
+        # > This can be achieved by computing the output key  point as Q = P + int(hashTapTweak(bytes(P)))G.
+        verification_key = compute_group_pubkey(secret_package, received_packages, apply_even: false)
+        has_even = verification_key.y.even?
+        unless has_even
+          verification_key = verification_key.negate
+          signing_share = field.mod(-signing_share)
+        end
+        signing_share = field.mod(signing_share + tap_tweak(verification_key))
+      end
+      FROST::SecretShare.new(secret_package.context, identifier, signing_share)
     end
 
     # Compute Group public key.
-    # @param [FROST::Polynomial] polynomial Own polynomial contains own secret.
+    # @param [FROST::DKG::SecretPackage] secret_package Own secret received_package.
     # @param [Array] received_packages Array of FROST::DKG::Package received by other participants.
+    # @param [Boolean] apply_even In taproot context, whether tweak to public key or not.
     # @return [ECDSA::Point] Group public key.
-    def compute_group_pubkey(polynomial, received_packages)
-      raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
-      received_packages.inject(polynomial.verification_point) {|sum, package| sum + package.commitments.first }
+    def compute_group_pubkey(secret_package, received_packages, apply_even: true)
+      raise ArgumentError, "polynomial must be FROST::DKG::SecretPackage." unless secret_package.is_a?(FROST::DKG::SecretPackage)
+      raise FROST::Error, "Invalid number of received_packages." unless secret_package.max_signers - 1 == received_packages.length
+
+      verification_key = received_packages.inject(secret_package.verification_point) {|sum, package| sum + package.commitments.first }
+      if secret_package.polynomial.context.taproot? && apply_even
+        verification_key = verification_key.negate unless verification_key.y.even?
+        verification_key + (verification_key.group.generator * tap_tweak(verification_key))
+      else
+        verification_key
+      end
+    end
+
+    def tap_tweak(point)
+      x_only = ECDSA::Format::IntegerOctetString.encode(point.x, 32)
+      FROST::Hash.tagged_hash('TapTweak', x_only)
     end
+
+    private_class_method :tap_tweak
   end
 end

data/lib/frost/hash.rb

@@ -5,80 +5,77 @@ module FROST
 
     module_function
 
-    CTX_STRING_SECP256K1 = "FROST-secp256k1-SHA256-v1"
-    CTX_STRING_P256 = "FROST-P256-SHA256-v1"
-
     # H1 hash function.
     # @param [String] msg The message to be hashed.
-    # param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [Integer]
-    def h1(msg, group)
-      hash_to_field(msg, group, "rho")
+    def h1(msg, context)
+      hash_to_field(msg, context, "rho")
     end
 
-    # H3 hash function.
+    # H2 hash function.
     # @param [String] msg The message to be hashed.
-    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [Integer]
-    def h2(msg, group)
-      hash_to_field(msg, group, "chal")
+    def h2(msg, context)
+      if context.taproot?
+        tagged_hash('BIP0340/challenge', msg)
+      else
+        hash_to_field(msg, context, "chal")
+      end
     end
 
     # H3 hash function.
     # @param [String] msg The message to be hashed.
-    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [Integer]
-    def h3(msg, group)
-      hash_to_field(msg, group, "nonce")
+    def h3(msg, context)
+      hash_to_field(msg, context, "nonce")
     end
 
     # H4 hash function.
     # @param [String] msg The message to be hashed.
-    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [String] The hash value.
-    def h4(msg, group)
-      hash(msg, group, "msg")
+    def h4(msg, context)
+      hash(msg, context, "msg")
     end
 
     # H5 hash function.
     # @param [String] msg The message to be hashed.
-    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [String] The hash value.
-    def h5(msg, group)
-      hash(msg, group, "com")
+    def h5(msg, context)
+      hash(msg, context, "com")
     end
 
     # Hash function for a FROST ciphersuite, used for the DKG.
     # @param [String] msg The message to be hashed.
-    # @param [ECDSA::Group] group The elliptic curve group.
+    # @param [FROST::Context] context FROST context.
     # @return [Integer] The hash value.
-    def hdkg(msg, group)
-      hash_to_field(msg, group, "dkg")
+    def hdkg(msg, context)
+      hash_to_field(msg, context, "dkg")
     end
 
