frostrb 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09af4e893de9e1260635431b1feef84a9eb6273534f0f9e7e2e4bcde82d8788e'
-  data.tar.gz: 66f39e7bff887c34c65844ac42b94d8e77cdd7fb86caedb575d8ae0a7c0b12a1
+  metadata.gz: 0660ec6fbd998b152bdb359276284fd64e00d89ed19e783dbd72e04cac3fad67
+  data.tar.gz: c01bd20b7f10d10e0362d6ee4c3722c8849f748ed8899c06efd2cfcaee2dcefa
 SHA512:
-  metadata.gz: ba8c33e24ace6174176ec30bb5afaf0222e6c5046df34960ca28c8772286c236611bdb119c3184448fc308f491d1408e57a7fa1c715e3a7e0036e557a6788c46
-  data.tar.gz: b738d2fe05fa151032e9ff877758f580d6d96153ce179b384a95d6e353ce3e5003638622afbdfd2a4c219825d45f77e78f3e5238484b4cb34de5f8e8de8b768a
+  metadata.gz: 5cadf1d9b254ac672aad430dae0c27ec7f45878886bbf600cd250a8c4a405f5d89201de96b5bd145ff3fc59ae2384d227a5fe7e73c3abcf002b36a6fbd2d5098
+  data.tar.gz: 71c14b38913bf8471436979fb8d69a99ad7ad763a79d28f1f738435999ad5b485ba7e09d5e43083bbd2edec5ade02c189076e53678c44a4512a71c86e0883a42

data/README.md

@@ -85,7 +85,7 @@ round1_outputs = {}
 # Round 1:
 # For each participant, perform the first part of the DKG protocol.
 1.upto(max_signer) do |i|
-  polynomial, package = FROST::DKG.part1(i, min_signer, max_signer, group)
+  polynomial, package = FROST::DKG.generate_secret(i, min_signer, max_signer, group)
   secrets[i] = polynomial
   round1_outputs[i] = package
 end
@@ -93,7 +93,7 @@ end
 # Each participant sends their commitments and proof to other participants.
 received_package = {}
 1.upto(max_signer) do |i|
-  received_package[i] = round1_outputs.select {|k, _| k != i}.values
+  received_package[i] = round1_outputs.select { |k, _| k != i }.values
 end
 
 # Each participant verify knowledge of proof in received package.
@@ -118,7 +118,7 @@ end
 # Each participant verify received shares.
 1.upto(max_signer) do |i|
   received_shares[i].each do |send_by, share|
-    target_package = received_package[i].find{ |package| package.identifier == send_by }
+    target_package = received_package[i].find { |package| package.identifier == send_by }
     expect(target_package.verify_share(share)).to be true
   end
 end
@@ -126,7 +126,7 @@ end
 # Each participant compute signing share.
 signing_shares = {}
 1.upto(max_signer) do |i|
-  shares = received_shares[i].map{|_, share| share}
+  shares = received_shares[i].map { |_, share| share }
   signing_shares[i] = FROST::DKG.compute_signing_share(secrets[i], shares)
 end
 
@@ -134,4 +134,43 @@ end
 group_pubkey = FROST::DKG.compute_group_pubkey(secrets[1], received_package[1])
 
 # The subsequent signing phase is the same as above with signing_shares as the secret.
-```
+```
+
+### Share repair
+
+Using `FROST::Repairable` module, you can repair existing (or new) participant's share with the cooperation of T participants.
+
+```ruby
+# Dealer generate shares.
+FROST::SigningKey.generate(ECDSA::Group::Secp256k1)
+polynomial = dealer.gen_poly(min_signers - 1)
+shares = 1.upto(max_signers).map {|identifier| polynomial.gen_share(identifier) }
+
+# Signer 2 will lose their share
+# Signers (helpers) 1, 4 and 5 will help signer 2 (participant) to recover their share
+helper1 = shares[0]
+helper4 = shares[3]
+helper5 = shares[4]
+helper_shares = [helper1, helper4, helper5]
+helpers = helper_shares.map(&:identifier)
+participant_share = shares[1]
+
+# Each helper computes delta values.
+received_values = {}
+helper_shares.each do |helper_share|
+  delta_values = FROST::Repairable.step1(helpers, participant_share.identifier, helper_share)
+  delta_values.each do |target_id, value|
+    received_values[target_id] ||= []
+    received_values[target_id] << value
+  end
+end
+
+# Each helper send sum value to participant.
+participant_received_values = []
+received_values.each do |_, values|
+  participant_received_values << FROST::Repairable.step2(values, ECDSA::Group::Secp256k1)
+end
+
+# Participant can obtain his share.
+repair_share = FROST::Repairable.step3(2, participant_received_values, ECDSA::Group::Secp256k1)
+```

data/lib/frost/dkg.rb

@@ -11,7 +11,7 @@ module FROST
     # @param [Integer] identifier
     # @param [ECDSA::Group] group Group of elliptic curve.
     # @return [Array] The triple of polynomial and public package(FROST::DKG::Package)
-    def part1(identifier, min_signers, max_signers, group)
+    def generate_secret(identifier, min_signers, max_signers, group)
       raise ArgumentError, "identifier must be Integer" unless identifier.is_a?(Integer)
       raise ArgumentError, "identifier must be greater than 0." if identifier < 1
       raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)

