Support Ethereum Recoverable Signatures

gatoWololo commented 9 months ago

We will need to support Ethereum recoverable signatures. Notes:

How do we expose this functionality? As an extra parameter to our function? This probably won't work as the Output associated type of the ProtocolParticipant trait is still set to tss_ecdsa::sign::Signature. It would be easier to just modify the existing SignParticipant::compute_output method to return the recoverable signature, at the cost of no longer having the "regular" signature...

We should be able to compute this signature as follows:

Actually it seems like we can generate the recovery ID if we know the public key and message. If the coordinator doesn't have the public key by default, we could send it back from the nodes or have the nodes compute the RID themselves and send the (signature, RID) pair.

I personally don't know how "trial recovery" works.

gatoWololo commented 9 months ago

Update on this ticket: We believe using the trial_recovery_from_msg function is the right approach.

We have a few choices about how to expose this signature to the end user: For example, we could change the Output type of the ProtocolParticipant implementation on SignParticipant:

impl ProtocolParticipant for SignParticipant {
    type Input = Input;
    type Output = Signature;

To return a RecoverableSignature. I think this would be the wrong approach.

Instead, we should extend the API of our Signature type to support a recovery_id function:

fn recovery_id(&self, message: &[u8], public_key: &VerifyingKey) -> RecoveryId

Using k256 RecoveryId. This would allow a user to "opt-in" to a recoverable signature.

gatoWololo commented 6 months ago

Closed by #512

boltlabs-inc / tss-ecdsa

Support Ethereum Recoverable Signatures #508