feat: add VRF-based certification for certpedpop

LLFourn · claude · nickfarrow · commit ca623e52031a · 2025-08-12T22:43:46.000+10:00
This adds the ability to use VRFs (Verifiable Random Functions) as the certification scheme in certpedpop, enabling the generation of a randomness beacon from the DKG process. Key features: - Add vrf_cert_keygen feature flag with vrf_fun and sha2 dependencies - Implement CertificationScheme for RFC 9381 SSWU and TAI VRFs - Add compute_randomness_beacon function to derive randomness from VRF outputs - Provide helper functions to create VRF certifiers The randomness beacon is computed by hashing all VRF gamma points together, ensuring no single party can predict the output as long as at least one party is honest. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/schnorr_fun/Cargo.toml b/schnorr_fun/Cargo.toml
@@ -17,6 +17,8 @@ keywords = ["bitcoin", "schnorr"]
 secp256kfun = { path = "../secp256kfun", version = "0.11",  default-features = false }
 bech32 = { version = "0.11", optional = true, default-features = false, features = ["alloc"] }
 bincode = { workspace =  true, optional = true }
+vrf_fun = { path = "../vrf_fun", version = "0.11", optional = true, default-features = false }
+sha2 = { version = "0.10", optional = true }
 
 [dev-dependencies]
 secp256kfun = { path = "../secp256kfun", version = "0.11",  features = ["proptest", "bincode", "alloc"] }
@@ -49,6 +51,7 @@ libsecp_compat_0_29 = ["secp256kfun/libsecp_compat_0_29"]
 libsecp_compat_0_30 = ["secp256kfun/libsecp_compat_0_30"]
 proptest = ["secp256kfun/proptest"]
 share_backup = ["dep:bech32"]
+vrf_cert_keygen = ["dep:vrf_fun", "dep:sha2", "alloc", "secp256kfun/std", "vrf_fun/std"]
 
 [package.metadata.docs.rs]
 all-features = true
diff --git a/schnorr_fun/src/frost/chilldkg.rs b/schnorr_fun/src/frost/chilldkg.rs
@@ -53,7 +53,7 @@ use secp256kfun::{
 /// certifying the aggregated keygen input in certpedpop.
 pub trait CertificationScheme {
     /// The signature type produced by this scheme
-    type Signature: Clone + core::fmt::Debug + PartialEq;
+    type Signature: Clone + core::fmt::Debug;
 
     /// Sign the AggKeygenInput with the given keypair
     fn certify(&self, keypair: &KeyPair, agg_input: &encpedpop::AggKeygenInput) -> Self::Signature;
@@ -91,6 +91,115 @@ impl<H: Hash32, NG: NonceGen> CertificationScheme for Schnorr<H, NG> {
     }
 }
 
