Trait Ciphersuite
pub trait Ciphersuite:
Copy
+ PartialEq
+ Debug
+ 'static
+ Send
+ Sync {
type Group: Group;
type HashOutput: AsRef<[u8]>;
type SignatureSerialization: Clone + AsRef<[u8]> + AsMut<[u8]> + for<'a> TryFrom<&'a [u8]> + Debug;
const ID: &'static str;
// Required methods
fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
fn H3(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar;
fn H4(m: &[u8]) -> Self::HashOutput;
fn H5(m: &[u8]) -> Self::HashOutput;
// Provided methods
fn HDKG(
_m: &[u8],
) -> Option<<<Self::Group as Group>::Field as Field>::Scalar> { ... }
fn HID(
_m: &[u8],
) -> Option<<<Self::Group as Group>::Field as Field>::Scalar> { ... }
fn single_sign<R>(
signing_key: &SigningKey<Self>,
rng: R,
message: &[u8],
) -> Signature<Self>
where R: RngCore + CryptoRng { ... }
fn verify_signature(
message: &[u8],
signature: &Signature<Self>,
public_key: &VerifyingKey<Self>,
) -> Result<(), Error<Self>> { ... }
fn pre_sign<'a>(
signing_package: &'a SigningPackage<Self>,
signer_nonces: &'a SigningNonces<Self>,
key_package: &'a KeyPackage<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>, Cow<'a, KeyPackage<Self>>), Error<Self>> { ... }
fn pre_aggregate<'a>(
signing_package: &'a SigningPackage<Self>,
signature_shares: &'a BTreeMap<Identifier<Self>, SignatureShare<Self>>,
public_key_package: &'a PublicKeyPackage<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, BTreeMap<Identifier<Self>, SignatureShare<Self>>>, Cow<'a, PublicKeyPackage<Self>>), Error<Self>> { ... }
fn pre_verify<'a>(
msg: &'a [u8],
signature: &'a Signature<Self>,
public_key: &'a VerifyingKey<Self>,
) -> Result<(Cow<'a, [u8]>, Cow<'a, Signature<Self>>, Cow<'a, VerifyingKey<Self>>), Error<Self>> { ... }
fn pre_commitment_sign<'a>(
signing_package: &'a SigningPackage<Self>,
signing_nonces: &'a SigningNonces<Self>,
_binding_factor_list: &'a BindingFactorList<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>), Error<Self>> { ... }
fn pre_commitment_aggregate<'a>(
signing_package: &'a SigningPackage<Self>,
_binding_factor_list: &'a BindingFactorList<Self>,
) -> Result<Cow<'a, SigningPackage<Self>>, Error<Self>> { ... }
fn generate_nonce<R>(
rng: &mut R,
) -> (<<Self::Group as Group>::Field as Field>::Scalar, <Self::Group as Group>::Element)
where R: RngCore + CryptoRng { ... }
fn challenge(
R: &<Self::Group as Group>::Element,
verifying_key: &VerifyingKey<Self>,
message: &[u8],
) -> Result<Challenge<Self>, Error<Self>> { ... }
fn compute_signature_share(
_group_commitment: &GroupCommitment<Self>,
signer_nonces: &SigningNonces<Self>,
binding_factor: BindingFactor<Self>,
lambda_i: <<Self::Group as Group>::Field as Field>::Scalar,
key_package: &KeyPackage<Self>,
challenge: Challenge<Self>,
) -> SignatureShare<Self> { ... }
fn verify_share(
_group_commitment: &GroupCommitment<Self>,
signature_share: &SignatureShare<Self>,
identifier: Identifier<Self>,
group_commitment_share: &GroupCommitmentShare<Self>,
verifying_share: &VerifyingShare<Self>,
lambda_i: <<Self::Group as Group>::Field as Field>::Scalar,
challenge: &Challenge<Self>,
) -> Result<(), Error<Self>> { ... }
fn serialize_signature(
signature: &Signature<Self>,
) -> Result<Vec<u8>, Error<Self>> { ... }
fn deserialize_signature(
bytes: &[u8],
) -> Result<Signature<Self>, Error<Self>> { ... }
fn post_dkg(
key_package: KeyPackage<Self>,
public_key_package: PublicKeyPackage<Self>,
) -> Result<(KeyPackage<Self>, PublicKeyPackage<Self>), Error<Self>> { ... }
fn post_generate(
secret_shares: BTreeMap<Identifier<Self>, SecretShare<Self>>,
public_key_package: PublicKeyPackage<Self>,
) -> Result<(BTreeMap<Identifier<Self>, SecretShare<Self>>, PublicKeyPackage<Self>), Error<Self>> { ... }
}
A FROST ciphersuite specifies the underlying prime-order group details and the cryptographic hash function(s) used to derive scalars and digests. The hash methods are expected to be domain-separated from one another, and the provided methods below are the safe defaults: override them only if you can preserve the checks described in their documentation.
