w3f · Fiono11 · May 6, 2024 · May 6, 2024 · May 6, 2024 · May 6, 2024
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,6 +22,7 @@ curve25519-dalek = { version = "4.1.0", default-features = false, features = [
     "zeroize",
     "precomputed-tables",
     "legacy_compatibility",
+    "rand_core",
 ] }
 subtle = { version = "2.4.1", default-features = false }
 merlin = { version = "3.0.0", default-features = false }
@@ -32,7 +33,10 @@ serde_bytes = { version = "0.11.5", default-features = false, optional = true }
 cfg-if = { version = "1.0.0", optional = true }
 sha2 = { version = "0.10.7", default-features = false }
 failure = { version = "0.1.8", default-features = false, optional = true }
-zeroize = { version = "1.6", default-features = false, features = ["zeroize_derive"] }
+zeroize = { version = "1.6", default-features = false, features = [
+    "zeroize_derive",
+] }
+chacha20poly1305 = { version = "0.10.1", default-features = false }
 
 [dev-dependencies]
 rand = "0.8.5"
@@ -47,17 +51,38 @@ serde_json = "1.0.68"
 name = "schnorr_benchmarks"
 harness = false
 
+[[bench]]
+name = "olaf_benchmarks"
+required-features = ["alloc", "aead"]
+harness = false
+
 [features]
 default = ["std", "getrandom"]
 preaudit_deprecated = []
 nightly = []
-alloc = ["curve25519-dalek/alloc", "rand_core/alloc", "getrandom_or_panic/alloc", "serde_bytes/alloc"]
-std = ["alloc", "getrandom", "serde_bytes/std", "rand_core/std", "getrandom_or_panic/std"]
+alloc = [
+    "curve25519-dalek/alloc",
+    "rand_core/alloc",
+    "getrandom_or_panic/alloc",
+    "serde_bytes/alloc",
+]
+std = [
+    "alloc",
+    "getrandom",
+    "serde_bytes/std",
+    "rand_core/std",
+    "getrandom_or_panic/std",
+    "chacha20poly1305/std",
+]
 asm = ["sha2/asm"]
 serde = ["serde_crate", "serde_bytes", "cfg-if"]
 # We cannot make getrandom a direct dependency because rand_core makes
 # getrandom a feature name, which requires forwarding.
-getrandom = ["rand_core/getrandom", "getrandom_or_panic/getrandom", "aead?/getrandom"]
+getrandom = [
+    "rand_core/getrandom",
+    "getrandom_or_panic/getrandom",
+    "aead?/getrandom",
+]
 # We thus cannot forward the wasm-bindgen feature of getrandom,
 # but our consumers could depend upon getrandom and activate its
 # wasm-bindgen feature themselve, which works due to cargo features

diff --git a/benches/olaf_benchmarks.rs b/benches/olaf_benchmarks.rs
@@ -0,0 +1,53 @@
+use criterion::criterion_main;
+
+mod olaf_benches {
+    use criterion::{criterion_group, BenchmarkId, Criterion};
+    use schnorrkel::keys::{PublicKey, Keypair};
+    use schnorrkel::olaf::simplpedpop::AllMessage;
+
+    fn benchmark_simplpedpop(c: &mut Criterion) {
+        let mut group = c.benchmark_group("SimplPedPoP");
+
+        for &n in [3, 10, 100, 1000].iter() {
+            let participants = n;
+            let threshold = (n * 2 + 2) / 3;
+
+            let keypairs: Vec<Keypair> = (0..participants).map(|_| Keypair::generate()).collect();
+            let public_keys: Vec<PublicKey> = keypairs.iter().map(|kp| kp.public).collect();
+
+            let mut all_messages: Vec<AllMessage> = Vec::new();
+
+            for i in 0..participants {
+                let message = keypairs[i]
+                    .simplpedpop_contribute_all(threshold as u16, public_keys.clone())
+                    .unwrap();
+                all_messages.push(message);
+            }
+
+            group.bench_function(BenchmarkId::new("round1", participants), |b| {
+                b.iter(|| {
+                    keypairs[0]
+                        .simplpedpop_contribute_all(threshold as u16, public_keys.clone())
+                        .unwrap();
+                })
+            });
+
+            group.bench_function(BenchmarkId::new("round2", participants), |b| {
+                b.iter(|| {
+                    keypairs[0].simplpedpop_recipient_all(&all_messages).unwrap();
+                })
+            });
+        }
+
+        group.finish();
+    }
+
+    criterion_group! {
+        name = olaf_benches;
+        config = Criterion::default();
+        targets =
+            benchmark_simplpedpop,
+    }
+}
+
+criterion_main!(olaf_benches::olaf_benches);
diff --git a/src/lib.rs b/src/lib.rs
@@ -248,6 +248,9 @@ pub mod derive;
 pub mod cert;
 pub mod errors;
 
