eddsa-threshold 0.2.0__py3-none-any.whl

eddsa_threshold/frost/coordinator.py

@@ -0,0 +1,185 @@
+from typing import Final
+
+from eddsa_threshold.eddsa.curves.base.edwards_curve import EdwardsCurve
+from eddsa_threshold.frost.core.base.frost_hashing import FrostHashing
+from eddsa_threshold.frost.core.frost_types import GroupInfo, NonceCommitment, ParticipantId, SecretValue, SessionId, SigningPackage, SigningSession, VSSCommitment
+from eddsa_threshold.frost.core.util import check_participant_bounds, compute_binding_factors, compute_group_commitment, derive_group_info
+
+
+class FrostCoordinator:
+    """
+    Coordinator-side implementation for a 2-round FROST signing flow.
+
+    Cryptographic operations are delegated through callback hooks so this class can stay curve/algorithm agnostic.
+    """
+
+    def __init__(self, threshold: int, participant_ids: list[ParticipantId], hashing: FrostHashing, curve: EdwardsCurve):
+        if threshold <= 0:
+            raise ValueError("threshold must be positive")
+
+        check_participant_bounds(threshold, participant_ids, curve.scalar_ops)
+
+        self.THRESHOLD: Final[int] = threshold
+        self.PARTICIPANT_IDS: Final[list[ParticipantId]] = participant_ids
+        self.MAX_PARTICIPANTS: Final[int] = len(participant_ids)
+        
+        self._dealer_info_set: bool = False
+
+        self._HASHING: Final[FrostHashing] = hashing
+        self._CURVE: Final[EdwardsCurve] = curve
+
+        self._signing_sessions: dict[SessionId, SigningSession] = {}
+        
+    def set_dealer_info(self, vss_commitment: list[VSSCommitment]) -> None:
+        """
+        Set the group info after receiving it from the trusted dealer.
+        """
+        
+        if self._dealer_info_set:
+            raise ValueError(f"coordinator has already set their dealer info")
+        
+        self._GROUP_INFO = derive_group_info(self.THRESHOLD, self.MAX_PARTICIPANTS, vss_commitment, self._CURVE)
+        self._dealer_info_set = True
+
+    def create_signing_session(self, message: bytes) -> SessionId:
+        """
+        Initializes a signing session for the given message.
+        """
+        
+        if not self._dealer_info_set:
+            raise ValueError("dealer info has not been set yet")
+
+        # for now, session id is a hash of the message + randomness (allow for multiple signing sessions for the same message)
+        session_id = self._HASHING.h2(message) + self._CURVE.scalar_ops.random_scalar()
+
+        signing_session = SigningSession(session_id, message)
+        self._signing_sessions[session_id] = signing_session
+        
+        return session_id
+
+    def register_participant_to_session(self, session_id: SessionId, participant_id: ParticipantId) -> None:
+        """
+        Registers a participant to a signing session.
+        """
+
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+
+        signing_session = self._signing_sessions[session_id]
+
+        if signing_session.signing_in_progress:
+            raise ValueError("cannot register participant to session after signing has started")
+
+        if participant_id not in self.PARTICIPANT_IDS:
+            raise ValueError("participant id not recognized")
+
+        if participant_id in signing_session.participant_ids:
+            raise ValueError("participant already registered to session")
+
+        signing_session.participant_ids.append(participant_id)
+
+    def start_signing_session(self, session_id: SessionId) -> None:
+        """
+        Marks the signing session as started, preventing further participant registrations.
+        """
+
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+
+        signing_session = self._signing_sessions[session_id]
+
+        if len(signing_session.participant_ids) < self.THRESHOLD:
+            raise ValueError("not enough participants registered to start signing session")
+
+        signing_session.signing_in_progress = True
+        
+    def receive_commitment(self, session_id: SessionId, participant_id: ParticipantId, commitment: NonceCommitment) -> None:
+        """
+        Receives a nonce commitment from a participant and stores it in the signing session.
+        """
+
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+
+        signing_session = self._signing_sessions[session_id]
+
+        if not signing_session.signing_in_progress:
+            raise ValueError("signing session has not started yet")
+
+        if participant_id not in signing_session.participant_ids:
+            raise ValueError("participant id not registered to this signing session")
+
+        if participant_id in signing_session.commitments:
+            raise ValueError("commitment already received from this participant")
+
+        signing_session.commitments[participant_id] = commitment
+        
+        if len(signing_session.commitments) == len(signing_session.participant_ids):
+            signing_session.round_one_completed = True
+            
+    def create_signing_package(self, session_id: SessionId) -> SigningPackage:
+        """
+        Creates the signing package to be sent to the participants after round one is complete.
+        """
+
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+
+        signing_session = self._signing_sessions[session_id]
+
+        if not signing_session.round_one_completed:
+            raise ValueError("round one not completed yet")
+
+        return SigningPackage(session_id, signing_session.message, signing_session.participant_ids, signing_session.commitments)
+    
+    def receive_signature_share(self, session_id: SessionId, participant_id: ParticipantId, signature_share: SecretValue) -> None:
+        """
+        Receives a signature share from a participant and stores it in the signing session.
+        """
+
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+
+        signing_session = self._signing_sessions[session_id]
+
+        if not signing_session.round_one_completed:
+            raise ValueError("round one not completed yet")
+
+        if participant_id not in signing_session.participant_ids:
+            raise ValueError("participant id not registered to this signing session")
+
+        if participant_id in signing_session.signature_shares:
+            raise ValueError("signature share already received from this participant")
+
+        signing_session.signature_shares[participant_id] = signature_share
+        
+        if len(signing_session.signature_shares) == len(signing_session.participant_ids):
+            signing_session.round_two_completed = True
+
+    def aggregate(self, session_id: SessionId) -> bytes:
+        """
+        Aggregates the signature shares into a final signature.
+        """
+        
+        if session_id not in self._signing_sessions:
+            raise ValueError("signing session not found")
+        
+        signing_session = self._signing_sessions[session_id]
+        
+        if not signing_session.round_two_completed:
+            raise ValueError("round two not completed yet")
+
+        commitments = list(signing_session.commitments.values())
+        signature_shares = list(signing_session.signature_shares.values())
+
+        binding_factors = compute_binding_factors(self._GROUP_INFO.group_public_key, commitments, signing_session.message, self._HASHING, self._CURVE.encoding)
+
+        group_commitment = compute_group_commitment(commitments, binding_factors, self._CURVE)
+
+        z = 0
+        for z_i in signature_shares:
+            z = z + z_i
+
+        z = self._CURVE.scalar_ops.reduce(z)
+
+        return self._CURVE.encoding.encode_point(group_commitment) + self._CURVE.encoding.encode_scalar(z)

