frostrb 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '09af4e893de9e1260635431b1feef84a9eb6273534f0f9e7e2e4bcde82d8788e'
+  data.tar.gz: 66f39e7bff887c34c65844ac42b94d8e77cdd7fb86caedb575d8ae0a7c0b12a1
+SHA512:
+  metadata.gz: ba8c33e24ace6174176ec30bb5afaf0222e6c5046df34960ca28c8772286c236611bdb119c3184448fc308f491d1408e57a7fa1c715e3a7e0036e557a6788c46
+  data.tar.gz: b738d2fe05fa151032e9ff877758f580d6d96153ce179b384a95d6e353ce3e5003638622afbdfd2a4c219825d45f77e78f3e5238484b4cb34de5f8e8de8b768a

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.ruby-gemset

@@ -0,0 +1 @@
+frostrb

data/.ruby-version

@@ -0,0 +1 @@
+ruby-3.3.0

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2024-01-29
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at azuchi@chaintope.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in frost.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 azuchi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,137 @@
+# FROST for Ruby [![Build Status](https://github.com/azuchi/frostrb/actions/workflows/main.yml/badge.svg?branch=master)](https://github.com/azuchi/frostrb/actions/workflows/main.yml)
+
+This library is ruby implementations of ['Two-Round Threshold Schnorr Signatures with FROST'](https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost/).
+
+Note: This library has not been security audited and tested widely, so should not be used in production.
+
+The cipher suites currently supported by this library are:
+
+* [secp256k1, SHA-256](https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-frostsecp256k1-sha-256)
+* [P-256, SHA-256](https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-14.html#name-frostp-256-sha-256) 
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'frostrb', require: 'frost'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install frostrb
+
+## Usage
+
+```ruby
+require 'frost'
+
+group = ECDSA::Group::Secp256k1
+
+# Dealer generate secret.
+secret = FROST::SigningKey.generate(group)
+group_pubkey = secret.to_point
+
+# Generate polynomial(f(x) = ax + b)
+polynomial = secret.gen_poly(1)
+
+# Calculate secret shares.
+share1 = polynomial.gen_share(1)
+share2 = polynomial.gen_share(2)
+share3 = polynomial.gen_share(3)
+
+# Round 1: Generate nonce and commitment
+## each party generate hiding and binding nonce.
+hiding_nonce1 = FROST::Nonce.gen_from_secret(share1)
+binding_nonce1 = FROST::Nonce.gen_from_secret(share1)
+hiding_nonce3 = FROST::Nonce.gen_from_secret(share3)
+binding_nonce3 = FROST::Nonce.gen_from_secret(share3)
+
+comm1 = FROST::Commitments.new(1, hiding_nonce1.to_point, binding_nonce1.to_point)
+comm3 = FROST::Commitments.new(3, hiding_nonce3.to_point, binding_nonce3.to_point)
+commitment_list = [comm1, comm3]
+
+msg = ["74657374"].pack("H*")
+
+# Round 2: each participant generates their signature share(1 and 3)
+sig_share1 = FROST.sign(share1, group_pubkey, [hiding_nonce1, binding_nonce1], msg, commitment_list)
+sig_share3 = FROST.sign(share3, group_pubkey, [hiding_nonce3, binding_nonce3], msg, commitment_list)
+
+# verify signature share
+FROST.verify_share(1, share1.to_point, sig_share1, commitment_list, group_pubkey, msg)
+FROST.verify_share(3, share3.to_point, sig_share3, commitment_list, group_pubkey, msg)
+
+# Aggregation
+sig = FROST.aggregate(commitment_list, msg, group_pubkey, [sig_share1, sig_share3])
+
+# verify final signature
+FROST.verify(sig, group_pubkey, msg)
+```
+
+### Using DKG
+
+DKG can be run as below.
+
+```ruby
+max_signer = 5
+min_signer = 3
+
+secrets = {}
+round1_outputs = {}
+# Round 1:
+# For each participant, perform the first part of the DKG protocol.
+1.upto(max_signer) do |i|
+  polynomial, package = FROST::DKG.part1(i, min_signer, max_signer, group)
+  secrets[i] = polynomial
+  round1_outputs[i] = package
+end
+
+# Each participant sends their commitments and proof to other participants.
+received_package = {}
+1.upto(max_signer) do |i|
+  received_package[i] = round1_outputs.select {|k, _| k != i}.values
+end
+
+# Each participant verify knowledge of proof in received package.
+received_package.each do |id, packages|
+  packages.each do |package|
+    expect(FROST::DKG.verify_proof_of_knowledge(package)).to be true
+  end
+end
+
+# Round 2:
+# Each participant generate share for other participants and send it.
+received_shares = {}
+1.upto(max_signer) do |i|
+  polynomial = secrets[i] # own secret
+  1.upto(max_signer) do |o|
+    next if i == o
+    received_shares[o] ||= []
+    received_shares[o] << [i, polynomial.gen_share(o)]
+  end
+end
+
+# Each participant verify received shares.
+1.upto(max_signer) do |i|
+  received_shares[i].each do |send_by, share|
+    target_package = received_package[i].find{ |package| package.identifier == send_by }
+    expect(target_package.verify_share(share)).to be true
+  end
+end
+
+# Each participant compute signing share.
+signing_shares = {}
+1.upto(max_signer) do |i|
+  shares = received_shares[i].map{|_, share| share}
+  signing_shares[i] = FROST::DKG.compute_signing_share(secrets[i], shares)
+end
+
+# Participant 1 compute group public key.
+group_pubkey = FROST::DKG.compute_group_pubkey(secrets[1], received_package[1])
+
+# The subsequent signing phase is the same as above with signing_shares as the secret.
+```

