From 4442867074a257898968db08ac7fc61e295285dd Mon Sep 17 00:00:00 2001 From: Jesse Posner Date: Wed, 6 Nov 2024 16:52:54 -0800 Subject: [PATCH] Return aggregated VSS when aggregating shares --- examples/frost.c | 7 +-- include/secp256k1_frost.h | 50 ++++++++--------- src/ctime_tests.c | 7 +-- src/modules/frost/keygen_impl.h | 95 ++++++++++++++++++++++++--------- src/modules/frost/tests_impl.h | 90 ++++++++++++++++--------------- 5 files changed, 150 insertions(+), 99 deletions(-) diff --git a/examples/frost.c b/examples/frost.c index 15a4b67ec..5f1ec6294 100644 --- a/examples/frost.c +++ b/examples/frost.c @@ -75,6 +75,7 @@ int create_shares(const secp256k1_context* ctx, struct signer_secrets *signer_se const secp256k1_pubkey *vss_commitments[N_SIGNERS]; const unsigned char *ids[N_SIGNERS]; const unsigned char *poks[N_SIGNERS]; + secp256k1_pubkey agg_vss_commitment[THRESHOLD]; for (i = 0; i < N_SIGNERS; i++) { vss_commitments[i] = signer[i].vss_commitment; @@ -100,7 +101,7 @@ int create_shares(const secp256k1_context* ctx, struct signer_secrets *signer_se assigned_shares[j] = &shares[j][i]; } /* Each participant aggregates the shares they received. */ - if (!secp256k1_frost_share_agg(ctx, &signer_secrets[i].agg_share, assigned_shares, vss_commitments, poks, N_SIGNERS, THRESHOLD, signer[i].id)) { + if (!secp256k1_frost_share_agg(ctx, &signer_secrets[i].agg_share, agg_vss_commitment, assigned_shares, vss_commitments, poks, N_SIGNERS, THRESHOLD, signer[i].id)) { return 0; } for (j = 0; j < N_SIGNERS; j++) { @@ -108,12 +109,12 @@ int create_shares(const secp256k1_context* ctx, struct signer_secrets *signer_se * internally, so it is only neccessary to call this function if * share_agg returns an error, to determine which participant(s) * submitted faulty data. */ - if (!secp256k1_frost_share_verify(ctx, THRESHOLD, signer[i].id, assigned_shares[j], &vss_commitments[j])) { + if (!secp256k1_frost_share_verify(ctx, THRESHOLD, signer[i].id, assigned_shares[j], vss_commitments[j])) { return 0; } /* Each participant generates public verification shares that are * used for verifying partial signatures. */ - if (!secp256k1_frost_compute_pubshare(ctx, &signer[j].pubshare, THRESHOLD, signer[j].id, vss_commitments, N_SIGNERS)) { + if (!secp256k1_frost_compute_pubshare(ctx, &signer[j].pubshare, THRESHOLD, signer[j].id, agg_vss_commitment, N_SIGNERS)) { return 0; } } diff --git a/include/secp256k1_frost.h b/include/secp256k1_frost.h index 4b53ea791..07b8d8247 100644 --- a/include/secp256k1_frost.h +++ b/include/secp256k1_frost.h @@ -237,29 +237,31 @@ SECP256K1_API int secp256k1_frost_shares_gen( * * Returns: 0 if the arguments are invalid, 1 otherwise (which does NOT mean * the resulting signature verifies). - * Args: ctx: pointer to a context object - * Out: agg_share: the aggregated share - * In: shares: all key generation shares for the partcipant's index - * vss_commitments: coefficient commitments of all participants ordered by - * the IDs of the participants - * pok64s: proofs of knowledge for the shares ordered by the IDs of - * the participants - * n_shares: the total number of shares - * threshold: the minimum number of shares required to produce a - * signature - * id33: the 33-byte ID of the participant whose shares are being - * aggregated + * Args: ctx: pointer to a context object + * Out: agg_share: the aggregated share + * In: shares: all key generation shares for the partcipant's index + * agg_vss_commitment: the aggregated coefficient commitment + * vss_commitments: coefficient commitment of each participant ordered by + * the IDs of the participants + * pok64s: proofs of knowledge for the shares ordered by the IDs of + * the participants + * n_shares: the total number of shares + * threshold: the minimum number of shares required to produce a + * signature + * id33: the 33-byte ID of the participant whose shares are being + * aggregated */ SECP256K1_API int secp256k1_frost_share_agg( const secp256k1_context *ctx, secp256k1_frost_share *agg_share, + secp256k1_pubkey *agg_vss_commitment, const secp256k1_frost_share * const *shares, const secp256k1_pubkey * const *vss_commitments, const unsigned char * const *pok64s, size_t n_shares, size_t threshold, const unsigned char *id33 -) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(8); +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(9); /** Verifies a share received during a key generation session * @@ -281,28 +283,28 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_frost_share_verify( size_t threshold, const unsigned char *id33, const secp256k1_frost_share *share, - const secp256k1_pubkey * const *vss_commitment + const secp256k1_pubkey *vss_commitment ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); /** Computes a public verification share used for verifying partial signatures * * Returns: 0 if the arguments are invalid, 1 otherwise - * Args: ctx: pointer to a context object - * Out: pubshare: pointer to a struct to store the public verification - * share - * In: threshold: the minimum number of signers required to produce a - * signature - * id33: the 33-byte participant ID of the participant whose - * partial signature will be verified with the pubshare - * vss_commitments: coefficient commitments of all participants - * n_participants: the total number of participants + * Args: ctx: pointer to a context object + * Out: pubshare: pointer to a struct to store the public verification + * share + * In: threshold: the minimum number of signers required to produce a + * signature + * id33: the 33-byte participant ID of the participant whose + * partial signature will be verified with the pubshare + * agg_vss_commitment: the output of `secp256k1_frost_share_agg` + * n_participants: the total number of participants */ SECP256K1_API int secp256k1_frost_compute_pubshare( const secp256k1_context *ctx, secp256k1_pubkey *pubshare, size_t threshold, const unsigned char *id33, - const secp256k1_pubkey * const *vss_commitments, + const secp256k1_pubkey *agg_vss_commitment, size_t n_participants ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); diff --git a/src/ctime_tests.c b/src/ctime_tests.c index 32b65fa40..9e51e92a7 100644 --- a/src/ctime_tests.c +++ b/src/ctime_tests.c @@ -385,6 +385,7 @@ static void run_tests(secp256k1_context *ctx, unsigned char *key) { const unsigned char *pok_ptr[2]; secp256k1_pubkey pubshare[2]; const secp256k1_pubkey *pubshares_ptr[2]; + secp256k1_pubkey agg_vss_commitment[2]; id_ptr[0] = id[0]; id_ptr[1] = id[1]; @@ -438,12 +439,12 @@ static void run_tests(secp256k1_context *ctx, unsigned char *key) { SECP256K1_CHECKMEM_DEFINE(&vss_commitment[1][1], sizeof(secp256k1_pubkey)); SECP256K1_CHECKMEM_DEFINE(pok[0], 64); SECP256K1_CHECKMEM_DEFINE(pok[1], 64); - ret = secp256k1_frost_share_agg(ctx, &agg_share, share_ptr, vss_ptr, pok_ptr, 2, 2, id_ptr[0]); + ret = secp256k1_frost_share_agg(ctx, &agg_share, agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 2, 2, id_ptr[0]); SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret)); CHECK(ret == 1); SECP256K1_CHECKMEM_UNDEFINE(&agg_share, sizeof(&agg_share)); - CHECK(secp256k1_frost_compute_pubshare(ctx, &pubshare[0], 2, id_ptr[0], vss_ptr, 2)); - CHECK(secp256k1_frost_compute_pubshare(ctx, &pubshare[1], 2, id_ptr[1], vss_ptr, 2)); + CHECK(secp256k1_frost_compute_pubshare(ctx, &pubshare[0], 2, id_ptr[0], agg_vss_commitment, 2)); + CHECK(secp256k1_frost_compute_pubshare(ctx, &pubshare[1], 2, id_ptr[1], agg_vss_commitment, 2)); CHECK(secp256k1_frost_pubkey_gen(ctx, &cache, pubshares_ptr, 2, id_ptr)); /* nonce_gen */ SECP256K1_CHECKMEM_UNDEFINE(session_id, sizeof(session_id)); diff --git a/src/modules/frost/keygen_impl.h b/src/modules/frost/keygen_impl.h index cf2d727d4..d18a5edd5 100644 --- a/src/modules/frost/keygen_impl.h +++ b/src/modules/frost/keygen_impl.h @@ -227,7 +227,7 @@ typedef struct { const secp256k1_context *ctx; secp256k1_scalar idx; secp256k1_scalar idxn; - const secp256k1_pubkey * const* vss_commitment; + const secp256k1_pubkey *vss_commitment; } secp256k1_frost_verify_share_ecmult_data; typedef struct { @@ -245,9 +245,15 @@ typedef struct { size_t n_pubshares; } secp256k1_frost_interpolate_pubkey_ecmult_data; +typedef