gg recid (#86)

omershlo · web-flow · commit 433cb2236d9b · 2019-12-21T20:01:26.000+02:00
* gg recid

* remove cmp

* bump version
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "multi-party-ecdsa"
-version = "0.2.9"
+version = "0.3.0"
 edition = "2018"
 authors = [
     "Gary <gary@kzencorp.com>",
diff --git a/examples/gg18_sign_client.rs b/examples/gg18_sign_client.rs
@@ -470,6 +470,7 @@ fn main() {
     println!("party {:?} Output Signature: \n", party_num_int);
     println!("R: {:?}", sig.r.get_element());
     println!("s: {:?} \n", sig.s.get_element());
+    println!("recid: {:?} \n", sig.recid.clone());
 
     let sign_json = serde_json::to_string(&(
         "r",
diff --git a/src/protocols/multi_party_ecdsa/gg_2018/party_i.rs b/src/protocols/multi_party_ecdsa/gg_2018/party_i.rs
@@ -15,7 +15,6 @@
 
     @license GPL-3.0+ <https://github.com/KZen-networks/multi-party-ecdsa/blob/master/LICENSE>
 */
-
 use centipede::juggling::proof_system::{Helgamalsegmented, Witness};
 use centipede::juggling::segmentation::Msegmentation;
 use curv::arithmetic::traits::*;
@@ -138,9 +137,10 @@ pub struct Phase5DDecom2 {
 }
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct Signature {
+pub struct SignatureRecid {
     pub r: FE,
     pub s: FE,
+    pub recid: u8,
 }
 
 impl Keys {
@@ -667,10 +667,27 @@ impl LocalSignature {
             Err(InvalidCom)
         }
     }
-    pub fn output_signature(&self, s_vec: &[FE]) -> Result<Signature, Error> {
-        let s = s_vec.iter().fold(self.s_i, |acc, x| acc + x);
+    pub fn output_signature(&self, s_vec: &[FE]) -> Result<SignatureRecid, Error> {
+        let mut s = s_vec.iter().fold(self.s_i, |acc, x| acc + x);
+        let s_bn = s.to_big_int();
+
         let r: FE = ECScalar::from(&self.R.x_coor().unwrap().mod_floor(&FE::q()));
-        let sig = Signature { r, s };
+        let ry: BigInt = self.R.y_coor().unwrap().mod_floor(&FE::q());
+
+        /*
+         Calculate recovery id - it is not possible to compute the public key out of the signature
+         itself. Recovery id is used to enable extracting the public key uniquely.
+         1. id = R.y & 1
+         2. if (s > curve.q / 2) id = id ^ 1
+        */
+        let is_ry_odd = ry.tstbit(0);
+        let mut recid = if is_ry_odd { 1 } else { 0 };
+        let s_tag_bn = FE::q() - &s_bn;
+        if s_bn > s_tag_bn {
+            s = ECScalar::from(&s_tag_bn);
+            recid = recid ^ 1;
+        }
+        let sig = SignatureRecid { r, s, recid };
         let ver = verify(&sig, &self.y, &self.m).is_ok();
         if ver {
             Ok(sig)
@@ -680,7 +697,7 @@ impl LocalSignature {
     }
 }
 
-pub fn verify(sig: &Signature, y: &GE, message: &BigInt) -> Result<(), Error> {
+pub fn verify(sig: &SignatureRecid, y: &GE, message: &BigInt) -> Result<(), Error> {
     let b = sig.s.invert();
     let a: FE = ECScalar::from(message);
     let u1 = a * b;
diff --git a/src/protocols/two_party_ecdsa/cclst_2019/test.rs b/src/protocols/two_party_ecdsa/cclst_2019/test.rs
@@ -26,48 +26,45 @@ fn test_d_log_proof_party_two_party_one() {
 