eddsa_threshold/frost/core/__init__.py

@@ -0,0 +1 @@
+"""FROST core primitives."""

eddsa_threshold/frost/core/base/__init__.py

@@ -0,0 +1 @@
+"""Base FROST interfaces."""

eddsa_threshold/frost/core/base/frost_hashing.py

@@ -0,0 +1,27 @@
+from abc import ABC, abstractmethod
+
+
+class FrostHashing(ABC):
+    """
+    FrostHashing is the base class that ensures that all hashing functions used in the FROST protocol are present.
+    """
+
+    @abstractmethod
+    def h1(self, m: bytes) -> int:
+        raise NotImplementedError()
+
+    @abstractmethod
+    def h2(self, m: bytes) -> int:
+        raise NotImplementedError()
+
+    @abstractmethod
+    def h3(self, m: bytes) -> int:
+        raise NotImplementedError()
+
+    @abstractmethod
+    def h4(self, m: bytes) -> bytes:
+        raise NotImplementedError()
+
+    @abstractmethod
+    def h5(self, m: bytes) -> bytes:
+        raise NotImplementedError()

eddsa_threshold/frost/core/ed25519/__init__.py

@@ -0,0 +1 @@
+"""Ed25519-specific FROST helpers."""

eddsa_threshold/frost/core/ed25519/frost_hashing.py

@@ -0,0 +1,26 @@
+from eddsa_threshold.eddsa.curves.ed25519.constants import L
+from eddsa_threshold.eddsa.util.hash_bindings import sha512
+from eddsa_threshold.frost.core.base.frost_hashing import FrostHashing
+
+
+class Ed25519FrostHashing(FrostHashing):
+    """
+    Ed25519FrostHashing is the implementation of the FrostHashing interface for Ed25519.
+    """
+
+    _CONTEXT_STRING = b"FROST-ED25519-SHA512-v1"
+
+    def h1(self, m: bytes) -> int:
+        return int.from_bytes(sha512(self._CONTEXT_STRING + b"rho" + m), "little") % L
+
+    def h2(self, m: bytes) -> int:
+        return int.from_bytes(sha512(m), "little") % L
+
+    def h3(self, m: bytes) -> int:
+        return int.from_bytes(sha512(self._CONTEXT_STRING + b"nonce" + m), "little") % L
+
+    def h4(self, m: bytes) -> bytes:
+        return sha512(self._CONTEXT_STRING + b"msg" + m)
+
+    def h5(self, m: bytes) -> bytes:
+        return sha512(self._CONTEXT_STRING + b"com" + m)

eddsa_threshold/frost/core/ed448/__init__.py

@@ -0,0 +1 @@
+"""Ed448-specific FROST helpers."""