-    def hash_to_field(msg, group, context)
-      h2c = case group
+    def hash_to_field(msg, context, tag)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
+      h2c = case context.group
             when ECDSA::Group::Secp256k1
-              H2C.get(H2C::Suite::SECP256K1_XMDSHA256_SSWU_NU_, CTX_STRING_SECP256K1 + context)
+              H2C.get(H2C::Suite::SECP256K1_XMDSHA256_SSWU_NU_, context.ctx_string + tag)
             when ECDSA::Group::Secp256r1
-              H2C.get(H2C::Suite::P256_XMDSHA256_SSWU_NU_, CTX_STRING_P256 + context)
-            else
-              # TODO support other suite.
-              raise RuntimeError, "group #{group} dose not supported."
+              H2C.get(H2C::Suite::P256_XMDSHA256_SSWU_NU_, context.ctx_string + tag)
             end
-      h2c.hash_to_field(msg, 1, group.order).first
+      h2c.hash_to_field(msg, 1, context.group.order).first
     end
 
-    def hash(msg, group, context)
-      case group
-      when ECDSA::Group::Secp256k1
-        Digest::SHA256.digest(CTX_STRING_SECP256K1 + context + msg)
-      when ECDSA::Group::Secp256r1
-        Digest::SHA256.digest(CTX_STRING_P256 + context + msg)
-      else
-        # TODO support other suite.
-        raise RuntimeError, "group #{group} dose not supported."
-      end
+    def hash(msg, context, tag)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
+      Digest::SHA256.digest(context.ctx_string + tag + msg)
+    end
+
+    def tagged_hash(tag, msg)
+      tag_hash = Digest::SHA256.digest(tag)
+      Digest::SHA256.hexdigest(tag_hash + tag_hash + msg).to_i(16)
     end
   end
 end

data/lib/frost/nonce.rb

@@ -2,15 +2,23 @@ module FROST
   class Nonce
 
     attr_reader :value # nonce value
-    attr_reader :group # Group of elliptic curve
+    attr_reader :context # Group of elliptic curve
 
     # Generate nonce.
+    # @param [FROST::Context] context
+    # @param [Integer] nonce
     # @return [FROST::Nonce]
-    def initialize(nonce, group)
-      raise ArgumentError, "group must by ECDSA::Group." unless group.is_a?(ECDSA::Group)
-      raise ArgumentError, "nonce must by Integer." unless nonce.is_a?(Integer)
+    def initialize(context, nonce)
+      raise ArgumentError, "context must be FROST::Context." unless context.is_a?(FROST::Context)
+      raise ArgumentError, "nonce must be Integer." unless nonce.is_a?(Integer)
       @value = nonce
-      @group = group
+      @context = context
+    end
+
+    # Get group
+    # @return [ECDSA::Group]
+    def group
+      context.group
     end
 
     # Generate nonce from secret share.
@@ -32,8 +40,8 @@ module FROST
 
       secret_bytes = ECDSA::Format::IntegerOctetString.encode(secret.scalar, 32)
       msg = random_bytes + secret_bytes
-      nonce = FROST::Hash.h3(msg, secret.group)
-      Nonce.new(nonce, secret.group)
+      k = FROST::Hash.h3(msg, secret.context)
+      Nonce.new(secret.context, k)
     end
 
     private_class_method :gen_from_random_bytes
@@ -50,5 +58,11 @@ module FROST
       group.generator * value
     end
 
+    # Generate negated nonce.
+    # @return [FROST::Nonce] Negated nonce.
+    def to_negate
+      Nonce.new(context, group.order - value)
+    end
+
   end
 end

data/lib/frost/polynomial.rb

@@ -3,32 +3,44 @@ module FROST
   # Polynomial class.
   class Polynomial
     attr_reader :coefficients
-    attr_reader :group
+    attr_reader :context
 
