Implement the messages spec

Cargo.toml

@@ -33,10 +33,12 @@ funty = "=1.1.0"
 [dev-dependencies]
 bincode = "1"
 criterion = "0.3"
+proptest-derive = "0.3"
 lazy_static = "1.4"
 proptest = "1.0"
 rand = "0.8"
 rand_chacha = "0.3"
+serde_json = "1.0"
 
 [features]
 nightly = []

src/frost.rs

@@ -33,8 +33,8 @@ use crate::private::Sealed;
 use crate::{HStar, Signature, SpendAuth, VerificationKey};
 
 /// A secret scalar value representing a single signer's secret key.
-#[derive(Clone, Copy, Default)]
-pub struct Secret(Scalar);
+#[derive(Clone, Copy, Default, PartialEq)]
+pub struct Secret(pub(crate) Scalar);
 
 // Zeroizes `Secret` to be the `Default` value on drop (when it goes out of
 // scope).  Luckily the derived `Default` includes the `Default` impl of
@@ -63,17 +63,19 @@ impl From<jubjub::ExtendedPoint> for Public {
 #[derive(Clone)]
 pub struct Share {
     receiver_index: u64,
-    value: Secret,
-    commitment: ShareCommitment,
+    /// Secret Key.
+    pub(crate) value: Secret,
+    /// The commitments to be distributed among signers.
+    pub(crate) commitment: ShareCommitment,
 }
 
 /// A Jubjub point that is a commitment to one coefficient of our secret
 /// polynomial.
 ///
 /// This is a (public) commitment to one coefficient of a secret polynomial used
 /// for performing verifiable secret sharing for a Shamir secret share.
-#[derive(Clone)]
-struct Commitment(jubjub::AffinePoint);
+#[derive(Clone, PartialEq)]
+pub(crate) struct Commitment(pub(crate) jubjub::AffinePoint);
 
 /// Contains the commitments to the coefficients for our secret polynomial _f_,
 /// used to generate participants' key shares.
@@ -88,11 +90,12 @@ struct Commitment(jubjub::AffinePoint);
 /// some agreed-upon public location for publication, where each participant can
 /// ensure that they received the correct (and same) value.
 #[derive(Clone)]
-pub struct ShareCommitment(Vec<Commitment>);
+pub struct ShareCommitment(pub(crate) Vec<Commitment>);
 
 /// The product of all signers' individual commitments, published as part of the
 /// final signature.
-pub struct GroupCommitment(jubjub::AffinePoint);
+#[derive(PartialEq)]
+pub struct GroupCommitment(pub(crate) jubjub::AffinePoint);
 
 /// Secret and public key material generated by a dealer performing
 /// [`keygen_with_dealer`].
@@ -363,9 +366,12 @@ impl SigningNonces {
 /// SigningCommitment can be used for exactly *one* signature.
 #[derive(Copy, Clone)]
 pub struct SigningCommitments {
-    index: u64,
-    hiding: jubjub::ExtendedPoint,
-    binding: jubjub::ExtendedPoint,
+    /// The participant index
+    pub(crate) index: u64,
+    /// The hiding point.
+    pub(crate) hiding: jubjub::ExtendedPoint,
+    /// The binding point.
+    pub(crate) binding: jubjub::ExtendedPoint,
 }
 
 impl From<(u64, &SigningNonces)> for SigningCommitments {
@@ -388,12 +394,12 @@ pub struct SigningPackage {
     /// Message which each participant will sign.
     ///
     /// Each signer should perform protocol-specific verification on the message.
-    pub message: &'static [u8],
+    pub message: Vec<u8>,
 }
 
 /// A representation of a single signature used in FROST structures and messages.
-#[derive(Clone, Copy, Default)]
-pub struct SignatureResponse(Scalar);
+#[derive(Clone, Copy, Default, PartialEq)]
+pub struct SignatureResponse(pub(crate) Scalar);
 
 /// A participant's signature share, which the coordinator will use to aggregate
 /// with all other signer's shares into the joint signature.
@@ -438,7 +444,7 @@ impl SignatureShare {
 /// nonce/commitment pair at a time.  Nonces should be stored in secret storage
 /// for later use, whereas the commitments are published.
 
-/// The number of nonces is limited to 255. This limit can be increased if it 
+/// The number of nonces is limited to 255. This limit can be increased if it
 /// turns out to be too conservative.
 // TODO: Make sure the above is a correct statement, fix if needed in:
 // https://github.com/ZcashFoundation/redjubjub/issues/111
@@ -471,7 +477,9 @@ fn gen_rho_i(index: u64, signing_package: &SigningPackage) -> Scalar {
     // binding factor, we should hash our input message first. Our 'standard'
     // hash is HStar, which uses a domain separator already, and is the same one
     // that generates the binding factor.
-    let message_hash = HStar::default().update(signing_package.message).finalize();
+    let message_hash = HStar::default()
+        .update(signing_package.message.as_slice())
+        .finalize();
 
     let mut hasher = HStar::default();
     hasher
@@ -526,7 +534,7 @@ fn gen_challenge(
     HStar::default()
         .update(group_commitment_bytes)
         .update(group_public.bytes.bytes)
-        .update(signing_package.message)
+        .update(signing_package.message.as_slice())
         .finalize()
 }
 

src/lib.rs

@@ -20,8 +20,9 @@ mod constants;
 mod error;
 pub mod frost;
 mod hash;
+mod messages;
 mod scalar_mul;
-mod signature;
+pub(crate) mod signature;
 mod signing_key;
 mod verification_key;