struct { + const secp256k1_context *ctx; + size_t idxn; + const secp256k1_pubkey * const* vss_commitments; +} secp256k1_frost_vss_agg_ecmult_data; + static int secp256k1_frost_verify_share_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { secp256k1_frost_verify_share_ecmult_data *ctx = (secp256k1_frost_verify_share_ecmult_data *) data; - if (!secp256k1_pubkey_load(ctx->ctx, pt, *(ctx->vss_commitment)+idx)) { + if (!secp256k1_pubkey_load(ctx->ctx, pt, &ctx->vss_commitment[idx])) { return 0; } *sc = ctx->idxn; @@ -288,8 +294,20 @@ static int secp256k1_frost_interpolate_pubkey_ecmult_callback(secp256k1_scalar * return 1; } +static int secp256k1_frost_vss_agg_pubkey_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) { + secp256k1_frost_vss_agg_ecmult_data *ctx = (secp256k1_frost_vss_agg_ecmult_data *) data; + + if (!secp256k1_pubkey_load(ctx->ctx, pt, &ctx->vss_commitments[idx][ctx->idxn])) { + return 0; + } + + *sc = secp256k1_scalar_one; + + return 1; +} + /* See RFC 9591 */ -static int secp256k1_frost_vss_verify_internal(const secp256k1_context* ctx, size_t threshold, const unsigned char *id33, const secp256k1_scalar *share, const secp256k1_pubkey * const* vss_commitment) { +static int secp256k1_frost_vss_verify_internal(const secp256k1_context* ctx, size_t threshold, const unsigned char *id33, const secp256k1_scalar *share, const secp256k1_pubkey *vss_commitment) { secp256k1_scalar share_neg; secp256k1_gej tmpj, snj; secp256k1_ge sng; @@ -319,7 +337,7 @@ static int secp256k1_frost_vss_verify_internal(const secp256k1_context* ctx, siz return secp256k1_gej_is_infinity(&tmpj); } -int secp256k1_frost_share_verify(const secp256k1_context* ctx, size_t threshold, const unsigned char *id33, const secp256k1_frost_share *share, const secp256k1_pubkey * const* vss_commitment) { +int secp256k1_frost_share_verify(const secp256k1_context* ctx, size_t threshold, const unsigned char *id33, const secp256k1_frost_share *share, const secp256k1_pubkey *vss_commitment) { secp256k1_scalar share_i; VERIFY_CHECK(ctx != NULL); @@ -335,16 +353,17 @@ int secp256k1_frost_share_verify(const secp256k1_context* ctx, size_t threshold, return secp256k1_frost_vss_verify_internal(ctx, threshold, id33, &share_i, vss_commitment); } -int secp256k1_frost_compute_pubshare(const secp256k1_context* ctx, secp256k1_pubkey *pubshare, size_t threshold, const unsigned char *id33, const secp256k1_pubkey * const* vss_commitments, size_t n_participants) { - secp256k1_gej pkj; +int secp256k1_frost_compute_pubshare(const secp256k1_context* ctx, secp256k1_pubkey *pubshare, size_t threshold, const unsigned char *id33, const secp256k1_pubkey *agg_vss_commitment, size_t n_participants) { + secp256k1_gej tmpj; secp256k1_ge tmp; - secp256k1_frost_compute_pubshare_ecmult_data compute_pubshare_ecmult_data; + secp256k1_frost_verify_share_ecmult_data verify_share_ecmult_data; VERIFY_CHECK(ctx != NULL); + ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(pubshare != NULL); memset(pubshare, 0, sizeof(*pubshare)); ARG_CHECK(id33 != NULL); - ARG_CHECK(vss_commitments != NULL); + ARG_CHECK(agg_vss_commitment != NULL); ARG_CHECK(n_participants > 1); ARG_CHECK(threshold > 1); @@ -352,34 +371,55 @@ int secp256k1_frost_compute_pubshare(const secp256k1_context* ctx, secp256k1_pub return 0; } - /* Use an EC multi-multiplication to compute the following equation: - * agg_share_i*G = ( - * idx^0*vss_commitment[0][0] + ... - * + idx^(t - 1)*vss_commitment[0][t - 1] - * ) + ... - * + ( - * idx^0*vss_commitment[n - 1][0] + ... - * + idx^(t - 1)*vss_commitment[n - 1][t - 1] - * )*/ - compute_pubshare_ecmult_data.ctx = ctx; - compute_pubshare_ecmult_data.vss_commitments = vss_commitments; - compute_pubshare_ecmult_data.threshold = threshold; + /* Use an EC multi-multiplication to verify the following equation: + * agg_share_i * G = idx^0*agg_vss_commitment[0] + * + ... + * + idx^(threshold - 1)*agg_vss_commitment[threshold - 1]*/ + verify_share_ecmult_data.ctx = ctx; + verify_share_ecmult_data.vss_commitment = agg_vss_commitment; /* Evaluate the public polynomial at the