Required Associated Constants (`ID: &'static str`, the ciphersuite identifier string declared above)
Required Associated Types§
type HashOutput: AsRef<[u8]>
The fixed-length byte array produced by the ciphersuite hash function (the return type of `H4` and `H5`).
Required Methods§
fn H1(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar
H1 for a FROST ciphersuite.
Maps arbitrary inputs to `Self::Scalar` elements of the prime-order group scalar field. `H1`, `H2` and `H3` must each be domain-separated from the others (and from `H4`/`H5`) so that an output computed for one role cannot be reinterpreted in another.
fn H2(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar
H2 for a FROST ciphersuite.
Maps arbitrary inputs to Self::Scalar elements of the prime-order group scalar field.
fn H3(m: &[u8]) -> <<Self::Group as Group>::Field as Field>::Scalar
H3 for a FROST ciphersuite.
Maps arbitrary inputs to Self::Scalar elements of the prime-order group scalar field.
fn H4(m: &[u8]) -> Self::HashOutput
H4 for a FROST ciphersuite.
Usually an alias for the ciphersuite hash function H with domain separation applied.
fn H5(m: &[u8]) -> Self::HashOutput
H5 for a FROST ciphersuite.
Usually an alias for the ciphersuite hash function H with domain separation applied.
Provided Methods§
fn HDKG(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar>
Hash function for a FROST ciphersuite, used for the DKG.
The DKG is not part of the specification, so this hash is optional: it may return `None` if the ciphersuite does not support DKG, which is what this default implementation does.
Maps arbitrary inputs to non-zero Self::Scalar elements of the prime-order group scalar field.
fn HID(_m: &[u8]) -> Option<<<Self::Group as Group>::Field as Field>::Scalar>
Hash function for a FROST ciphersuite, used for deriving identifiers from strings.
This feature is not part of the specification and is just a convenient way of creating identifiers. It may therefore return `None` if the ciphersuite does not support it, which is what this default implementation does.
Maps arbitrary inputs to non-zero Self::Scalar elements of the prime-order group scalar field.
fn single_sign<R>(
signing_key: &SigningKey<Self>,
rng: R,
message: &[u8],
) -> Signature<Self>
Optional. Do regular (non-FROST) signing with a [SigningKey]. Called
by [SigningKey::sign()]; this is not used by FROST itself. It can be
overridden if FROST signing has been changed by the other Ciphersuite
trait methods and regular signing must change accordingly to match.
Any override must still draw its nonce from the supplied `CryptoRng`
(see `generate_nonce`): a Schnorr signature made with a reused or
predictable nonce exposes the signing key.
fn verify_signature(
message: &[u8],
signature: &Signature<Self>,
public_key: &VerifyingKey<Self>,
) -> Result<(), Error<Self>>
Optional. Verify a signature for this ciphersuite. Called by
[VerifyingKey::verify()]. The default implementation uses the
“cofactored” equation (it multiplies by the cofactor returned by
Group::cofactor()).
Cryptographic Safety
You may override this to provide a tailored implementation, but if the
ciphersuite defines a cofactor it must still multiply by it to comply
with the RFC. Note that batch verification (see
[crate::batch::Verifier]) always uses the default implementation
regardless of whether a tailored implementation was provided, so an
override that accepts or rejects different signatures than the default
makes single and batch verification disagree.
fn pre_sign<'a>(
signing_package: &'a SigningPackage<Self>,
signer_nonces: &'a SigningNonces<Self>,
key_package: &'a KeyPackage<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>, Cow<'a, KeyPackage<Self>>), Error<Self>>
Optional. Pre-process [round2::sign()] inputs. The default
implementation returns them as-is. Cow is used so implementations
can choose to return the same passed reference or a modified clone.