     # Generate polynomial.
+    # @param [FROST::Context] context
     # @param [Array] coefficients Coefficients of polynomial.
     # The first is the constant term, followed by the coefficients in descending order of order.
-    # @param [ECDSA::Group] group
-    def initialize(coefficients, group)
+    # @raise [ArgumentError]
+    #
+    def initialize(context, coefficients)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
       raise ArgumentError, "coefficients must be an Array." unless coefficients.is_a?(Array)
-      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
       raise ArgumentError, "Two or more coefficients are required." if coefficients.length < 2
+      coefficients.each do |coefficient|
+        raise ArgumentError "coefficient must be Integer." unless coefficient.is_a?(Integer)
+      end
 
       @coefficients = coefficients
-      @group = group
+      @context = context
+    end
+
+    # Get group
+    # @return [ECDSA::Group]
+    def group
+      context.group
     end
 
     # Generate random polynomial using secret as constant term.
+    # @param [FROST::Context] context
     # @param [Integer|FROST::SigningKey] secret Secret value as constant term.
     # @param [Integer] degree Degree of polynomial.
     # @return [FROST::Polynomial] Polynomial
-    def self.from_secret(secret, degree, group)
+    def self.from_secret(context, secret, degree)
       secret = secret.scalar if secret.is_a?(FROST::SigningKey)
       raise ArgumentError, "secret must be Integer." unless secret.is_a?(Integer)
       raise ArgumentError, "degree must be Integer." unless degree.is_a?(Integer)
       raise ArgumentError, "degree must be greater than or equal to 1." if degree < 1
-      coeffs = degree.times.map {SecureRandom.random_number(group.order - 1)}
-      Polynomial.new(coeffs.prepend(secret), group)
+      coeffs = degree.times.map {SecureRandom.random_number(context.group.order - 1)}
+      Polynomial.new(context, coeffs.prepend(secret))
     end
 
     # Generate secret share.
@@ -37,8 +49,8 @@ module FROST
     def gen_share(identifier)
       raise ArgumentError, "identifiers must be Integer." unless identifier.is_a?(Integer)
 
-      return SecretShare.new(identifier, 0, group) if coefficients.empty?
-      return SecretShare.new(identifier, coefficients.last, group) if identifier == 0
+      return SecretShare.new(context, identifier, 0) if coefficients.empty?
+      return SecretShare.new(context, identifier, coefficients.last) if identifier == 0
 
       # Calculate using Horner's method.
       last = coefficients.last
@@ -46,7 +58,7 @@ module FROST
         tmp = last * identifier
         last = (tmp + coefficients[i]) % group.order
       end
-      SecretShare.new(identifier, last, group)
+      SecretShare.new(context, identifier, last)
     end
 
     # Generate coefficient commitments

data/lib/frost/repairable.rb

@@ -31,26 +31,26 @@ module FROST
 
     # Step 2 for RTS.
     # Each helper sum received delta values from other helpers.
+    # @param [FROST::Context] context
     # @param [Array] step1_values Array of delta values.
-    # @param [ECDSA::Group] group
     # @return [Integer] Sum of delta values.
-    def step2(step1_values, group)
-      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+    def step2(context, step1_values)
+      raise ArgumentError, "context must be FROST::Context." unless context.is_a?(FROST::Context)
 
-      field = ECDSA::PrimeField.new(group.order)
+      field = ECDSA::PrimeField.new(context.group.order)
       field.mod(step1_values.sum)
     end
 
     # Participant compute own share with received sum of delta value.
+    # @param [FROST::Context] context
     # @param [Integer] identifier Identifier of the participant whose shares you want to restore.
     # @param [Array] step2_results Array of Step 2 results received from other helpers.
-    # @param [ECDSA::Group] group
     # @return
-    def step3(identifier, step2_results, group)
-      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+    def step3(context, identifier, step2_results)
+      raise ArgumentError, "context must be FROST::Context." unless context.is_a?(FROST::Context)
 
-      field = ECDSA::PrimeField.new(group.order)
-      FROST::SecretShare.new(identifier, field.mod(step2_results.sum), group)
+      field = ECDSA::PrimeField.new(context.group.order)
+      FROST::SecretShare.new(context, identifier, field.mod(step2_results.sum))
     end
   end
 end

data/lib/frost/secret_share.rb

@@ -3,19 +3,26 @@ module FROST
   class SecretShare
     attr_reader :identifier
     attr_reader :share
-    attr_reader :group
+    attr_reader :context
 