idx */ - if (!secp256k1_frost_compute_indexhash(&compute_pubshare_ecmult_data.idx, id33)) { + if (!secp256k1_frost_compute_indexhash(&verify_share_ecmult_data.idx, id33)) { return 0; } - secp256k1_scalar_set_int(&compute_pubshare_ecmult_data.idxn, 1); + secp256k1_scalar_set_int(&verify_share_ecmult_data.idxn, 1); /* TODO: add scratch */ - if (!secp256k1_ecmult_multi_var(&ctx->error_callback, NULL, &pkj, NULL, secp256k1_frost_compute_pubshare_ecmult_callback, (void *) &compute_pubshare_ecmult_data, n_participants*threshold)) { + if (!secp256k1_ecmult_multi_var(&ctx->error_callback, NULL, &tmpj, NULL, secp256k1_frost_verify_share_ecmult_callback, (void *) &verify_share_ecmult_data, threshold)) { return 0; } - secp256k1_ge_set_gej(&tmp, &pkj); + secp256k1_ge_set_gej(&tmp, &tmpj); secp256k1_pubkey_save(pubshare, &tmp); return 1; } -int secp256k1_frost_share_agg(const secp256k1_context* ctx, secp256k1_frost_share *agg_share, const secp256k1_frost_share * const* shares, const secp256k1_pubkey * const* vss_commitments, const unsigned char * const *pok64s, size_t n_shares, size_t threshold, const unsigned char *id33) { +static int secp256k1_frost_vss_agg(const secp256k1_context* ctx, secp256k1_pubkey *agg_vss_commitment, const secp256k1_pubkey * const *vss_commitments, size_t n_participants, size_t threshold) { + secp256k1_gej tmpj; + secp256k1_ge tmp; + secp256k1_frost_vss_agg_ecmult_data vss_agg_ecmult_data; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(agg_vss_commitment != NULL); + ARG_CHECK(vss_commitments != NULL); + ARG_CHECK(n_participants > 1); + ARG_CHECK(threshold > 1); + + vss_agg_ecmult_data.ctx = ctx; + vss_agg_ecmult_data.vss_commitments = vss_commitments; + + for (vss_agg_ecmult_data.idxn = 0; vss_agg_ecmult_data.idxn < threshold; vss_agg_ecmult_data.idxn++) { + /* TODO: add scratch */ + if (!secp256k1_ecmult_multi_var(&ctx->error_callback, NULL, &tmpj, NULL, secp256k1_frost_vss_agg_pubkey_ecmult_callback, (void *) &vss_agg_ecmult_data, n_participants)) { + return 0; + } + secp256k1_ge_set_gej(&tmp, &tmpj); + secp256k1_pubkey_save(&agg_vss_commitment[vss_agg_ecmult_data.idxn], &tmp); + } + + return 1; +} + +int secp256k1_frost_share_agg(const secp256k1_context* ctx, secp256k1_frost_share *agg_share, secp256k1_pubkey *agg_vss_commitment, const secp256k1_frost_share * const* shares, const secp256k1_pubkey * const* vss_commitments, const unsigned char * const *pok64s, size_t n_shares, size_t threshold, const unsigned char *id33) { secp256k1_scalar acc; size_t i; int ret = 1; @@ -422,10 +462,13 @@ int secp256k1_frost_share_agg(const secp256k1_context* ctx, secp256k1_frost_shar return 0; } /* Verify share against commitments */ - ret &= secp256k1_frost_vss_verify_internal(ctx, threshold, id33, &share_i, &vss_commitments[i]); + ret &= secp256k1_frost_vss_verify_internal(ctx, threshold, id33, &share_i, vss_commitments[i]); secp256k1_scalar_add(&acc, &acc, &share_i); } secp256k1_frost_share_save(agg_share, &acc); + if (!secp256k1_frost_vss_agg(ctx, agg_vss_commitment, vss_commitments, n_shares, threshold)) { + return 0; + } return ret; } diff --git a/src/modules/frost/tests_impl.h b/src/modules/frost/tests_impl.h index 33bc6c757..ca85df85e 100644 --- a/src/modules/frost/tests_impl.h +++ b/src/modules/frost/tests_impl.h @@ -62,6 +62,7 @@ void frost_simple_test(void) { const unsigned char *pok_ptr[5]; const secp256k1_pubkey *pubshare_ptr[5]; secp256k1_frost_keygen_cache cache; + secp256k1_pubkey agg_vss_commitment[3]; for (i = 0; i < 5; i++) { secp256k1_testrand256(buf[i]); @@ -81,10 +82,10 @@ void frost_simple_test(void) { for (i = 0; i < 5; i++) { for (j = 0; j < 5; j++) { share_ptr[j] = &shares[j][i]; - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[i], share_ptr[j], &vss_ptr[j]) == 1); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[i], share_ptr[j], vss_ptr[j]) == 1); } - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, id_ptr[i], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, id_ptr[i], agg_vss_commitment, 5) == 1); } CHECK(secp256k1_frost_pubkey_gen(CTX, &cache, pubshare_ptr, 5, id_ptr) == 