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "frost"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/frost.gemspec

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "lib/frost/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "frostrb"
+  spec.version = FROST::VERSION
+  spec.authors = ["azuchi"]
+  spec.email = ["azuchi@chaintope.com"]
+
+  spec.summary = "Ruby implementations of Two-Round Threshold Schnorr Signatures with FROST."
+  spec.description = spec.summary
+  spec.homepage = "https://github.com/azuchi/frostrb"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.0.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  spec.add_dependency "ecdsa_ext", "~> 0.5.1"
+  spec.add_dependency "h2c", "~> 0.2.1"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/lib/frost/commitments.rb

@@ -0,0 +1,36 @@
+module FROST
+  # Participant commitment
+  class Commitments
+
+    attr_reader :identifier
+    attr_reader :hiding
+    attr_reader :binding
+
+    # Constructor
+    # @param [Integer] identifier Identifier of participant.
+    # @param [ECDSA::Point] hiding Commitment point.
+    # @param [ECDSA::Point] binding Commitment point.
+    def initialize(identifier, hiding, binding)
+      raise ArgumentError, "id must be Integer." unless identifier.is_a?(Integer)
+      raise ArgumentError, "id must be greater than 0." if identifier < 1
+      raise ArgumentError, "hiding must be ECDSA::Point." unless hiding.is_a?(ECDSA::Point)
+      raise ArgumentError, "binding must be ECDSA::Point." unless binding.is_a?(ECDSA::Point)
+
+      @identifier = identifier
+      @hiding = hiding
+      @binding = binding
+    end
+
+    def encode
+      id = FROST.encode_identifier(identifier, hiding.group)
+      id + [hiding.to_hex + binding.to_hex].pack("H*")
+    end
+
+    # Encodes a list of participant commitments into a byte string
+    # @param [Array] commitment_list The list of FROST::Commitments
+    # @return [String] The encoded byte string.
+    def self.encode_group_commitment(commitment_list)
+      commitment_list.map(&:encode).join
+    end
+  end
+end

data/lib/frost/dkg/package.rb

@@ -0,0 +1,42 @@
+module FROST
+  module DKG
+    class Package
+      attr_reader :identifier
+      attr_reader :commitments
+      attr_reader :proof
+
+      # Constructor
+      # @param [Integer] identifier
+      # @param [Array] commitments The list of commitment.
+      # @param [FROST::Signature] proof
+      def initialize(identifier, commitments, proof)
+        raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
+        raise ArgumentError, "identifier must be greater than 0." if identifier < 1
+        raise ArgumentError, "proof must be FROST::Signature." unless proof.is_a?(FROST::Signature)
+
+        @identifier = identifier
+        @commitments = commitments
+        @proof = proof
+      end
+
+      # Get verification key for this proof.
+      # @return [ECDSA::Point]
+      def verification_key
+        commitments.first
+      end
+
+      # Verify share.
+      # @param [FROST::SecretShare] share
+      # @return [Boolean]
+      def verify_share(share)
+        x = share.identifier
+        result = commitments[1..-1].inject(commitments.first) do |sum, com|
+          tmp = com * x
+          x *= x
+          sum + tmp
+        end
+        result == share.to_point
+      end
+    end
+  end
+end