eddsa_threshold/frost/core/ed448/frost_hashing.py

@@ -0,0 +1,27 @@
+from eddsa_threshold.eddsa.curves.ed448.constants import L
+from eddsa_threshold.eddsa.util.hash_bindings import shake256
+from eddsa_threshold.frost.core.base.frost_hashing import FrostHashing
+
+
+class Ed448FrostHashing(FrostHashing):
+    """
+    Ed448FrostHashing is the implementation of the FrostHashing interface for Ed448.
+    """
+    
+    _CONTEXT_STRING = b"FROST-ED448-SHAKE256-v1"
+    _DIGEST_SIZE = 114
+
+    def h1(self, m: bytes) -> int:
+        return int.from_bytes(shake256(self._CONTEXT_STRING + b"rho" + m, self._DIGEST_SIZE), "little") % L
+
+    def h2(self, m: bytes) -> int:
+        return int.from_bytes(shake256(b"SigEd448" + b'\x00' + b'\x00' + m, self._DIGEST_SIZE), "little") % L
+
+    def h3(self, m: bytes) -> int:
+        return int.from_bytes(shake256(self._CONTEXT_STRING + b"nonce" + m, self._DIGEST_SIZE), "little") % L
+
+    def h4(self, m: bytes) -> bytes:
+        return shake256(self._CONTEXT_STRING + b"msg" + m, self._DIGEST_SIZE)
+
+    def h5(self, m: bytes) -> bytes:
+        return shake256(self._CONTEXT_STRING + b"com" + m, self._DIGEST_SIZE)

eddsa_threshold/frost/core/frost_types.py

@@ -0,0 +1,53 @@
+from dataclasses import dataclass, field
+
+from typing import Tuple
+
+ParticipantId = int
+SessionId = int
+SecretValue = int
+VSSCommitment = Tuple
+
+
+@dataclass(frozen=True)
+class SecretShare:
+    index: ParticipantId
+    value: SecretValue
+
+
+@dataclass(frozen=True)
+class GroupInfo:
+    group_public_key: bytes
+    public_keys: dict[ParticipantId, bytes]
+
+
+@dataclass(frozen=True)
+class NonceCommitment:
+    participant_id: ParticipantId
+    hiding_nonce_commitment: Tuple[int, int]
+    binding_nonce_commitment: Tuple[int, int]
+
+
+@dataclass(frozen=True)
+class BindingFactor:
+    participant_id: ParticipantId
+    binding_factor: int
+
+
+@dataclass(frozen=True)
+class SigningPackage:
+    session_id: SessionId
+    message: bytes
+    participant_ids: list[ParticipantId]
+    commitments: dict[ParticipantId, NonceCommitment]
+
+
+@dataclass
+class SigningSession:
+    session_id: SessionId
+    message: bytes
+    participant_ids: list[ParticipantId] = field(default_factory=list)
+    commitments: dict[ParticipantId, NonceCommitment] = field(default_factory=dict)
+    signature_shares: dict[ParticipantId, SecretValue] = field(default_factory=dict)
+    signing_in_progress: bool = False
+    round_one_completed: bool = False
+    round_two_completed: bool = False

eddsa_threshold/frost/core/polynomial.py

@@ -0,0 +1,39 @@
+from eddsa_threshold.eddsa.curves.base.scalar_ops import ScalarOps
+
+
+def evaluate_polynomial(coeffs: list[int], x: int, scalar_ops: ScalarOps) -> int:
+    """
+    Evaluates a polynomial at a given x using Horner's method.
+    """
+    
+    # https://en.wikipedia.org/wiki/Horner's_method
+    result = 0
+    for coeff in reversed(coeffs):
+        result = result * x + coeff
+
+    return scalar_ops.reduce(result)
+
+
+def derive_interpolating_value(L: list[int], x_i: int, x: int, scalar_ops: ScalarOps) -> int:
+    """
+    Compute Lagrange basis coefficient λ_i(x) for arbitrary interpolation point x.
+    """
+
+    if x_i not in L:
+        raise ValueError("x_i not in set")
+
+    if len(set(L)) != len(L):
+        raise ValueError("duplicate x values")
+
+    numerator = 1
+    denominator = 1
+
+    # Compute the Lagrange basis polynomial
+    # https://en.wikipedia.org/wiki/Lagrange_polynomial
+    for x_j in L:
+        if x_j == x_i:
+            continue
+        numerator = numerator * (x - x_j)
+        denominator = denominator * (x_i - x_j)
+
+    return scalar_ops.reduce(numerator * scalar_ops.inv(scalar_ops.reduce(denominator)))