+#[cfg(all(feature = "alloc", feature = "aead"))]
+pub mod olaf;
+
 #[cfg(all(feature = "aead", feature = "getrandom"))]
 pub mod aead;
 

diff --git a/src/olaf/mod.rs b/src/olaf/mod.rs
@@ -0,0 +1,73 @@
+//! Implementation of the Olaf protocol (<https://eprint.iacr.org/2023/899>), which is composed of the Distributed
+//! Key Generation (DKG) protocol SimplPedPoP and the Threshold Signing protocol FROST.
+
+/// Implementation of the SimplPedPoP protocol.
+pub mod simplpedpop;
+
+use curve25519_dalek::{constants::RISTRETTO_BASEPOINT_POINT, RistrettoPoint, Scalar};
+use merlin::Transcript;
+use zeroize::ZeroizeOnDrop;
+use crate::{context::SigningTranscript, Keypair, PublicKey, SignatureError, KEYPAIR_LENGTH};
+
+pub(super) const MINIMUM_THRESHOLD: u16 = 2;
+pub(super) const GENERATOR: RistrettoPoint = RISTRETTO_BASEPOINT_POINT;
+pub(super) const COMPRESSED_RISTRETTO_LENGTH: usize = 32;
+pub(crate) const SCALAR_LENGTH: usize = 32;
+
+/// The threshold public key generated in the SimplPedPoP protocol, used to validate the threshold signatures of the FROST protocol.
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub struct ThresholdPublicKey(pub(crate) PublicKey);
+
+/// The verifying share of a participant generated in the SimplPedPoP protocol, used to verify its signatures shares in the FROST protocol.
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub struct VerifyingShare(pub(crate) PublicKey);
+
+/// The signing keypair of a participant generated in the SimplPedPoP protocol, used to produce its signatures shares in the FROST protocol.
+#[derive(Clone, Debug, ZeroizeOnDrop)]
+pub struct SigningKeypair(pub(crate) Keypair);
+
+impl SigningKeypair {
+    /// Serializes `SigningKeypair` to bytes.
+    pub fn to_bytes(&self) -> [u8; KEYPAIR_LENGTH] {
+        self.0.to_bytes()
+    }
+
+    /// Deserializes a `SigningKeypair` from bytes.
+    pub fn from_bytes(bytes: &[u8]) -> Result<SigningKeypair, SignatureError> {
+        let keypair = Keypair::from_bytes(bytes)?;
+        Ok(SigningKeypair(keypair))
+    }
+}
+
+/// The identifier of a participant, which must be the same in the SimplPedPoP protocol and in the FROST protocol.
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub struct Identifier(pub(crate) Scalar);
+
+impl Identifier {
+    pub(super) fn generate(recipients_hash: &[u8; 16], index: u16) -> Identifier {
+        let mut pos = Transcript::new(b"Identifier");
+        pos.append_message(b"RecipientsHash", recipients_hash);
+        pos.append_message(b"i", &index.to_le_bytes()[..]);
+
+        Identifier(pos.challenge_scalar(b"evaluation position"))
+    }
+}
+
+#[cfg(test)]
+pub(crate) mod test_utils {
+    use rand::{thread_rng, Rng};
+    use crate::olaf::simplpedpop::Parameters;
+
+    const MAXIMUM_PARTICIPANTS: u16 = 10;
+    const MINIMUM_PARTICIPANTS: u16 = 2;
+
+    pub(crate) fn generate_parameters() -> Parameters {
+        use super::MINIMUM_THRESHOLD;
+
+        let mut rng = thread_rng();
+        let participants = rng.gen_range(MINIMUM_PARTICIPANTS..=MAXIMUM_PARTICIPANTS);
+        let threshold = rng.gen_range(MINIMUM_THRESHOLD..=participants);
+
+        Parameters { participants, threshold }
+    }
+}