data/lib/frost/dkg.rb

@@ -0,0 +1,80 @@
+module FROST
+  # Distributed Key Generation feature.
+  module DKG
+
+    autoload :Package, "frost/dkg/package"
+
+    module_function
+
+    # Performs the first part of the DKG.
+    # Participant generate key and commitments, proof of knowledge for secret.
+    # @param [Integer] identifier
+    # @param [ECDSA::Group] group Group of elliptic curve.
+    # @return [Array] The triple of polynomial and public package(FROST::DKG::Package)
+    def part1(identifier, min_signers, max_signers, group)
+      raise ArgumentError, "identifier must be Integer" unless identifier.is_a?(Integer)
+      raise ArgumentError, "identifier must be greater than 0." if identifier < 1
+      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "max_signers must be greater than or equal to min_signers." if max_signers < min_signers
+
+      secret = FROST::SigningKey.generate(group)
+      # Every participant P_i samples t random values (a_{i0}, ..., a_{i(t−1)}) ← Z_q
+      polynomial = secret.gen_poly(min_signers - 1)
+      [polynomial, Package.new(identifier, polynomial.gen_commitments, polynomial.gen_proof_of_knowledge(identifier))]
+    end
+
+    # Generate proof of knowledge for secret.
+    # @param [Integer] identifier Identifier of the owner of polynomial.
+    # @param [FROST::Polynomial] polynomial Polynomial containing secret.
+    # @return [FROST::Signature]
+    def gen_proof_of_knowledge(identifier, polynomial)
+      raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
+      raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
+
+      k = SecureRandom.random_number(polynomial.group.order - 1)
+      r = polynomial.group.generator * k
+      a0 = polynomial.coefficients.first
+      a0_g = polynomial.group.generator * a0
+      msg = FROST.encode_identifier(identifier, polynomial.group) + [a0_g.to_hex + r.to_hex].pack("H*")
+      challenge = Hash.hdkg(msg, polynomial.group)
+      field = ECDSA::PrimeField.new(polynomial.group.order)
+      s = field.mod(k + a0 * challenge)
+      FROST::Signature.new(r, s)
+    end
+
+    # Verify proof of knowledge for received commitment.
+    # @param [FROST::DKG::Package] package Received package.
+    # @return [Boolean]
+    def verify_proof_of_knowledge(package)
+      raise ArgumentError, "package must be FROST::DKG::Package." unless package.is_a?(FROST::DKG::Package)
+
+      verification_key = package.verification_key
+      msg = FROST.encode_identifier(package.identifier, verification_key.group) +
+        [verification_key.to_hex + package.proof.r.to_hex].pack("H*")
+      challenge = Hash.hdkg(msg, verification_key.group)
+      package.proof.r == verification_key.group.generator * package.proof.s + (verification_key * challenge).negate
+    end
+
+    # Compute signing share using received shares from other participants
+    # @param [FROST::Polynomial] polynomial Own polynomial contains own secret.
+    # @param [Array] received_shares Array of FROST::SecretShare received by other participants.
+    # @return [FROST::SecretShare] Signing share.
+    def compute_signing_share(polynomial, received_shares)
+      raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
+      identifier = received_shares.first.identifier
+      s_id = received_shares.sum {|share| share.share}
+      field = ECDSA::PrimeField.new(polynomial.group.order)
+      FROST::SecretShare.new(
+        identifier, field.mod(s_id + polynomial.gen_share(identifier).share), polynomial.group)
+    end
+
+    # Compute Group public key.
+    # @param [FROST::Polynomial] polynomial Own polynomial contains own secret.
+    # @param [Array] received_packages Array of FROST::DKG::Package received by other participants.
+    # @return [ECDSA::Point] Group public key.
+    def compute_group_pubkey(polynomial, received_packages)
+      raise ArgumentError, "polynomial must be FROST::Polynomial." unless polynomial.is_a?(FROST::Polynomial)
+      received_packages.inject(polynomial.verification_point) {|sum, package| sum + package.commitments.first }
+    end
+  end
+end