 #[test]
 fn test_full_key_gen() {
-    for i in 0..20 {
-        let (party_one_first_message, comm_witness, ec_key_pair_party1) =
-            party_one::KeyGenFirstMsg::create_commitments_with_fixed_secret_share(ECScalar::from(
-                &BigInt::sample(253),
-            ));
-        let (party_two_first_message, _ec_key_pair_party2) =
-            party_two::KeyGenFirstMsg::create_with_fixed_secret_share(ECScalar::from(
-                &BigInt::from(10),
-            ));
-        let party_one_second_message = party_one::KeyGenSecondMsg::verify_and_decommit(
-            comm_witness,
-            &party_two_first_message.d_log_proof,
-        )
-        .expect("failed to verify and decommit");
+    let (party_one_first_message, comm_witness, ec_key_pair_party1) =
+        party_one::KeyGenFirstMsg::create_commitments_with_fixed_secret_share(ECScalar::from(
+            &BigInt::sample(253),
+        ));
+    let (party_two_first_message, _ec_key_pair_party2) =
+        party_two::KeyGenFirstMsg::create_with_fixed_secret_share(ECScalar::from(&BigInt::from(
+            10,
+        )));
+    let party_one_second_message = party_one::KeyGenSecondMsg::verify_and_decommit(
+        comm_witness,
+        &party_two_first_message.d_log_proof,
+    )
+    .expect("failed to verify and decommit");
 
-        let _party_two_second_message =
-            party_two::KeyGenSecondMsg::verify_commitments_and_dlog_proof(
-                &party_one_first_message,
-                &party_one_second_message,
-            )
-            .expect("failed to verify commitments and DLog proof");
+    let _party_two_second_message = party_two::KeyGenSecondMsg::verify_commitments_and_dlog_proof(
+        &party_one_first_message,
+        &party_one_second_message,
+    )
+    .expect("failed to verify commitments and DLog proof");
 
-        // init HSMCL keypair:
-        let seed: BigInt = str::parse(
+    // init HSMCL keypair:
+    let seed: BigInt = str::parse(
             "314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848"
         ).unwrap();
-        let hsmcl_key_pair = party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(
-            &ec_key_pair_party1,
-            seed.clone(),
-        );
-
-        let party_one_private =
-            party_one::Party1Private::set_private_key(&ec_key_pair_party1, &hsmcl_key_pair);
-
-        let cldl_proof = party_one::HSMCLKeyPair::generate_zkcldl_proof(
-            &hsmcl_key_pair,
-            &party_one_private,
-            seed.clone(),
-        );
-        let _party_two_hsmcl_pub =
-            party_two::HSMCLPublic::verify_zkcldl_proof(cldl_proof).expect("proof error");
-    }
+    let hsmcl_key_pair = party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(
+        &ec_key_pair_party1,
+        seed.clone(),
+    );
+
+    let party_one_private =
+        party_one::Party1Private::set_private_key(&ec_key_pair_party1, &hsmcl_key_pair);
+
+    let cldl_proof = party_one::HSMCLKeyPair::generate_zkcldl_proof(
+        &hsmcl_key_pair,
+        &party_one_private,
+        seed.clone(),
+    );
+    let _party_two_hsmcl_pub =
+        party_two::HSMCLPublic::verify_zkcldl_proof(cldl_proof).expect("proof error");
 }
 
 #[test]
diff --git a/src/protocols/two_party_ecdsa/lindell_2017/party_one.rs b/src/protocols/two_party_ecdsa/lindell_2017/party_one.rs
@@ -565,7 +565,7 @@ impl Signature {
         k1_inv.zeroize();
         s_tag_fe.zeroize();
         let s_tag_tag_bn = s_tag_tag.to_big_int();
-        let s = cmp::min(s_tag_tag_bn.clone(), FE::q().clone() - s_tag_tag_bn.clone());
+        let s = cmp::min(s_tag_tag_bn.clone(), FE::q() - &s_tag_tag_bn);
 
         /*
          Calculate recovery id - it is not possible to compute the public key out of the signature
