New tss package, and includes tss/frost threshold signature scheme

Changes:
 - The package tss will provide the threshold signature schemes.
 - The package tss/frost implements the FROST threshold signature
   scheme for Schnorr signatures.
   This scheme is under standardization process at IETF/CFRG [2].
   Test vectors from [3] are passing for P256 and Ristretto255 groups.

References:
 [1] frost paper: https://eprint.iacr.org/2020/852
 [2] draft-irtf-cfrg-frost: https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost
 [3] test-vectors: https://github.com/cfrg/draft-irtf-cfrg-frost

Author: armfazh

tss/frost/combiner.go

@@ -0,0 +1,79 @@
+package frost
+
+import (
+	"errors"
+	"fmt"
+)
+
+type Combiner struct {
+	Suite
+	threshold  uint
+	maxSigners uint
+}
+
+func NewCombiner(s Suite, threshold, maxSigners uint) (*Combiner, error) {
+	if threshold > maxSigners {
+		return nil, errors.New("frost: invalid parameters")
+	}
+
+	return &Combiner{Suite: s, threshold: threshold, maxSigners: maxSigners}, nil
+}
+
+func (c Combiner) CheckSignShares(
+	signShares []*SignShare,
+	pubKeySigners []*PublicKey,
+	coms []*Commitment,
+	pubKeyGroup *PublicKey,
+	msg []byte,
+) bool {
+	if l := len(signShares); !(int(c.threshold) < l && l <= int(c.maxSigners)) {
+		return false
+	}
+	if l := len(pubKeySigners); !(int(c.threshold) < l && l <= int(c.maxSigners)) {
+		return false
+	}
+	if l := len(coms); !(int(c.threshold) < l && l <= int(c.maxSigners)) {
+		return false
+	}
+
+	for i := range signShares {
+		if !signShares[i].Verify(c.Suite, pubKeySigners[i], coms[i], coms, pubKeyGroup, msg) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (c Combiner) Sign(msg []byte, coms []*Commitment, signShares []*SignShare) ([]byte, error) {
+	if l := len(coms); l <= int(c.threshold) {
+		return nil, fmt.Errorf("frost: only %v shares of %v required", l, c.threshold)
+	}
+
+	bindingFactors, err := c.Suite.getBindingFactors(coms, msg)
+	if err != nil {
+		return nil, err
+	}
+
+	groupCom, err := c.Suite.getGroupCommitment(coms, bindingFactors)
+	if err != nil {
+		return nil, err
+	}
+
+	gcEnc, err := groupCom.MarshalBinaryCompress()
+	if err != nil {
+		return nil, err
+	}
+
+	z := c.Suite.g.NewScalar()
+	for i := range signShares {
+		z.Add(z, signShares[i].share)
+	}
+
+	zEnc, err := z.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	return append(append([]byte{}, gcEnc...), zEnc...), nil
+}

tss/frost/commit.go

@@ -0,0 +1,128 @@
+package frost
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+	"sort"
+
+	"github.com/cloudflare/circl/group"
+)
+
+type Nonce struct {
+	ID              uint16
+	hiding, binding group.Scalar
+}
+
+func (s Suite) nonceGenerate(rnd io.Reader, secret group.Scalar) (group.Scalar, error) {
+	k := make([]byte, 32)
+	_, err := io.ReadFull(rnd, k)
+	if err != nil {
+		return nil, err
+	}
+	secretEnc, err := secret.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	return s.hasher.h4(append(append([]byte{}, k...), secretEnc...)), nil
+}
+
+type Commitment struct {
+	ID              uint16
+	hiding, binding group.Element
+}
+
+func (c Commitment) MarshalBinary() ([]byte, error) {
+	bytes := (&[2]byte{})[:]
+	binary.BigEndian.PutUint16(bytes, c.ID)
+
+	h, err := c.hiding.MarshalBinaryCompress()
+	if err != nil {
+		return nil, err
+	}
+	b, err := c.binding.MarshalBinaryCompress()
+	if err != nil {
+		return nil, err
+	}
+
+	return append(append(bytes, h...), b...), nil
+}
+
+func encodeComs(coms []*Commitment) ([]byte, error) {
+	sort.SliceStable(coms, func(i, j int) bool { return coms[i].ID < coms[j].ID })
+
+	var out []byte
+	for i := range coms {
+		cEnc, err := coms[i].MarshalBinary()
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, cEnc...)
+	}
+	return out, nil
+}
+
+type bindingFactor struct {
+	ID     uint16
+	factor group.Scalar
+}
+
+func (s Suite) getBindingFactorFromID(bindingFactors []bindingFactor, id uint) (group.Scalar, error) {
+	for i := range bindingFactors {
+		if uint(bindingFactors[i].ID) == id {
+			return bindingFactors[i].factor, nil
+		}
+	}
+	return nil, errors.New("frost: id not found")
+}
+
+func (s Suite) getBindingFactors(coms []*Commitment, msg []byte) ([]bindingFactor, error) {
+	msgHash := s.hasher.h3(msg)
+	commitEncoded, err := encodeComs(coms)
+	if err != nil {
+		return nil, err
+	}
+	commitEncodedHash := s.hasher.h3(commitEncoded)
+	rhoInputPrefix := append(append([]byte{}, msgHash...), commitEncodedHash...)
+
+	bindingFactors := make([]bindingFactor, len(coms))
+	id := (&[2]byte{})[:]
+	for i := range coms {
+		binary.BigEndian.PutUint16(id, coms[i].ID)
+		bf := s.hasher.h1(append(append([]byte{}, rhoInputPrefix...), id...))
+		bindingFactors[i] = bindingFactor{ID: coms[i].ID, factor: bf}
+	}
+
+	return bindingFactors, nil
+}
+
+func (s Suite) getGroupCommitment(coms []*Commitment, bindingFactors []bindingFactor) (group.Element, error) {
+	gc := s.g.NewElement()
+	tmp := s.g.NewElement()
+	for i := range coms {
+		bf, err := s.getBindingFactorFromID(bindingFactors, uint(coms[i].ID))
+		if err != nil {
+			return nil, err
+		}
+		tmp.Mul(coms[i].binding, bf)
+		tmp.Add(tmp, coms[i].hiding)
+		gc.Add(gc, tmp)
+	}
+
+	return gc, nil
+}
+
+func (s Suite) getChallenge(groupCom group.Element, pubKey *PublicKey, msg []byte) (group.Scalar, error) {
+	gcEnc, err := groupCom.MarshalBinaryCompress()
+	if err != nil {
+		return nil, err
+	}
+	pkEnc, err := pubKey.key.MarshalBinaryCompress()
+	if err != nil {
+		return nil, err
+	}
+	chInput := append(append(append([]byte{}, gcEnc...), pkEnc...), msg...)
+
+	return s.hasher.h2(chInput), nil
+}