data/lib/frost/hash.rb

@@ -0,0 +1,84 @@
+module FROST
+  # Cryptographic hash function using FROST.
+  # https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-15.html#name-cryptographic-hash-function
+  module Hash
+
+    module_function
+
+    CTX_STRING_SECP256K1 = "FROST-secp256k1-SHA256-v1"
+    CTX_STRING_P256 = "FROST-P256-SHA256-v1"
+
+    # H1 hash function.
+    # @param [String] msg The message to be hashed.
+    # param [ECDSA::Group] group The elliptic curve group.
+    # @return [Integer]
+    def h1(msg, group)
+      hash_to_field(msg, group, "rho")
+    end
+
+    # H3 hash function.
+    # @param [String] msg The message to be hashed.
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @return [Integer]
+    def h2(msg, group)
+      hash_to_field(msg, group, "chal")
+    end
+
+    # H3 hash function.
+    # @param [String] msg The message to be hashed.
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @return [Integer]
+    def h3(msg, group)
+      hash_to_field(msg, group, "nonce")
+    end
+
+    # H4 hash function.
+    # @param [String] msg The message to be hashed.
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @return [String] The hash value.
+    def h4(msg, group)
+      hash(msg, group, "msg")
+    end
+
+    # H5 hash function.
+    # @param [String] msg The message to be hashed.
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @return [String] The hash value.
+    def h5(msg, group)
+      hash(msg, group, "com")
+    end
+
+    # Hash function for a FROST ciphersuite, used for the DKG.
+    # @param [String] msg The message to be hashed.
+    # @param [ECDSA::Group] group The elliptic curve group.
+    # @return [Integer] The hash value.
+    def hdkg(msg, group)
+      hash_to_field(msg, group, "dkg")
+    end
+
+    def hash_to_field(msg, group, context)
+      h2c = case group
+            when ECDSA::Group::Secp256k1
+              H2C.get(H2C::Suite::SECP256K1_XMDSHA256_SSWU_NU_, CTX_STRING_SECP256K1 + context)
+            when ECDSA::Group::Secp256r1
+              H2C.get(H2C::Suite::P256_XMDSHA256_SSWU_NU_, CTX_STRING_P256 + context)
+            else
+              # TODO support other suite.
+              raise RuntimeError, "group #{group} dose not supported."
+            end
+      h2c.hash_to_field(msg, 1, group.order).first
+    end
+
+    def hash(msg, group, context)
+      case group
+      when ECDSA::Group::Secp256k1
+        Digest::SHA256.digest(CTX_STRING_SECP256K1 + context + msg)
+      when ECDSA::Group::Secp256r1
+        Digest::SHA256.digest(CTX_STRING_P256 + context + msg)
+      else
+        # TODO support other suite.
+        raise RuntimeError, "group #{group} dose not supported."
+      end
+    end
+  end
+end

data/lib/frost/nonce.rb

@@ -0,0 +1,54 @@
+module FROST
+  class Nonce
+
+    attr_reader :value # nonce value
+    attr_reader :group # Group of elliptic curve
+
+    # Generate nonce.
+    # @return [FROST::Nonce]
+    def initialize(nonce, group)
+      raise ArgumentError, "group must by ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "nonce must by Integer." unless nonce.is_a?(Integer)
+      @value = nonce
+      @group = group
+    end
+
+    # Generate nonce from secret share.
+    # @param [FROST::SigningKey] secret
+    def self.gen_from_secret(secret)
+      gen_from_random_bytes(secret)
+    end
+
+    # Generates a nonce from the given random bytes.
+    # This method allows only testing.
+    # https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-15.html#section-4.1
+    # @param [FROST::SigningKey] secret
+    # @param [String] random_bytes Random bytes.
+    # @return [FROST::Nonce]
+    def self.gen_from_random_bytes(secret, random_bytes = SecureRandom.bytes(32))
+      secret = secret.to_key if secret.is_a?(SecretShare)
+      raise ArgumentError, "secret must be FROST::SigningKey" unless secret.is_a?(FROST::SigningKey)
+      raise ArgumentError, "random_bytes must be 32 bytes." unless random_bytes.bytesize == 32
+
+      secret_bytes = ECDSA::Format::IntegerOctetString.encode(secret.scalar, 32)
+      msg = random_bytes + secret_bytes
+      nonce = FROST::Hash.h3(msg, secret.group)
+      Nonce.new(nonce, secret.group)
+    end
+
+    private_class_method :gen_from_random_bytes
+
+    # Convert nonce as hex string.
+    # @return [String]
+    def to_hex
+      ECDSA::Format::IntegerOctetString.encode(value, 32).unpack1('H*')
+    end
+
+    # Compute public key.
+    # @return [ECDSA::Point]
+    def to_point
+      group.generator * value
+    end
+
+  end
+end