fn pre_aggregate<'a>(
signing_package: &'a SigningPackage<Self>,
signature_shares: &'a BTreeMap<Identifier<Self>, SignatureShare<Self>>,
public_key_package: &'a PublicKeyPackage<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, BTreeMap<Identifier<Self>, SignatureShare<Self>>>, Cow<'a, PublicKeyPackage<Self>>), Error<Self>>
Optional. Pre-process [crate::aggregate()] and
[crate::verify_signature_share()] inputs. In the latter case, “dummy”
container BTreeMap and PublicKeyPackage are passed with the relevant
values (PublicKeyPackage.min_signers will be None). The default
implementation returns them as-is. Cow is used so implementations
can choose to return the same passed reference or a modified clone.
fn pre_verify<'a>(
msg: &'a [u8],
signature: &'a Signature<Self>,
public_key: &'a VerifyingKey<Self>,
) -> Result<(Cow<'a, [u8]>, Cow<'a, Signature<Self>>, Cow<'a, VerifyingKey<Self>>), Error<Self>>
Optional. Pre-process [VerifyingKey::verify()] inputs. The default
implementation returns them as-is. Cow is used so implementations
can choose to return the same passed reference or a modified clone.
fn pre_commitment_sign<'a>(
signing_package: &'a SigningPackage<Self>,
signing_nonces: &'a SigningNonces<Self>,
_binding_factor_list: &'a BindingFactorList<Self>,
) -> Result<(Cow<'a, SigningPackage<Self>>, Cow<'a, SigningNonces<Self>>), Error<Self>>
Optional. Pre-process [crate::compute_group_commitment()] inputs in
[round2::sign()].
fn pre_commitment_aggregate<'a>(
signing_package: &'a SigningPackage<Self>,
_binding_factor_list: &'a BindingFactorList<Self>,
) -> Result<Cow<'a, SigningPackage<Self>>, Error<Self>>
Optional. Pre-process [crate::compute_group_commitment()] inputs in
[crate::aggregate()].
fn generate_nonce<R>(
rng: &mut R,
) -> (<<Self::Group as Group>::Field as Field>::Scalar, <Self::Group as Group>::Element)
Optional. Generate a nonce and a commitment to it. Used by
[SigningKey] for regular (non-FROST) signing and internally by the DKG
to generate proof-of-knowledge signatures. The nonce must be fresh and
uniformly random from the supplied `CryptoRng` and never reused across
signatures; any override must preserve this.
fn challenge(
R: &<Self::Group as Group>::Element,
verifying_key: &VerifyingKey<Self>,
message: &[u8],
) -> Result<Challenge<Self>, Error<Self>>
Optional. Generates the challenge as is required for Schnorr signatures.
Called by [round2::sign()] and [crate::aggregate()].
Optional. Compute the signature share for a particular signer on a given
challenge. Called by [round2::sign()].
Optional. Verify a signature share. Called by [crate::aggregate()] if
cheater detection is enabled, so that an invalid share can be attributed
to the participant that produced it rather than only causing the
aggregate signature to fail.
fn serialize_signature(
signature: &Signature<Self>,
) -> Result<Vec<u8>, Error<Self>>
Optional. Converts a signature to its
Ciphersuite::SignatureSerialization in bytes.
The default implementation serializes a signature by serializing its R
point and z component independently, and then concatenating them.
fn deserialize_signature(bytes: &[u8]) -> Result<Signature<Self>, Error<Self>>
Optional. Converts bytes as Ciphersuite::SignatureSerialization into
a Signature<C>.
The default implementation assumes the serialization is a serialized R
point followed by a serialized z component with no padding or extra
fields. An override should likewise reject input whose length is not
exactly the serialized R plus z length (no trailing bytes) and rely on
the group's element and scalar deserialization to reject invalid or
non-canonical encodings, returning an `Error` rather than accepting them.
fn post_dkg(
key_package: KeyPackage<Self>,
public_key_package: PublicKeyPackage<Self>,
) -> Result<(KeyPackage<Self>, PublicKeyPackage<Self>), Error<Self>>
Post-process the output of the DKG for a given participant.
fn post_generate(
secret_shares: BTreeMap<Identifier<Self>, SecretShare<Self>>,
public_key_package: PublicKeyPackage<Self>,
) -> Result<(BTreeMap<Identifier<Self>, SecretShare<Self>>, PublicKeyPackage<Self>), Error<Self>>
Post-process the output of the key generation for a participant.
Dyn Compatibility§
This trait is not dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety", so this trait is not object safe.