Merge pull request #74 from dfns/presigs-per-master-key

survived · web-flow · commit de6b4db61b5b · 2024-02-07T14:34:52.000+01:00
HD wallets: Support presignatures independent of derivation path
diff --git a/cggmp21/src/signing.rs b/cggmp21/src/signing.rs
@@ -293,6 +293,10 @@ where
 
     /// Specifies HD derivation path
     ///
+    /// Note: when generating a presignature, derivation path doesn't need to be known in advance. Instead
+    /// of using this method, [`Presingature::set_derivation_path`] could be used to set derivation path
+    /// after presignature was generated.
+    ///
     /// ## Example
     /// Set derivation path to m/1/999
     ///
@@ -313,23 +317,12 @@ where
         slip_10::NonHardenedIndex: TryFrom<Index>,
     {
         use crate::key_share::HdError;
-
-        let mut public_key = self
+        let public_key = self
             .key_share
             .extended_public_key()
             .ok_or(HdError::DisabledHd)?;
-        let mut additive_shift = Scalar::<E>::zero();
-
-        for child_index in path {
-            let child_index: slip_10::NonHardenedIndex =
-                child_index.try_into().map_err(HdError::InvalidPath)?;
-            let shift = slip_10::derive_public_shift(&public_key, child_index);
-
-            additive_shift += shift.shift;
-            public_key = shift.child_public_key;
-        }
-
-        self.additive_shift = Some(additive_shift);
+        self.additive_shift =
+            Some(derive_additive_shift(public_key, path).map_err(HdError::InvalidPath)?);
         Ok(self)
     }
 
@@ -1154,6 +1147,53 @@ where
         let sigma_i = self.k.as_ref() * m + r * self.chi.as_ref();
         PartialSignature { r, sigma: sigma_i }
     }
+
+    /// Specifies HD derivation path
+    ///
+    /// Outputs a presignature that can be used to sign a message with a child key derived from master
+    /// `epub` using `derivation_path`. Note that all signers need to set the same derivation path,
+    /// otherwise output signature will be invalid.
+    ///
+    /// `epub` must be an [extended public key](DirtyIncompleteKeyShare::extended_public_key) assoicated
+    /// with the key share that was used to generate presignature. Using wrong `epub` will simply
+    /// lead to invalid signature.
+    #[cfg(feature = "hd-wallets")]
+    pub fn set_derivation_path<Index>(
+        mut self,
+        epub: slip_10::ExtendedPublicKey<E>,
+        derivation_path: impl IntoIterator<Item = Index>,
+    ) -> Result<Self, <Index as TryInto<slip_10::NonHardenedIndex>>::Error>
+    where
+        slip_10::NonHardenedIndex: TryFrom<Index>,
+    {
+        let additive_shift = derive_additive_shift(epub, derivation_path)?;
+
+        let mut chi = self.chi + additive_shift * &self.k;
+        self.chi = SecretScalar::new(&mut chi);
+
+        Ok(self)
+    }
+}
+
+#[cfg(feature = "hd-wallets")]
+fn derive_additive_shift<E: Curve, Index>(
+    mut epub: slip_10::ExtendedPublicKey<E>,
+    path: impl IntoIterator<Item = Index>,
+) -> Result<Scalar<E>, <Index as TryInto<slip_10::NonHardenedIndex>>::Error>
+where
+    slip_10::NonHardenedIndex: TryFrom<Index>,
+{
+    let mut additive_shift = Scalar::<E>::zero();
+
+    for child_index in path {
+        let child_index: slip_10::NonHardenedIndex = child_index.try_into()?;
+        let shift = slip_10::derive_public_shift(&epub, child_index);
+
+        additive_shift += shift.shift;
+        epub = shift.child_public_key;
+    }
+
+    Ok(additive_shift)
 }
 
 impl<E: Curve> PartialSignature<E> {
diff --git a/tests/tests/it/signing.rs b/tests/tests/it/signing.rs
@@ -3,8 +3,7 @@ mod generic {
     use cggmp21_tests::external_verifier::ExternalVerifier;
     use generic_ec::{coords::HasAffineX, Curve, Point};
     use rand::seq::SliceRandom;
-    use rand::{Rng, RngCore, SeedableRng};
-    use rand_chacha::ChaCha20Rng;
+    use rand::{Rng, RngCore};
     use rand_dev::DevRng;
     use round_based::simulation::Simulation;
     use sha2::Sha256;
@@ -68,7 +67,7 @@ mod generic {
         let mut outputs = vec![];
         for (i, share) in (0..).zip(participants_shares) {
             let party = simulation.add_party();
-            let mut party_rng = ChaCha20Rng::from_seed(rng.gen());
+            let mut party_rng = rng.fork();
 