1); @@ -189,6 +190,7 @@ void frost_api_tests(void) { const unsigned char *pok_ptr[5]; const unsigned char *invalid_pok_ptr[5]; const secp256k1_pubkey *pubshare_ptr[5]; + secp256k1_pubkey agg_vss_commitment[3]; /** setup **/ memset(max64, 0xff, sizeof(max64)); @@ -273,72 +275,72 @@ void frost_api_tests(void) { invalid_share_ptr[j] = &shares[j][i]; } invalid_share_ptr[0] = &invalid_share; - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, invalid_pok_ptr, 5, 3, id_ptr[i]) == 0); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, invalid_pok_ptr, 5, 3, id_ptr[i]) == 0); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, NULL, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], NULL, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, NULL, agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, NULL, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, NULL, pok_ptr, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, NULL, pok_ptr, 5, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, invalid_vss_ptr, pok_ptr, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, invalid_vss_ptr, pok_ptr, 5, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, NULL, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, NULL, 5, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, NULL)); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, NULL)); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], invalid_share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, invalid_share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 0, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 0, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], NULL, vss_ptr, pok_ptr, 0, 3, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, NULL, vss_ptr, pok_ptr, 0, 3, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 0, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 0, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, NULL, pok_ptr, 5, 0, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, NULL, pok_ptr, 5, 0, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, NULL, 5, 0, id_ptr[i])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, NULL, 5, 0, id_ptr[i])); CHECK(frost_memcmp_and_randomize(agg_share[i].data, zeros68, sizeof(agg_share[i].data)) == 0); - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); } /* Share verification */ - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], &vss_ptr[0]) == 1); - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], &vss_ptr[1]) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, NULL, share_ptr[0], &vss_ptr[0])); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], NULL, &vss_ptr[1])); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], &invalid_share, &vss_ptr[0])); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], vss_ptr[0]) == 1); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], vss_ptr[1]) == 0); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, NULL, share_ptr[0], vss_ptr[0])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], NULL, vss_ptr[1])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], &invalid_share, vss_ptr[0])); CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], NULL)); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], &invalid_vss_ptr[0])); - CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 0, id_ptr[4], share_ptr[0], &vss_ptr[0])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], invalid_vss_ptr[0])); + CHECK_ILLEGAL(CTX, secp256k1_frost_share_verify(CTX, 0, id_ptr[4], share_ptr[0], vss_ptr[0])); - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], &vss_ptr[0]) == 1); - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[1], &vss_ptr[1]) == 1); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[0], vss_ptr[0]) == 1); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[4], share_ptr[1], vss_ptr[1]) == 1); /* Compute public verification share */ - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], vss_ptr, 5) == 1); - CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, NULL, 