data/lib/frost/polynomial.rb

@@ -0,0 +1,100 @@
+module FROST
+
+  # Polynomial class.
+  class Polynomial
+    attr_reader :coefficients
+    attr_reader :group
+
+    # Generate polynomial.
+    # @param [Array] coefficients Coefficients of polynomial.
+    # The first is the constant term, followed by the coefficients in descending order of order.
+    # @param [ECDSA::Group] group
+    def initialize(coefficients, group)
+      raise ArgumentError, "coefficients must be an Array." unless coefficients.is_a?(Array)
+      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "Two or more coefficients are required." if coefficients.length < 2
+
+      @coefficients = coefficients
+      @group = group
+    end
+
+    # Generate random polynomial using secret as constant term.
+    # @param [Integer|FROST::SigningKey] secret Secret value as constant term.
+    # @param [Integer] degree Degree of polynomial.
+    # @return [FROST::Polynomial] Polynomial
+    def self.from_secret(secret, degree, group)
+      secret = secret.scalar if secret.is_a?(FROST::SigningKey)
+      raise ArgumentError, "secret must be Integer." unless secret.is_a?(Integer)
+      raise ArgumentError, "degree must be Integer." unless degree.is_a?(Integer)
+      raise ArgumentError, "degree must be greater than or equal to 1." if degree < 1
+      coeffs = degree.times.map {SecureRandom.random_number(group.order - 1)}
+      Polynomial.new(coeffs.prepend(secret), group)
+    end
+
+    # Generate secret share.
+    # @param [Integer] identifier Identifier for evaluating polynomials.
+    # @return [FROST::SecretShare] Generate share.
+    def gen_share(identifier)
+      raise ArgumentError, "identifiers must be Integer." unless identifier.is_a?(Integer)
+
+      return SecretShare.new(identifier, 0, group) if coefficients.empty?
+      return SecretShare.new(identifier, coefficients.last, group) if identifier == 0
+
+      # Calculate using Horner's method.
+      last = coefficients.last
+      (coefficients.length - 2).step(0, -1) do |i|
+        tmp = last * identifier
+        last = (tmp + coefficients[i]) % group.order
+      end
+      SecretShare.new(identifier, last, group)
+    end
+
+    # Generate coefficient commitments
+    # @return [Array] A list of coefficient commitment (ECDSA::Point).
+    def gen_commitments
+      coefficients.map{|c| group.generator * c }
+    end
+
+    # Generate proof of knowledge for secret.
+    # @param [Integer] identifier Identifier of the owner of this polynomial.
+    # @return [FROST::Signature]
+    def gen_proof_of_knowledge(identifier)
+      FROST::DKG.gen_proof_of_knowledge(identifier, self)
+    end
+
+    # Get secret value in this polynomial.
+    # @return [Integer] secret
+    def secret
+      coefficients.first
+    end
+
+    # Get point to correspond to secret in this polynomial.
+    # @return [ECDSA::Point] secret point
+    def verification_point
+      group.generator * secret
+    end
+
+    # Generates the lagrange coefficient for the i'th participant.
+    # @param [Array] x_coordinates The list of x-coordinates.
+    # @param [Integer] xi an x-coordinate contained in x_coordinates.
+    # @param [ECDSA::Group] group Elliptic curve group.
+    # @return [Integer] The lagrange coefficient.
+    def self.derive_interpolating_value(x_coordinates, xi, group)
+      raise ArgumentError, "xi is not included in x_coordinates." unless x_coordinates.include?(xi)
+      raise ArgumentError, "Duplicate values in x_coordinates." if (x_coordinates.length - x_coordinates.uniq.length) > 0
+      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+
+      field = ECDSA::PrimeField.new(group.order)
+      numerator = 1
+      denominator = 1
+      x_coordinates.each do |xj|
+        next if xi == xj
+        numerator *= xj
+        denominator *= (xj - xi)
+      end
+
+      field.mod(numerator * field.inverse(denominator))
+    end
+  end
+
+end

data/lib/frost/secret_share.rb

@@ -0,0 +1,33 @@
+module FROST
+  # A secret share generated by performing a (t-out-of-n) secret sharing scheme.
+  class SecretShare
+    attr_reader :identifier
+    attr_reader :share
+    attr_reader :group
+
+    # Generate secret share.
+    # @param [Integer] identifier Identifier of this share.
+    # @param [Integer] share A share.
+    def initialize(identifier, share, group)
+      raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
+      raise ArgumentError, "share must be Integer." unless share.is_a?(Integer)
+      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+
+      @identifier = identifier
+      @share = share
+      @group = group
+    end
+
+    # Compute public key.
+    # @return [ECDSA::Point]
+    def to_point
+      group.generator * share
+    end
+
+    # Generate signing share key.
+    # @return [FROST::SigningKey]
+    def to_key
+      FROST::SigningKey.new(share, group)
+    end
+  end
+end