     # Generate secret share.
+    # @param [FROST::Context] context
     # @param [Integer] identifier Identifier of this share.
     # @param [Integer] share A share.
-    def initialize(identifier, share, group)
+    def initialize(context, identifier, share)
       raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
       raise ArgumentError, "share must be Integer." unless share.is_a?(Integer)
-      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
 
       @identifier = identifier
       @share = share
-      @group = group
+      @context = context
+    end
+
+    # Get group
+    # @return [ECDSA::Group]
+    def group
+      context.group
     end
 
     # Compute public key.
@@ -27,7 +34,7 @@ module FROST
     # Generate signing share key.
     # @return [FROST::SigningKey]
     def to_key
-      FROST::SigningKey.new(share, group)
+      FROST::SigningKey.new(context, share)
     end
   end
 end

data/lib/frost/signature.rb

@@ -3,16 +3,20 @@ module FROST
   class Signature
     attr_reader :r
     attr_reader :s
+    attr_reader :context
 
     # Constructor
+    # @param [FROST::Context] context
     # @param [ECDSA::Point] r Public nonce of signature.
     # @param [Integer] s Scalar value of signature.
-    def initialize(r, s)
+    def initialize(context, r, s)
       raise ArgumentError, "r must be ECDSA::Point" unless r.is_a?(ECDSA::Point)
       raise ArgumentError, "s must be Integer" unless s.is_a?(Integer)
+      raise ArgumentError, "context must be FROST::Context" unless context.is_a?(FROST::Context)
 
       @r = r
       @s = s
+      @context = context
     end
 
     # Encode signature to hex string.
@@ -24,19 +28,31 @@ module FROST
     # Encode signature to byte string.
     # @return [String]
     def encode
-      ECDSA::Format::PointOctetString.encode(r, compression: true) +
-        ECDSA::Format::IntegerOctetString.encode(s, 32)
+      if context.taproot?
+        ECDSA::Format::IntegerOctetString.encode(r.x, context.group.byte_length) +
+          ECDSA::Format::IntegerOctetString.encode(s, context.group.byte_length)
+      else
+        ECDSA::Format::PointOctetString.encode(r, compression: true) +
+          ECDSA::Format::IntegerOctetString.encode(s, context.group.byte_length)
+      end
     end
 
     # Decode hex value to FROST::Signature.
+    # @param [FROST::Context] context
     # @param [String] hex_value Hex value of signature.
-    # @param [ECDSA::Group] group Group of elliptic curve.
     # @return [FROST::Signature]
-    def self.decode(hex_value, group)
+    # @raise [ArgumentError]
+    def self.decode(context, hex_value)
+      raise ArgumentError, "context must be FROST::Context" unless context.is_a?(FROST::Context)
+      raise ArgumentError, "hex value must be String" unless hex_value.is_a?(String)
+
       data = [hex_value].pack("H*")
-      r = ECDSA::Format::PointOctetString.decode(data[0...33], group)
-      s = ECDSA::Format::IntegerOctetString.decode(data[33..-1])
-      Signature.new(r,s )
+      data = [0x02].pack('C') + data if context.taproot?
+      len = context.group.byte_length + 1
+
+      r = ECDSA::Format::PointOctetString.decode(data[0...len], context.group)
+      s = ECDSA::Format::IntegerOctetString.decode(data[len..-1])
+      Signature.new(context, r, s)
     end
   end
 end

data/lib/frost/signing_key.rb

@@ -2,32 +2,44 @@ module FROST
   # A signing key for a Schnorr signature on a FROST.
   class SigningKey
     attr_reader :scalar
-    attr_reader :group
+    attr_reader :context
 
     # Constructor
+    # @param [FROST::Context] context Frost context.
     # @param [Integer] scalar secret key value.
-    # @param [ECDSA::Group] group Group of elliptic curve.
-    def initialize(scalar, group = ECDSA::Group::Secp256k1)
+    def initialize(context, scalar)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
       raise ArgumentError, "scalar must be integer." unless scalar.is_a?(Integer)
-      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
-      raise ArgumentError, "Invalid scalar range." if scalar < 1 || group.order - 1 < scalar
+      raise ArgumentError, "Invalid scalar range." if scalar < 1 || context.group.order - 1 < scalar
 