data/lib/frost/polynomial.rb

@@ -75,22 +75,34 @@ module FROST
     end
 
     # Generates the lagrange coefficient for the i'th participant.
+    # The Lagrange polynomial for a set of points (xj, yj) for 0 <= j <= k is
+    # ∑_{i=0}^k yi.ℓi(x), where ℓi(x) is the Lagrange basis polynomial:
+    # ℓi(x) = ∏_{0≤j≤k; j≠i} (x - xj) / (xi - xj).
+    # This computes ℓj(x) for the set of points `xs` and for the j corresponding to the given xj.
     # @param [Array] x_coordinates The list of x-coordinates.
     # @param [Integer] xi an x-coordinate contained in x_coordinates.
     # @param [ECDSA::Group] group Elliptic curve group.
+    # @param [Integer] x (Optional) if x is nil, it uses 0 for it (since Identifiers can't be 0).
     # @return [Integer] The lagrange coefficient.
-    def self.derive_interpolating_value(x_coordinates, xi, group)
+    def self.derive_interpolating_value(x_coordinates, xi, group, x: nil)
       raise ArgumentError, "xi is not included in x_coordinates." unless x_coordinates.include?(xi)
       raise ArgumentError, "Duplicate values in x_coordinates." if (x_coordinates.length - x_coordinates.uniq.length) > 0
       raise ArgumentError, "group must be ECDSA::Group." unless group.is_a?(ECDSA::Group)
+      raise ArgumentError, "x must be Integer." if x && !x.is_a?(Integer)
 
       field = ECDSA::PrimeField.new(group.order)
       numerator = 1
       denominator = 1
+
       x_coordinates.each do |xj|
         next if xi == xj
-        numerator *= xj
-        denominator *= (xj - xi)
+        if x
+          numerator *= (x - xj)
+          denominator *= (xi - xj)
+        else
+          numerator *= xj
+          denominator *= (xj - xi)
+        end
       end
 
       field.mod(numerator * field.inverse(denominator))

data/lib/frost/repairable.rb

@@ -0,0 +1,56 @@
+module FROST
+  # Implements the Repairable Threshold Scheme (RTS) from <https://eprint.iacr.org/2017/1155>
+  module Repairable
+    module_function
+
+    # Step 1 for RTS.
+    # Each helper computes delta_i,j for other helpers.
+    # @param [Array] helpers Array of helper's identifier.
+    # @param [Integer] participant Identifier of the participant whose shares you want to restore.
+    # @param [FROST::SecretShare] share Share of participant running this process.
+    # @return [Hash] Hash with helper ID as key and value as delta value.
+    def step1(helpers, participant, share)
+      raise ArgumentError, "helpers must be greater than 1." if helpers.length < 2
+      raise ArgumentError, "participant must be greater than 1." if participant < 1
+      raise ArgumentError, "helpers has duplicate identifier." unless helpers.uniq.length == helpers.length
+      raise ArgumentError, "helpers contains same identifier with participant." if helpers.include?(participant)
+
+      field = ECDSA::PrimeField.new(share.group.order)
+      random_values = (helpers.length - 1).times.map { SecureRandom.random_number(share.group.order - 1) }
+
+      # compute last random value
+      ## Calculate Lagrange Coefficient for helper_i
+      zeta_i = Polynomial.derive_interpolating_value(helpers, share.identifier, share.group, x: participant)
+      lhs = field.mod(zeta_i * share.share)
+      # last random value
+      last = field.mod(lhs - random_values.sum)
+      random_values << last
+
+      helpers.zip(random_values).to_h
+    end
+
+    # Step 2 for RTS.
+    # Each helper sum received delta values from other helpers.
+    # @param [Array] step1_values Array of delta values.
+    # @param [ECDSA::Group] group
+    # @return [Integer] Sum of delta values.
+    def step2(step1_values, group)
+      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+
+      field = ECDSA::PrimeField.new(group.order)
+      field.mod(step1_values.sum)
+    end
+
+    # Participant compute own share with received sum of delta value.
+    # @param [Integer] identifier Identifier of the participant whose shares you want to restore.
+    # @param [Array] step2_results Array of Step 2 results received from other helpers.
+    # @param [ECDSA::Group] group
+    # @return
+    def step3(identifier, step2_results, group)
+      raise ArgumentError, "group must be ECDSA::Group" unless group.is_a?(ECDSA::Group)
+
+      field = ECDSA::PrimeField.new(group.order)
+      FROST::SecretShare.new(identifier, field.mod(step2_results.sum), group)
+    end
+  end
+end

data/lib/frost/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FROST
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/frost.rb

@@ -17,6 +17,7 @@ module FROST
   autoload :Polynomial, "frost/polynomial"
   autoload :SigningKey, "frost/signing_key"
   autoload :DKG, "frost/dkg"
+  autoload :Repairable, "frost/repairable"
 
   module_function
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: frostrb
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - azuchi
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-02-16 00:00:00.000000000 Z
+date: 2024-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ecdsa_ext
@@ -64,6 +64,7 @@ files:
 - lib/frost/hash.rb
 - lib/frost/nonce.rb
 - lib/frost/polynomial.rb
+- lib/frost/repairable.rb
 - lib/frost/secret_share.rb
 - lib/frost/signature.rb
 - lib/frost/signing_key.rb