data/lib/frost/signature.rb

@@ -0,0 +1,42 @@
+module FROST
+  # A Schnorr signature over some prime order group (or subgroup).
+  class Signature
+    attr_reader :r
+    attr_reader :s
+
+    # Constructor
+    # @param [ECDSA::Point] r Public nonce of signature.
+    # @param [Integer] s Scalar value of signature.
+    def initialize(r, s)
+      raise ArgumentError, "r must be ECDSA::Point" unless r.is_a?(ECDSA::Point)
+      raise ArgumentError, "s must be Integer" unless s.is_a?(Integer)
+
+      @r = r
+      @s = s
+    end
+
+    # Encode signature to hex string.
+    # @return [String]
+    def to_hex
+      encode.unpack1("H*")
+    end
+
+    # Encode signature to byte string.
+    # @return [String]
+    def encode
+      ECDSA::Format::PointOctetString.encode(r, compression: true) +
+        ECDSA::Format::IntegerOctetString.encode(s, 32)
+    end
+
+    # Decode hex value to FROST::Signature.
+    # @param [String] hex_value Hex value of signature.
+    # @param [ECDSA::Group] group Group of elliptic curve.
+    # @return [FROST::Signature]
+    def self.decode(hex_value, group)
+      data = [hex_value].pack("H*")
+      r = ECDSA::Format::PointOctetString.decode(data[0...33], group)
+      s = ECDSA::Format::IntegerOctetString.decode(data[33..-1])
+      Signature.new(r,s )
+    end
+  end
+end

data/lib/frost/signing_key.rb

@@ -0,0 +1,39 @@
+module FROST
+  # A signing key for a Schnorr signature on a FROST.
+  class SigningKey
+    attr_reader :scalar
+    attr_reader :group
+
+    # Constructor
+    # @param [Integer] scalar secret key value.
+    # @param [ECDSA::Group] group Group of elliptic curve.
+    def initialize(scalar, group = ECDSA::Group::Secp256k1)
+      raise ArgumentError, "scalar must be integer." unless scalar.is_a?(Integer)
+      raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "Invalid scalar range." if scalar < 1 || group.order - 1 < scalar
+
+      @scalar = scalar
+      @group = group
+    end
+
+    # Generate signing key.
+    # @param [ECDSA::Group] group Group of elliptic curve.
+    def self.generate(group)
+      scalar = 1 + SecureRandom.random_number(group.order - 1)
+      SigningKey.new(scalar, group)
+    end
+
+    # Generate random polynomial using this secret.
+    # @param [Integer] degree Degree of polynomial.
+    # @return [FROST::Polynomial] A polynomial
+    def gen_poly(degree)
+      Polynomial.from_secret(scalar, degree, group)
+    end
+
+    # Compute public key.
+    # @return [ECDSA::Point]
+    def to_point
+      group.generator * scalar
+    end
+  end
+end

data/lib/frost/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module FROST
+  VERSION = "0.1.1"
+end