             #[cfg(feature = "hd-wallets")]
             let derivation_path = derivation_path.clone();
@@ -114,6 +113,105 @@ mod generic {
             .expect("external verification failed")
     }
 
+    #[test_case::case(Some(3), 5, false; "t3n5")]
+    #[cfg_attr(feature = "hd-wallets", test_case::case(Some(3), 5, true; "t3n5-hd"))]
+    #[tokio::test]
+    async fn signing_with_presigs<E: Curve, V>(t: Option<u16>, n: u16, hd_wallet: bool)
+    where
+        Point<E>: HasAffineX<E>,
+        V: ExternalVerifier<E>,
+    {
+        #[cfg(not(feature = "hd-wallets"))]
+        assert!(!hd_wallet);
+
+        let mut rng = DevRng::new();
+
+        let shares = cggmp21_tests::CACHED_SHARES
+            .get_shares::<E, SecurityLevel128>(t, n, hd_wallet)
+            .expect("retrieve cached shares");
+
+        let mut simulation = Simulation::<Msg<E, Sha256>>::new();
+
+        let eid: [u8; 32] = rng.gen();
+        let eid = ExecutionId::new(&eid);
+
+        // Choose `t` signers to generate presignature
+        let t = shares[0].min_signers();
+        let mut participants = (0..n).collect::<Vec<_>>();
+        participants.shuffle(&mut rng);
+        let participants = &participants[..usize::from(t)];
+        println!("Signers: {participants:?}");
+
+        let participants_shares = participants.iter().map(|i| &shares[usize::from(*i)]);
+
+        let mut outputs = vec![];
+        for (i, share) in (0..).zip(participants_shares) {
+            let party = simulation.add_party();
+            let mut party_rng = rng.fork();
+
+            outputs.push(async move {
+                cggmp21::signing(eid, i, participants, share)
+                    .generate_presignature(&mut party_rng, party)
+                    .await
+            });
+        }
+
+        let presignatures = futures::future::try_join_all(outputs)
+            .await
+            .expect("signing failed");
+
+        // Now, that we have presignatures generated, we learn (generate) a messages to sign
+        // and the derivation path (if hd is enabled)
+        let mut original_message_to_sign = [0u8; 100];
+        rng.fill_bytes(&mut original_message_to_sign);
+        let message_to_sign = DataToSign::digest::<Sha256>(&original_message_to_sign);
+
+        #[cfg(feature = "hd-wallets")]
+        let derivation_path = if hd_wallet {
+            Some(cggmp21_tests::random_derivation_path(&mut rng))
+        } else {
+            None
+        };
+
+        let partial_signatures = presignatures
+            .into_iter()
+            .map(|presig| {
+                #[cfg(feature = "hd-wallets")]
+                let presig = if let Some(derivation_path) = &derivation_path {
+                    let epub = shares[0].extended_public_key().expect("not hd wallet");
+                    presig
+                        .set_derivation_path(epub, derivation_path.iter().copied())
+                        .unwrap()
+                } else {
+                    presig
+                };
+                presig.issue_partial_signature(message_to_sign)
+            })
+            .collect::<Vec<_>>();
+
+        let signature = cggmp21::PartialSignature::combine(&partial_signatures)
+            .expect("invalid partial sigantures");
+
+        #[cfg(feature = "hd-wallets")]
+        let public_key = if let Some(path) = &derivation_path {
+            shares[0]
+                .derive_child_public_key(path.iter().cloned())
+                .unwrap()
+                .public_key
+        } else {
+            shares[0].shared_public_key
+        };
+        #[cfg(not(feature = "hd-wallets"))]
+        let public_key = shares[0].shared_public_key;
+
+        signature
+            .verify(&public_key, &message_to_sign)
+            .expect("signature is not valid");
+
+        V::verify(&public_key, &signature, &original_message_to_sign)
+            .expect("external verification failed")
+    }
+
     #[instantiate_tests(<cggmp21::supported_curves::Secp256k1, cggmp21_tests::external_verifier::blockchains::Bitcoin>)]
     mod secp256k1 {}
     #[instantiate_tests(<cggmp21::supported_curves::Secp256r1, cggmp21_tests::external_verifier::Noop>)]