eddsa_threshold/frost/core/secrets/__init__.py

@@ -0,0 +1 @@
+"""Secret sharing helpers."""

eddsa_threshold/frost/core/secrets/secret_sharing.py

@@ -0,0 +1,26 @@
+from abc import ABC, abstractmethod
+from typing import Final, Tuple
+
+from eddsa_threshold.eddsa.curves.base.scalar_ops import ScalarOps
+from eddsa_threshold.frost.core.frost_types import SecretShare
+
+
+class SecretSharing(ABC):
+    def __init__(self, threshold: int, num_shares: int, scalar_ops: ScalarOps):
+        self.T: Final[int] = threshold
+        self.N: Final[int] = num_shares
+        self.scalar_ops: Final[ScalarOps] = scalar_ops
+
+    @abstractmethod
+    def split(self, secret: int) -> Tuple[list[SecretShare], list[int]]:
+        """
+        Split the secret into N shares with a threshold of T.
+        """
+        raise NotImplementedError
+    
+    @abstractmethod
+    def reconstruct(self, shares: list[SecretShare]) -> int:
+        """
+        Reconstruct the secret from at least T shares.
+        """
+        raise NotImplementedError

eddsa_threshold/frost/core/secrets/shamir_secret_sharing.py

@@ -0,0 +1,41 @@
+from typing import Tuple
+
+from eddsa_threshold.eddsa.curves.base.scalar_ops import ScalarOps
+from eddsa_threshold.frost.core.polynomial import evaluate_polynomial, derive_interpolating_value
+from eddsa_threshold.frost.core.secrets.secret_sharing import SecretSharing
+from eddsa_threshold.frost.core.frost_types import SecretShare
+
+
+class ShamirSecretSharing(SecretSharing):
+    def split(self, secret: int) -> Tuple[list[SecretShare], list[int]]:
+        """
+        Split the secret into N shares with a threshold of T.
+        Uses Shamir's Secret Sharing with random coefficients.
+        """
+        
+        # Generate random coefficients for the polynomial f(x) = secret + a1*x + a2*x^2 + ... + a_{T-1}*x^{T-1}
+        # Uses .random_scalar(), NOT PRODUCTION SECURE, but fine for this project.
+        coeffs = [secret] + [self.scalar_ops.random_scalar() for _ in range(1, self.T)]
+
+        shares = []
+        for i in range(1, self.N + 1):
+            secret_key_share_i = evaluate_polynomial(coeffs, i, self.scalar_ops)
+            shares.append(SecretShare(i, secret_key_share_i))
+
+        return shares, coeffs
+
+    def reconstruct(self, shares: list[SecretShare]) -> int:
+        """
+        Reconstruct the secret from at least T shares using Lagrange interpolation.
+        """
+        
+        if len(shares) < self.T:
+            raise ValueError("Not enough shares to reconstruct the secret")
+
+        secret = self.scalar_ops.identity
+        for share_i in shares:
+            # Add share_i contribution to the secret
+            lagrange_coeff = derive_interpolating_value([share_j.index for share_j in shares], share_i.index, 0, self.scalar_ops)
+            secret += share_i.value * lagrange_coeff
+
+        return self.scalar_ops.reduce(secret)