data/lib/frost.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require_relative "frost/version"
+require 'ecdsa_ext'
+require 'securerandom'
+require 'digest'
+require 'h2c'
+
+module FROST
+  class Error < StandardError; end
+
+  autoload :Signature, "frost/signature"
+  autoload :Commitments, "frost/commitments"
+  autoload :Hash, "frost/hash"
+  autoload :Nonce, "frost/nonce"
+  autoload :SecretShare, "frost/secret_share"
+  autoload :Polynomial, "frost/polynomial"
+  autoload :SigningKey, "frost/signing_key"
+  autoload :DKG, "frost/dkg"
+
+  module_function
+
+  # Encode identifier
+  # @param [Integer] identifier
+  # @param [ECDSA::Group] group
+  # @return [String] The encoded identifier
+  def encode_identifier(identifier, group)
+    case group
+    when ECDSA::Group::Secp256k1, ECDSA::Group::Secp256r1
+      ECDSA::Format::IntegerOctetString.encode(identifier, 32)
+    else
+      raise RuntimeError, "group #{group} dose not supported."
+    end
+  end
+
+  # Compute binding factors.
+  # https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-15.html#name-binding-factors-computation
+  # @param [ECDSA::Point] group_pubkey
+  # @param [Array] commitment_list The list of commitments issued by each participants.
+  # This list must be sorted in ascending order by identifier.
+  # @param [String] msg The message to be signed.
+  # @return [Hash] The hash of binding factor.
+  def compute_binding_factors(group_pubkey, commitment_list, msg)
+    raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+
+    msg_hash = Hash.h4(msg, group_pubkey.group)
+    encoded_commitment = Commitments.encode_group_commitment(commitment_list)
+    encoded_commitment_hash = Hash.h5(encoded_commitment, group_pubkey.group)
+    rho_input_prefix = [group_pubkey.to_hex].pack("H*") + msg_hash + encoded_commitment_hash
+    binding_factors = {}
+    commitment_list.each do |commitments|
+      preimage = rho_input_prefix + encode_identifier(commitments.identifier, group_pubkey.group)
+      binding_factors[commitments.identifier] = Hash.h1(preimage, group_pubkey.group)
+    end
+    binding_factors
+  end
+
+  # Compute the group commitment
+  # @param [Array] commitment_list The list of commitments.
+  # @param [Hash] binding_factors The map of binding factors.
+  # @return [ECDSA::Point]
+  def compute_group_commitment(commitment_list, binding_factors)
+    commitment_list.inject(commitment_list.first.hiding.group.infinity) do |sum, commitments|
+      binding_factor = binding_factors[commitments.identifier]
+      binding_nonce = commitments.binding * binding_factor
+      binding_nonce + commitments.hiding + sum
+    end
+  end
+
+  # Create the per-message challenge.
+  # @param [ECDSA::Point] group_commitment The group commitment.
+  # @param [ECDSA::Point] group_pubkey The public key corresponding to the group signing key.
+  # @param [String] msg The message to be signed.
+  def compute_challenge(group_commitment, group_pubkey, msg)
+    raise ArgumentError, "group_commitment must be ECDSA::Point." unless group_commitment.is_a?(ECDSA::Point)
+    raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+
+    input = [group_commitment.to_hex + group_pubkey.to_hex].pack("H*") + msg
+    Hash.h2(input, group_commitment.group)
+  end
+
+  # Generate signature share.
+  # @param [FROST::SecretShare] secret_share Signer secret key share.
+  # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
+  # @param [Array] nonces Pair of nonce values (hiding_nonce, binding_nonce) for signer_i.
+  # @param [String] msg The message to be signed
+  # @param [Array] commitment_list A list of commitments issued by each participant.
+  # @return [Integer] A signature share.
+  def sign(secret_share, group_pubkey, nonces, msg, commitment_list)
+    identifier = secret_share.identifier
+    # Compute binding factors
+    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    binding_factor = binding_factors[identifier]
+
+    # Compute group commitment
+    group_commitment = compute_group_commitment(commitment_list, binding_factors)
+
+    # Compute Lagrange coefficient
+    identifiers = commitment_list.map(&:identifier)
+    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, group_pubkey.group)
+
+    # Compute the per-message challenge
+    challenge = compute_challenge(group_commitment, group_pubkey, msg)
+
+    # Compute the signature share
+    hiding_nonce, binding_nonce = nonces
+    field = ECDSA::PrimeField.new(group_pubkey.group.order)
+    field.mod(hiding_nonce.value +
+                field.mod(binding_nonce.value * binding_factor) + field.mod(lambda_i * secret_share.share * challenge))
+  end
+
+  # Aggregates the signature shares to produce a final signature that can be verified with the group public key.
+  # @param [Array] commitment_list A list of commitments issued by each participant.
+  # @param [String] msg The message to be signed.
+  # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
+  # @param [Array] sig_shares A set of signature shares z_i, integer values.