+/// VRF-based implementation of CertificationScheme
+#[cfg(feature = "vrf_cert_keygen")]
+pub mod vrf_cert {
+    use super::*;
+    use vrf_fun::VrfProof;
+
+    /// A wrapper type for using VRF as a certification scheme
+    pub struct VrfCertifier<V> {
+        /// The underlying VRF instance
+        pub vrf: V,
+    }
+
+    /// Create a VRF certification scheme with the RFC 9381 SSWU suite using SHA256
+    pub fn sswu_vrf_sha256() -> VrfCertifier<vrf_fun::Rfc9381SswuVrf<sha2::Sha256>> {
+        VrfCertifier {
+            vrf: vrf_fun::Rfc9381SswuVrf::default(),
+        }
+    }
+
+    /// Create a VRF certification scheme with the RFC 9381 TAI suite using SHA256
+    pub fn tai_vrf_sha256() -> VrfCertifier<vrf_fun::Rfc9381TaiVrf<sha2::Sha256>> {
+        VrfCertifier {
+            vrf: vrf_fun::Rfc9381TaiVrf::default(),
+        }
+    }
+
+    /// Implement CertificationScheme for VrfCertifier wrapping the SSWU VRF
+    impl CertificationScheme for VrfCertifier<vrf_fun::Rfc9381SswuVrf<sha2::Sha256>> {
+        type Signature = VrfProof;
+
+        fn certify(
+            &self,
+            keypair: &KeyPair,
+            agg_input: &encpedpop::AggKeygenInput,
+        ) -> Self::Signature {
+            // Use the certification bytes as the VRF input
+            let cert_bytes = agg_input.cert_bytes();
+            vrf_fun::rfc9381::sswu::prove::<sha2::Sha256>(keypair, &cert_bytes)
+        }
+
+        fn verify_cert(
+            &self,
+            cert_key: Point,
+            agg_input: &encpedpop::AggKeygenInput,
+            signature: &Self::Signature,
+        ) -> bool {
+            // Use the certification bytes as the VRF input
+            let cert_bytes = agg_input.cert_bytes();
+            vrf_fun::rfc9381::sswu::verify::<sha2::Sha256>(cert_key, &cert_bytes, signature)
+                .is_some()
+        }
+    }
+
+    /// Implement CertificationScheme for VrfCertifier wrapping the TAI VRF
+    impl CertificationScheme for VrfCertifier<vrf_fun::Rfc9381TaiVrf<sha2::Sha256>> {
+        type Signature = VrfProof;
+
+        fn certify(
+            &self,
+            keypair: &KeyPair,
+            agg_input: &encpedpop::AggKeygenInput,
+        ) -> Self::Signature {
+            // Use the certification bytes as the VRF input
+            let cert_bytes = agg_input.cert_bytes();
+            vrf_fun::rfc9381::tai::prove::<sha2::Sha256>(keypair, &cert_bytes)
+        }
+
+        fn verify_cert(
+            &self,
+            cert_key: Point,
+            agg_input: &encpedpop::AggKeygenInput,
+            signature: &Self::Signature,
+        ) -> bool {
+            // Use the certification bytes as the VRF input
+            let cert_bytes = agg_input.cert_bytes();
+            vrf_fun::rfc9381::tai::verify::<sha2::Sha256>(cert_key, &cert_bytes, signature)
+                .is_some()
+        }
+    }
+
+    /// Compute a randomness beacon from a set of VRF outputs
+    ///
+    /// This function takes all the VRF outputs (gamma points) from the certificate
+    /// and hashes them together to produce unpredictable randomness that no single
+    /// party could have controlled (as long as at least one party is honest).
+    pub fn compute_randomness_beacon<S>(certificate: &certpedpop::Certificate<S>) -> [u8; 32]
+    where
+        S: CertificationScheme,
+        S::Signature: AsRef<VrfProof>,
+    {
+        use sha2::{Digest, Sha256};
+
+        let mut hasher = Sha256::new();
+
+        // Sort by public key to ensure deterministic ordering
+        let mut sorted_entries: Vec<_> = certificate.iter().collect();
+        sorted_entries.sort_by_key(|(pk, _)| pk.to_bytes());
+
+        // Hash all the VRF gamma points
+        for (_, vrf_proof) in sorted_entries {
+            let gamma = vrf_proof.as_ref().gamma;
+            hasher.update(gamma.to_bytes());
+        }
+
+        // Get the hash output
+        hasher.finalize().into()
+    }
+}
+
 /// SimplePedPop is a bare bones secure distributed key generation algorithm that leaves a lot left
 /// up to the application.
 ///
@@ -1103,7 +1212,7 @@ pub mod certpedpop {
     }
 
     /// A key generation session that has been certified by each certifying party (contributors and share receivers).
-    #[derive(Clone, Debug, PartialEq)]
+    #[derive(Clone, Debug)]
     pub struct CertifiedKeygen<S: CertificationScheme> {
         input: AggKeygenInput,
         certificate: Certificate<S>,
