Overview ¶
Package frost implements FROST (Flexible Round-Optimized Schnorr Threshold) signatures using Ristretto255 and Newplex. FROST lets any threshold of signers collaboratively produce a standard Schnorr signature; the group's private key is never reconstructed, and no signer learns it. Signing takes two rounds: each participant commits to a nonce pair (Signer.Commit) and broadcasts the resulting Commitment, then, given every participant's commitment, produces a signature share (Signer.Sign); the shares are combined with Aggregate.
The resulting signatures are standard Schnorr signatures compatible with sig.Verify.
Index ¶
- Constants
- Variables
- func Aggregate(domain string, groupKey *ristretto255.Element, message []byte, ...) ([]byte, error)
- func Verify(domain string, groupKey *ristretto255.Element, message, signature []byte) bool
- func VerifyShare(domain string, verifyingShare, groupKey *ristretto255.Element, ...) bool
- type Commitment
- type Nonce
- type Signer
- func KeyGen(domain string, maxSigners, threshold int, rand []byte) (*ristretto255.Element, []Signer, []*ristretto255.Element, error)
- func (s *Signer) Commit(rand []byte) (Nonce, Commitment)
- func (s *Signer) GroupKey() *ristretto255.Element
- func (s *Signer) Identifier() uint16
- func (s *Signer) Sign(domain string, nonce Nonce, message []byte, commitments []Commitment) ([]byte, error)
- func (s *Signer) VerifyingShare() *ristretto255.Element
Constants ¶
ShareSize is the size of a signature share in bytes.
const SignatureSize = sig.Size
SignatureSize is the size of a FROST signature in bytes (same as a standard Schnorr signature).
Variables ¶
var (
	// ErrInvalidParameters is returned for invalid keygen or signing parameters.
	ErrInvalidParameters = errors.New("frost: invalid parameters")
	// ErrInvalidCommitment is returned when a commitment cannot be decoded.
	ErrInvalidCommitment = errors.New("frost: invalid commitment")
	// ErrInvalidShare is returned for a malformed signature share.
	ErrInvalidShare = errors.New("frost: invalid share")
	// ErrMissingSigner is returned when the signer's identifier is not found in the commitment list.
	ErrMissingSigner = errors.New("frost: signer not in commitment list")
	// ErrDuplicateIdentifier is returned when duplicate signer identifiers are detected in the commitment list.
	ErrDuplicateIdentifier = errors.New("frost: duplicate identifier in commitments")
)
Functions ¶
func Aggregate ¶
func Aggregate(domain string, groupKey *ristretto255.Element, message []byte, commitments []Commitment, sigShares [][]byte) ([]byte, error)
Aggregate combines the signature shares from a threshold of signers into a final FROST signature. The commitments must be exactly the set used during signing, and sigShares[i] must correspond to commitments[i] after both are sorted by identifier. The resulting signature is a standard Schnorr signature verifiable with Verify. To attribute a failing signature to a particular participant, check each share with VerifyShare before aggregating.
func Verify ¶
func Verify(domain string, groupKey *ristretto255.Element, message, signature []byte) bool
Verify checks a FROST signature against the group public key and message. FROST signatures are standard Schnorr signatures, so Verify also accepts signatures produced by sig.Sign, and signatures produced by Aggregate are accepted by sig.Verify.
func VerifyShare ¶
func VerifyShare(domain string, verifyingShare, groupKey *ristretto255.Element, identifier uint16, message []byte, commitments []Commitment, sigShare []byte) bool
VerifyShare checks an individual signature share against the signer's verifying share, using the same domain, message and commitment list that were used for signing. Use it to identify which participant produced an invalid share before aggregation, so that a misbehaving signer can be excluded rather than left to spoil the aggregate signature.
Types ¶
type Commitment ¶
type Commitment struct {
Identifier uint16
Hiding []byte // 32-byte canonical element encoding.
Binding []byte // 32-byte canonical element encoding.
}
A Commitment is the public counterpart of a Nonce, broadcast to all participants before signing. Every participant and the aggregator must work from the same commitment list, since the round's group commitment and binding factors are derived from it.
type Nonce ¶
type Nonce struct {
// contains filtered or unexported fields
}
A Nonce holds the ephemeral secret nonces for a single signing round. Each Nonce must be used for exactly one call to Signer.Sign and then discarded; using it for a second signature, even on the same message with a different commitment list, exposes the signer's secret share.
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
A Signer holds the secret key material for a single FROST participant.
func KeyGen ¶
func KeyGen(domain string, maxSigners, threshold int, rand []byte) (*ristretto255.Element, []Signer, []*ristretto255.Element, error)
KeyGen performs trusted-dealer key generation for a threshold-of-maxSigners FROST scheme. It returns the group public key, the signers (each containing their secret share and verifying share), and the verifying shares (public keys corresponding to each signer's share). Because the dealer samples the sharing polynomial, the process calling KeyGen holds the complete group secret while it runs: run it in a trusted environment, hand each Signer to its participant over a confidential channel, and discard the dealer's state afterwards.
Identifiers are 1-based: signers[i] has identifier i+1. The threshold must be at least 2 and at most maxSigners, and rand must contain at least 64 bytes of uniform randomness; otherwise ErrInvalidParameters is returned.
func (*Signer) Commit ¶
func (s *Signer) Commit(rand []byte) (Nonce, Commitment)
Commit generates a nonce pair and its public commitment for a signing round. rand must contain at least 64 bytes of fresh random data on every call. The nonces are derived deterministically from the signer's secret share together with rand (hedged nonce generation): mixing in the share keeps the nonces unpredictable even if rand is weak, while fresh rand is what makes the nonce differ from round to round. Because the derivation is deterministic in those two inputs, passing the same rand twice reproduces the same nonce, which is exactly the reuse that Nonce warns against.
func (*Signer) GroupKey ¶
func (s *Signer) GroupKey() *ristretto255.Element
GroupKey returns the group's public verifying key.
func (*Signer) Identifier ¶
func (s *Signer) Identifier() uint16
Identifier returns the signer's 1-based identifier.
func (*Signer) Sign ¶
func (s *Signer) Sign(domain string, nonce Nonce, message []byte, commitments []Commitment) ([]byte, error)
Sign produces a signature share for the given message. The commitments slice must contain the commitments of all participants in this signing round, including this signer's own commitment; ErrMissingSigner is returned if the signer's identifier is absent from the list and ErrDuplicateIdentifier if an identifier appears more than once. The nonce must be the one returned by Signer.Commit for this round and must not be reused. Every participant must pass the same domain, message and commitment set, since shares computed over different inputs cannot be combined by Aggregate.
func (*Signer) VerifyingShare ¶
func (s *Signer) VerifyingShare() *ristretto255.Element
VerifyingShare returns the signer's verifying share (public key corresponding to their signing share).