marsella
commented
1 year ago Observation while working on this issue: Testing the last condition is kind of awkward because our secret keys are BigNumbers but they're being compared to k256::Scalars. I wonder if we should be using that k256::Scalar type more throughout the library, specifically for every time we generate something in 𝔽_q.
Right now if we want to test signing we need to run all of presiging first to get a
PresignRecord(or, more interestingly, a set of consistentPresignRecords). It would be nice to have a test-only function to quickly simulate the presign protocol without actually running it. There are similar methods for keygen and auxinfo outputs.To do this, we need to figure out what properties the presign record must satisfy. A record is a tuple
(R, k_i, chi_i)such that:Ris a curve point. It is a jointly-randomly-selected pointg^(k^-1)wherekis a random integer.k_iis a scalar. It's a share of the random integerkchi_iis a scalar. It's a share ofx * kwherexis the ecdsa secret key (distributed among all the parties)A set of valid presign records should have the following properties, but I'm not completely confident that these are necessary or sufficient. We'll need to generate a key pair to start with (doesn't have to be distributed); denote the public key
Xand private keyx.All parties have the same
R.R = g^((sum k_i)^-1)sum(chi_i) = x * (sum k_i) mod q. I'm not quite sure what multiplicative notation this is --kandxare both just numbers modq(sampled fromF_q) so it might be straight up multiplication[x] There's no test for presign in general; to confirm that the above properties are correctly stated, it would be wise to write a test that runs presign correctly and checks the properties once it finishes
[x] Figure out if there are additional properties to uphold
[x] Write a test-only function to simulate a set of consistent
Presignrecords (plus the verifying key) for a given # of participants. This can be modeled after thesimulatemethods onkeygen::Outputandauxinfo::Output.