eddsa_threshold/frost/core/util.py

@@ -0,0 +1,109 @@
+from typing import Tuple
+
+from eddsa_threshold.eddsa.curves.base.edwards_curve import EdwardsCurve
+from eddsa_threshold.eddsa.curves.base.encoding import Encoding
+from eddsa_threshold.eddsa.curves.base.scalar_ops import ScalarOps
+from eddsa_threshold.frost.core.base.frost_hashing import FrostHashing
+from eddsa_threshold.frost.core.frost_types import BindingFactor, GroupInfo, NonceCommitment, ParticipantId, VSSCommitment
+
+
+def encode_group_commitments(commitments: list[NonceCommitment], encoding: Encoding) -> bytes:
+    """
+    Encodes a list of NonceCommitments into bytes.
+    """
+    
+    # Sort by participant id for deterministic encoding
+    group_commitments = sorted(commitments, key=lambda c: c.participant_id)
+
+    encoded_group_commitment = b""
+
+    for commitment in group_commitments:
+        encoded_commitment = encoding.encode_scalar(commitment.participant_id) + encoding.encode_point(
+            commitment.hiding_nonce_commitment) + encoding.encode_point(commitment.binding_nonce_commitment)
+        encoded_group_commitment = encoded_group_commitment + encoded_commitment
+
+    return encoded_group_commitment
+
+
+def compute_binding_factors(group_public_key: bytes, commitments: list[NonceCommitment], message: bytes, hashing: FrostHashing, encoding: Encoding) -> list[BindingFactor]:
+    """
+    Computes the binding factors for a signing session given the group public key, the list of NonceCommitments, and the message.
+    """
+    
+    message_hash = hashing.h4(message)
+    encoded_commitments_hash = hashing.h5(encode_group_commitments(commitments, encoding))
+
+    rho_prefix = group_public_key + message_hash + encoded_commitments_hash
+
+    binding_factors = []
+    for commitment in commitments:
+        rho_input = rho_prefix + encoding.encode_scalar(commitment.participant_id)
+        binding_factor = hashing.h1(rho_input)
+        binding_factors.append(BindingFactor(commitment.participant_id, binding_factor))
+    return binding_factors
+
+
+def binding_factor_for_participant(participant_id: ParticipantId, binding_factors: list[BindingFactor]) -> int:
+    """
+    Retrieves the binding factor for a given participant id from a list of BindingFactors.
+    """
+    
+    for factor in binding_factors:
+        if factor.participant_id == participant_id:
+            return factor.binding_factor
+
+    raise ValueError(f"binding factor not found for participant {participant_id}")
+
+
+# EdwardsCurve for now, because this project only implements FROST for EdDSA, but this can be made more generic if needed.
+def compute_group_commitment(commitments: list[NonceCommitment], binding_factors: list[BindingFactor], curve: EdwardsCurve) -> Tuple:
+    """
+    Computes the group commitment from a list of NonceCommitments and BindingFactors.
+    """
+    
+    group_commitment = (0, 1, 1, 0)  # Neutral element in extended coordinates
+
+    for commitment in commitments:
+        binding_factor = binding_factor_for_participant(commitment.participant_id, binding_factors)
+        binding_nonce = curve.scalar_mult(binding_factor, curve.affine_to_extended(commitment.binding_nonce_commitment))
+
+        group_commitment = curve.add(group_commitment, curve.affine_to_extended(commitment.hiding_nonce_commitment))
+        group_commitment = curve.add(group_commitment, binding_nonce)
+
+    return curve.extended_to_affine(group_commitment)
+
+
+def check_participant_bounds(threshold: int, participant_ids: list[ParticipantId], scalar_ops: ScalarOps) -> None:
+    """
+    Checks that participant ids are within valid bounds
+    """
+    
+    if threshold <= 0:
+        raise ValueError("threshold must be positive")
+    if len(participant_ids) < threshold:
+        raise ValueError("number of participants must be >= threshold")
+    if len(participant_ids) <= 0:
+        raise ValueError("number of participants must be positive")
+    if len(participant_ids) >= scalar_ops.order:
+        raise ValueError("number of participants must be less than the curve order")
+
+    unique_ids = set(participant_ids)
+    if len(unique_ids) != len(participant_ids):
+        raise ValueError("participant ids must be unique")
+
+
+def derive_group_info(threshold: int, max_participants: int, vss_commitment: list[VSSCommitment], curve: EdwardsCurve) -> GroupInfo:
+    """
+    Derives the group public key and participant public keys from the VSS commitment.
+    """
+    
+    group_public_key = curve.encode_extended_point(vss_commitment[0])  # the first commitment is the group public key
+
+    participant_public_keys: dict[ParticipantId, bytes] = {}
+
+    for i in range(1, max_participants + 1):
+        participant_i_pk = (0, 1, 1, 0)
+        for j in range(0, threshold):
+            participant_i_pk = curve.add(curve.scalar_mult(pow(i, j), vss_commitment[j]), participant_i_pk)
+        participant_public_keys[i] = curve.encode_extended_point(participant_i_pk)
+    return GroupInfo(group_public_key, participant_public_keys)