tss/frost/frost.go

@@ -0,0 +1,91 @@
+// Package frost provides the FROST threshold signature scheme for Schnorr signatures.
+//
+// References:
+//  FROST paper: https://eprint.iacr.org/2020/852
+//  draft-irtf-cfrg-frost: https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost
+package frost
+
+import (
+	"io"
+
+	"github.com/cloudflare/circl/group"
+	"github.com/cloudflare/circl/secretsharing"
+)
+
+type PrivateKey struct {
+	Suite
+	key    group.Scalar
+	pubKey *PublicKey
+}
+
+type PublicKey struct {
+	Suite
+	key group.Element
+}
+
+func GenerateKey(s Suite, rnd io.Reader) *PrivateKey {
+	return &PrivateKey{s, s.g.RandomNonZeroScalar(rnd), nil}
+}
+
+func (k *PrivateKey) Public() *PublicKey {
+	return &PublicKey{k.Suite, k.Suite.g.NewElement().MulGen(k.key)}
+}
+
+type SharesCommitment = []group.Element
+
+func (k *PrivateKey) Split(rnd io.Reader, threshold, maxSigners uint) ([]PeerSigner, SharesCommitment, error) {
+	vss, err := secretsharing.NewVerifiable(k.Suite.g, threshold, maxSigners)
+	if err != nil {
+		return nil, nil, err
+	}
+	shares, sharesCom := vss.Shard(rnd, k.key)
+	peers := make([]PeerSigner, len(shares))
+	for i := range shares {
+		peers[i] = PeerSigner{
+			Suite:      k.Suite,
+			ID:         uint16(shares[i].ID),
+			threshold:  uint16(threshold),
+			maxSigners: uint16(maxSigners),
+			keyShare:   shares[i].Share,
+			myPubKey:   nil,
+		}
+	}
+
+	return peers, sharesCom, nil
+}
+
+func Verify(s Suite, pubKey *PublicKey, msg, signature []byte) bool {
+	params := s.g.Params()
+	Ne, Ns := params.CompressedElementLength, params.ScalarLength
+	if len(signature) < int(Ne+Ns) {
+		return false
+	}
+
+	REnc := signature[:Ne]
+	R := s.g.NewElement()
+	err := R.UnmarshalBinary(REnc)
+	if err != nil {
+		return false
+	}
+
+	zEnc := signature[Ne : Ne+Ns]
+	z := s.g.NewScalar()
+	err = z.UnmarshalBinary(zEnc)
+	if err != nil {
+		return false
+	}
+
+	pubKeyEnc, err := pubKey.key.MarshalBinaryCompress()
+	if err != nil {
+		return false
+	}
+
+	chInput := append(append(append([]byte{}, REnc...), pubKeyEnc...), msg...)
+	c := s.hasher.h2(chInput)
+
+	l := s.g.NewElement().MulGen(z)
+	r := s.g.NewElement().Mul(pubKey.key, c)
+	r.Add(r, R)
+
+	return l.IsEqual(r)
+}