+  # @return [FROST::Signature] Schnorr signature.
+  def aggregate(commitment_list, msg, group_pubkey, sig_shares)
+    raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+    raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+    raise ArgumentError, "The numbers of commitment_list and sig_shares do not match." unless commitment_list.length == sig_shares.length
+
+    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    group_commitment = compute_group_commitment(commitment_list, binding_factors)
+
+    field = ECDSA::PrimeField.new(group_pubkey.group.order)
+    s = sig_shares.inject(0) do |sum, z_i|
+      raise ArgumentError, "sig_shares must be array of integer" unless z_i.is_a?(Integer)
+      field.mod(sum + z_i)
+    end
+
+    Signature.new(group_commitment, field.mod(s))
+  end
+
+  # Verify signature share.
+  # @param [Integer] identifier Identifier i of the participant.
+  # @param [ECDSA::Point] pubkey_i The public key for the i-th participant
+  # @param [Integer] sig_share_i Integer value indicating the signature share as produced
+  # in round two from the i-th participant.
+  # @param [Array] commitment_list A list of commitments issued by each participant.
+  # @param [ECDSA::Point] group_pubkey Public key corresponding to the group signing key.
+  # @param [String] msg The message to be signed.
+  # @return [Boolean] Verification result.
+  def verify_share(identifier, pubkey_i, sig_share_i, commitment_list, group_pubkey, msg)
+    raise ArgumentError, "identifier must be Integer." unless identifier.is_a?(Integer)
+    raise ArgumentError, "sig_share_i must be Integer." unless sig_share_i.is_a?(Integer)
+    raise ArgumentError, "pubkey_i must be ECDSA::Point." unless pubkey_i.is_a?(ECDSA::Point)
+    raise ArgumentError, "group_pubkey must be ECDSA::Point." unless group_pubkey.is_a?(ECDSA::Point)
+
+    binding_factors = compute_binding_factors(group_pubkey, commitment_list, msg)
+    binding_factor = binding_factors[identifier]
+    group_commitment = compute_group_commitment(commitment_list, binding_factors)
+    comm_i = commitment_list.find{|c| c.identifier == identifier}
+    hiding_commitment = comm_i.hiding
+    binding_commitment = comm_i.binding
+    raise ArgumentError, "hiding_commitment must be ECDSA::Point." unless hiding_commitment.is_a?(ECDSA::Point)
+    raise ArgumentError, "binding_commitment must be ECDSA::Point." unless binding_commitment.is_a?(ECDSA::Point)
+
+    comm_share = hiding_commitment + binding_commitment * binding_factor
+    challenge = compute_challenge(group_commitment, group_pubkey, msg)
+    identifiers = commitment_list.map(&:identifier)
+    lambda_i = Polynomial.derive_interpolating_value(identifiers, identifier, group_pubkey.group)
+    l = group_pubkey.group.generator * sig_share_i
+    r = comm_share + pubkey_i * (challenge * lambda_i)
+    l == r
+  end
+
+  # Verify signature.
+  # @param [FROST::Signature] signature
+  # @param [ECDSA::Point] public_key
+  # @param [String] msg
+  # @return [Boolean] Verification result.
+  def verify(signature, public_key, msg)
+    raise ArgumentError, "signature must be FROST::Signature" unless signature.is_a?(FROST::Signature)
+    raise ArgumentError, "public_key must be ECDSA::Point" unless public_key.is_a?(ECDSA::Point)
+    raise ArgumentError, "msg must be String." unless msg.is_a?(String)
+
+    # Compute challenge
+    challenge = compute_challenge(signature.r, public_key, msg)
+
+    s_g = public_key.group.generator * signature.s
+    c_p = public_key * challenge
+    result = (s_g + signature.r.negate + c_p.negate) * public_key.group.cofactor
+    result.infinity?
+  end
+end

data/sig/frost.rbs

@@ -0,0 +1,4 @@
+module FROST
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: frostrb
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- azuchi
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2024-02-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ecdsa_ext
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.1
+- !ruby/object:Gem::Dependency
+  name: h2c
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+description: Ruby implementations of Two-Round Threshold Schnorr Signatures with FROST.
+email:
+- azuchi@chaintope.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- frost.gemspec
+- lib/frost.rb
+- lib/frost/commitments.rb
+- lib/frost/dkg.rb
+- lib/frost/dkg/package.rb
+- lib/frost/hash.rb
+- lib/frost/nonce.rb
+- lib/frost/polynomial.rb
+- lib/frost/secret_share.rb
+- lib/frost/signature.rb
+- lib/frost/signing_key.rb
+- lib/frost/version.rb
+- sig/frost.rbs
+homepage: https://github.com/azuchi/frostrb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/azuchi/frostrb
+  source_code_uri: https://github.com/azuchi/frostrb
+  changelog_uri: https://github.com/azuchi/frostrb
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key: 
+specification_version: 4
+summary: Ruby implementations of Two-Round Threshold Schnorr Signatures with FROST.
+test_files: []