       @scalar = scalar
-      @group = group
+      @context = context
+    end
+
+    # Get group
+    # @return [ECDSA::Group]
+    def group
+      context.group
     end
 
     # Generate signing key.
-    # @param [ECDSA::Group] group Group of elliptic curve.
-    def self.generate(group)
-      scalar = 1 + SecureRandom.random_number(group.order - 1)
-      SigningKey.new(scalar, group)
+    # @param [FROST::Context] context
+    def self.generate(context)
+      raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
+      scalar = 1 + SecureRandom.random_number(context.group.order - 1)
+      key = SigningKey.new(context, scalar)
+      if context.taproot? && !key.to_point.y.even?
+        self.generate(context)
+      else
+        key
+      end
     end
 
     # Generate random polynomial using this secret.
     # @param [Integer] degree Degree of polynomial.
     # @return [FROST::Polynomial] A polynomial
     def gen_poly(degree)
-      Polynomial.from_secret(scalar, degree, group)
+      Polynomial.from_secret(context, scalar, degree)
     end
 
     # Compute public key.

data/lib/frost/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FROST
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/lib/frost.rb

@@ -9,6 +9,7 @@ require 'h2c'
 module FROST
   class Error < StandardError; end
 
+  autoload :Context, 'frost/context'
   autoload :Signature, "frost/signature"
   autoload :Commitments, "frost/commitments"
   autoload :Hash, "frost/hash"
@@ -19,6 +20,27 @@ module FROST
   autoload :DKG, "frost/dkg"
   autoload :Repairable, "frost/repairable"
 
+  module Type
+    RFC9591 = :rfc9591
+    TAPROOT = :taproot
+
+    module_function
+
+    # Check whether valid type or not.
+    # @param [Symbol] type
+    # @return [Boolean]
+    def supported?(type)
+      [RFC9591, TAPROOT].include?(type)
+    end
+
+    # Validate type
+    # @param [Symbol] type
+    # @raise [ArgumentError]
+    def validate!(type)
+      raise ArgumentError, "Unsupported type: #{type}." unless supported?(type)
+    end
+  end
+
   module_function
 
   # Encode identifier
@@ -36,23 +58,26 @@ module FROST
 
   # Compute binding factors.
   # https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-15.html#name-binding-factors-computation
+  # @param [FROST::Context] context
   # @param [ECDSA::Point] group_pubkey
   # @param [Array] commitment_list The list of commitments issued by each participants.
   # This list must be sorted in ascending order by identifier.
   # @param [String] msg The message to be signed.
   # @return [Hash] The hash of binding factor.
-  def compute_binding_factors(group_pubkey, commitment_list, msg)
+  def compute_binding_factors(context, group_pubkey, commitment_list, msg)
+    raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
     raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
     raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+    raise ArgumentError, "group_pubkey and context groups are different." unless context.group == group_pubkey.group
 
-    msg_hash = Hash.h4(msg, group_pubkey.group)
+    msg_hash = Hash.h4(msg, context)
     encoded_commitment = Commitments.encode_group_commitment(commitment_list)
-    encoded_commitment_hash = Hash.h5(encoded_commitment, group_pubkey.group)
+    encoded_commitment_hash = Hash.h5(encoded_commitment, context)
     rho_input_prefix = [group_pubkey.to_hex].pack("H*") + msg_hash + encoded_commitment_hash
     binding_factors = {}
     commitment_list.each do |commitments|
-      preimage = rho_input_prefix + encode_identifier(commitments.identifier, group_pubkey.group)
-      binding_factors[commitments.identifier] = Hash.h1(preimage, group_pubkey.group)
+      preimage = rho_input_prefix + encode_identifier(commitments.identifier, context.group)
+      binding_factors[commitments.identifier] = Hash.h1(preimage, context)
     end
     binding_factors
   end
@@ -70,29 +95,39 @@ module FROST
   end
 