3, id_ptr[0], vss_ptr, 5)); - CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, NULL, vss_ptr, 5)); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], agg_vss_commitment, 5) == 1); + CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, NULL, 3, id_ptr[0], agg_vss_commitment, 5)); + CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, NULL, agg_vss_commitment, 5)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], NULL, 5)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], invalid_vss_ptr, 5)); + CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], invalid_vss_commitment[0], 5)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 0, id_ptr[0], invalid_vss_ptr, 5)); + CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 0, id_ptr[0], invalid_vss_commitment[0], 5)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 0, id_ptr[0], NULL, 5)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); - CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], invalid_vss_ptr, 0)); + CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], invalid_vss_commitment[0], 0)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); CHECK_ILLEGAL(CTX, secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], NULL, 0)); CHECK(frost_memcmp_and_randomize(pubshare[0].data, zeros68, sizeof(pubshare[0].data)) == 0); - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[1], 3, id_ptr[1], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[2], 3, id_ptr[2], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[3], 3, id_ptr[3], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[4], 3, id_ptr[4], vss_ptr, 5) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[0], 3, id_ptr[0], agg_vss_commitment, 5) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[1], 3, id_ptr[1], agg_vss_commitment, 5) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[2], 3, id_ptr[2], agg_vss_commitment, 5) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[3], 3, id_ptr[3], agg_vss_commitment, 5) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[4], 3, id_ptr[4], agg_vss_commitment, 5) == 1); /* pubkey_gen */ CHECK(secp256k1_frost_pubkey_gen(CTX, &keygen_cache, pubshare_ptr, 5, id_ptr) == 1); @@ -712,6 +714,7 @@ void frost_tweak_test(void) { const unsigned char *id_ptr[5]; const unsigned char *pok_ptr[5]; const secp256k1_pubkey *pubshare_ptr[5]; + secp256k1_pubkey agg_vss_commitment[3]; /* Key Setup */ for (i = 0; i < 5; i++) { @@ -730,10 +733,10 @@ void frost_tweak_test(void) { for (i = 0; i < 5; i++) { for (j = 0; j < 5; j++) { share_ptr[j] = &shares[j][i]; - CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[i], share_ptr[j], &vss_ptr[j]) == 1); + CHECK(secp256k1_frost_share_verify(CTX, 3, id_ptr[i], share_ptr[j], vss_ptr[j]) == 1); } - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, id_ptr[i], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, id_ptr[i]) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, id_ptr[i], agg_vss_commitment, 5) == 1); } /* Compute P0 and test signing for it */ CHECK(secp256k1_frost_pubkey_gen(CTX, &keygen_cache, pubshare_ptr, 5, id_ptr) == 1); @@ -785,6 +788,7 @@ void frost_dkg_test_helper(secp256k1_frost_keygen_cache *keygen_cache, secp256k1 const unsigned char *pok_ptr[5]; secp256k1_pubkey pubshare[5]; const secp256k1_pubkey *pubshare_ptr[5]; + secp256k1_pubkey agg_vss_commitment[3]; for (i = 0; i < 5; i++) { secp256k1_testrand256(seed[i]); @@ -799,8 +803,8 @@ void frost_dkg_test_helper(secp256k1_frost_keygen_cache *keygen_cache, secp256k1 for (j = 0; j < 5; j++) { share_ptr[j] = &shares[j][i]; } - CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, ids33[i], vss_ptr, 5) == 1); - CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], share_ptr, vss_ptr, pok_ptr, 5, 3, ids33[i]) == 1); + CHECK(secp256k1_frost_share_agg(CTX, &agg_share[i], agg_vss_commitment, share_ptr, vss_ptr, pok_ptr, 5, 3, ids33[i]) == 1); + CHECK(secp256k1_frost_compute_pubshare(CTX, &pubshare[i], 3, ids33[i], agg_vss_commitment, 5) == 1); } CHECK(secp256k1_frost_pubkey_gen(CTX, keygen_cache, pubshare_ptr, 5, ids33) == 1); }