   # Create the per-message challenge.
+  # If context type is BIP-340(taproot), only the X coordinate of R and group_pubkey are hashed, unlike vanilla FROST.
   # @param [ECDSA::Point] group_commitment The group commitment.
   # @param [ECDSA::Point] group_pubkey The public key corresponding to the group signing key.
   # @param [String] msg The message to be signed.
-  def compute_challenge(group_commitment, group_pubkey, msg)
+  # @return [Integer] challenge
+  def compute_challenge(context, group_commitment, group_pubkey, msg)
+    raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
     raise ArgumentError, "group_commitment must be ECDSA::Point." unless group_commitment.is_a?(ECDSA::Point)
     raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
     raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+    raise ArgumentError, "group_pubkey and context groups are different." unless context.group == group_pubkey.group
 
-    input = [group_commitment.to_hex + group_pubkey.to_hex].pack("H*") + msg
-    Hash.h2(input, group_commitment.group)
+    preimage = context.normalize(group_commitment) + context.normalize(group_pubkey) + msg
+    Hash.h2(preimage, context)
   end
 
   # Generate signature share.
+  # @param [FROST::Context] context FROST context.
   # @param [FROST::SecretShare] secret_share Signer secret key share.
   # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
   # @param [Array] nonces Pair of nonce values (hiding_nonce, binding_nonce) for signer_i.
   # @param [String] msg The message to be signed
   # @param [Array] commitment_list A list of commitments issued by each participant.
   # @return [Integer] A signature share.
-  def sign(secret_share, group_pubkey, nonces, msg, commitment_list)
+  def sign(context, secret_share, group_pubkey, nonces, msg, commitment_list)
+    raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
+    raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+    raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "group_pubkey and context groups are different." unless context.group == group_pubkey.group
+
     identifier = secret_share.identifier
     # Compute binding factors
-    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    binding_factors = compute_binding_factors(context, group_pubkey, commitment_list, msg)
     binding_factor = binding_factors[identifier]
 
     # Compute group commitment
@@ -100,42 +135,46 @@ module FROST
 
     # Compute Lagrange coefficient
     identifiers = commitment_list.map(&:identifier)
-    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, group_pubkey.group)
+    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, context.group)
 
     # Compute the per-message challenge
-    challenge = compute_challenge(group_commitment, group_pubkey, msg)
+    challenge = compute_challenge(context, group_commitment, group_pubkey, msg)
 
     # Compute the signature share
-    hiding_nonce, binding_nonce = nonces
+    hiding_nonce, binding_nonce = context.convert_signer_nocnes(group_commitment, nonces)
     field = ECDSA::PrimeField.new(group_pubkey.group.order)
     field.mod(hiding_nonce.value +
                 field.mod(binding_nonce.value * binding_factor) + field.mod(lambda_i * secret_share.share * challenge))
   end
 
   # Aggregates the signature shares to produce a final signature that can be verified with the group public key.
+  # @param [FROST::Context] context FROST context.
   # @param [Array] commitment_list A list of commitments issued by each participant.
   # @param [String] msg The message to be signed.
   # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
   # @param [Array] sig_shares A set of signature shares z_i, integer values.
   # @return [FROST::Signature] Schnorr signature.
-  def aggregate(commitment_list, msg, group_pubkey, sig_shares)
+  def aggregate(context, commitment_list, msg, group_pubkey, sig_shares)
+    raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
     raise ArgumentError, "msg must be String." unless msg.is_a?(String)
     raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "group_pubkey and context groups are different." unless context.group == group_pubkey.group
     raise ArgumentError, "The numbers of commitment_list and sig_shares do not match." unless commitment_list.length == sig_shares.length
 
-    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    binding_factors = compute_binding_factors(context, group_pubkey, commitment_list, msg)
     group_commitment = compute_group_commitment(commitment_list, binding_factors)
 
-    field = ECDSA::PrimeField.new(group_pubkey.group.order)
+    field = ECDSA::PrimeField.new(context.group.order)
     s = sig_shares.inject(0) do |sum, z_i|
       raise ArgumentError, "sig_shares must be array of integer" unless z_i.is_a?(Integer)
       field.mod(sum + z_i)
     end
 
-    Signature.new(group_commitment, field.mod(s))
+    Signature.new(context, group_commitment, field.mod(s))
   end
 
   # Verify signature share.
+  # @param [FROST::Context] context FROST context.
   # @param [Integer] identifier Identifier i of the participant.
   # @param [ECDSA::Point] pubkey_i The public key for the i-th participant
   # @param [Integer] sig_share_i Integer value indicating the signature share as produced
@@ -144,13 +183,15 @@ module FROST
   # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
   # @param [String] msg The message to be signed.
   # @return [Boolean] Verification result.
-  def verify_share(identifier, pubkey_i, sig_share_i, commitment_list, group_pubkey, msg)
+  def verify_share(context, identifier, pubkey_i, sig_share_i, commitment_list, group_pubkey, msg)
+    raise ArgumentError "context must be FROST::Context." unless context.is_a?(FROST::Context)
     raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
     raise ArgumentError, "sig_share_i must be Integer." unless sig_share_i.is_a?(Integer)
     raise ArgumentError, "pubkey_i must be ECDSA::Point." unless pubkey_i.is_a?(ECDSA::Point)
     raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "group_pubkey and context groups are different." unless context.group == group_pubkey.group
 
-    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    binding_factors = compute_binding_factors(context, group_pubkey, commitment_list, msg)
     binding_factor = binding_factors[identifier]
     group_commitment = compute_group_commitment(commitment_list, binding_factors)
     comm_i = commitment_list.find{|c| c.identifier == identifier}
@@ -159,11 +200,11 @@ module FROST
     raise ArgumentError, "hiding_commitment must be ECDSA::Point." unless hiding_commitment.is_a?(ECDSA::Point)
     raise ArgumentError, "binding_commitment must be ECDSA::Point." unless binding_commitment.is_a?(ECDSA::Point)
 
-    comm_share = hiding_commitment + binding_commitment * binding_factor
-    challenge = compute_challenge(group_commitment, group_pubkey, msg)
+    comm_share = context.convert_commitment_share(group_commitment, hiding_commitment + binding_commitment * binding_factor)
+    challenge = compute_challenge(context, group_commitment, group_pubkey, msg)
     identifiers = commitment_list.map(&:identifier)
-    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, group_pubkey.group)
-    l = group_pubkey.group.generator * sig_share_i
+    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, context.group)
+    l = context.group.generator * sig_share_i
     r = comm_share + pubkey_i * (challenge * lambda_i)
     l == r
   end
@@ -176,10 +217,14 @@ module FROST
   def verify(signature, public_key, msg)
     raise ArgumentError, "signature must be FROST::Signature" unless signature.is_a?(FROST::Signature)
     raise ArgumentError, "public_key must be ECDSA::Point" unless public_key.is_a?(ECDSA::Point)
+    raise ArgumentError, "public_key and context groups are different." unless signature.context.group == public_key.group
     raise ArgumentError, "msg must be String." unless msg.is_a?(String)
 
+    context = signature.context
+    public_key, signature = context.pre_verify(public_key, signature)
+
     # Compute challenge
-    challenge = compute_challenge(signature.r, public_key, msg)
+    challenge = compute_challenge(context, signature.r, public_key, msg)
 
     s_g = public_key.group.generator * signature.s
     c_p = public_key * challenge

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: frostrb
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - azuchi
-autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-02-19 00:00:00.000000000 Z
+date: 2025-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ecdsa_ext
@@ -59,8 +58,10 @@ files:
 - frost.gemspec
 - lib/frost.rb
 - lib/frost/commitments.rb
+- lib/frost/context.rb
 - lib/frost/dkg.rb
-- lib/frost/dkg/package.rb
+- lib/frost/dkg/public_package.rb
+- lib/frost/dkg/secret_package.rb
 - lib/frost/hash.rb
 - lib/frost/nonce.rb
 - lib/frost/polynomial.rb
@@ -77,7 +78,6 @@ metadata:
   homepage_uri: https://github.com/azuchi/frostrb
   source_code_uri: https://github.com/azuchi/frostrb
   changelog_uri: https://github.com/azuchi/frostrb
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -92,8 +92,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Ruby implementations of Two-Round Threshold Schnorr Signatures with FROST.
 test_files: []