Documentation ¶
Overview ¶
Package cosi is the Collective Signing implementation according to the paper of Bryan Ford: http://arxiv.org/pdf/1503.08768v1.pdf .
Stages of CoSi ¶
The CoSi-protocol has 4 stages:
1. Announcement: The leader multicasts an announcement of the start of this round down through the spanning tree, optionally including the statement S to be signed.
2. Commitment: Each node i picks a random scalar vi and computes its individual commit Vi = Gvi . In a bottom-up process, each node i waits for an aggregate commit Vˆj from each immediate child j, if any. Node i then computes its own aggregate commit Vˆi = Vi \prod{j ∈ Cj}{Vˆj}, where Ci is the set of i’s immediate children. Finally, i passes Vi up to its parent, unless i is the leader (node 0).
3. Challenge: The leader computes a collective challenge c = H( Aggregate Commit ∥ Aggregate Public key || Message ), then multicasts c down through the tree, along with the statement S to be signed if it was not already announced in phase 1.
4. Response: In a final bottom-up phase, each node i waits to receive a partial aggregate response rˆj from each of its immediate children j ∈ Ci. Node i now computes its individual response ri = vi + cxi, and its partial aggregate response rˆi = ri + \sum{j ∈ Cj}{rˆj} . Node i finally passes rˆi up to its parent, unless i is the root.
Index ¶
- func VerifySignature(suite abstract.Suite, publics []abstract.Point, message, sig []byte) error
- type CoSi
- func (cm CoSi) Aggregate() abstract.Point
- func (c *CoSi) AggregateResponse() abstract.Scalar
- func (c *CoSi) Challenge(challenge abstract.Scalar)
- func (c *CoSi) Commit(s cipher.Stream, subComms []abstract.Point) abstract.Point
- func (c *CoSi) CreateChallenge(msg []byte) (abstract.Scalar, error)
- func (c *CoSi) CreateCommitment(s cipher.Stream) abstract.Point
- func (c *CoSi) CreateResponse() (abstract.Scalar, error)
- func (c *CoSi) GetChallenge() abstract.Scalar
- func (c *CoSi) GetCommitment() abstract.Point
- func (c *CoSi) GetResponse() abstract.Scalar
- func (cm CoSi) MaskBit(signer int) bool
- func (cm CoSi) MaskLen() int
- func (c *CoSi) Response(responses []abstract.Scalar) (abstract.Scalar, error)
- func (cm CoSi) SetMask(mask []byte) error
- func (cm CoSi) SetMaskBit(signer int, enabled bool)
- func (c *CoSi) Signature() []byte
- func (c *CoSi) VerifyResponses(aggregatedPublic abstract.Point) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func VerifySignature ¶
VerifySignature is the method to call to verify a signature issued by a Cosi struct. Publics is the WHOLE list of publics keys, the mask at the end of the signature will take care of removing the indivual public keys that did not participate
Types ¶
type CoSi ¶
type CoSi struct {
// contains filtered or unexported fields
}
CoSi is the struct that implements one round of a CoSi protocol. It's important to only use this struct *once per round*, and if you try to use it twice, it will try to alert you if it can. You create a CoSi struct by giving your secret key you wish to pariticipate with during the CoSi protocol, and the list of public keys representing the list of all co-signer's public keys involved in the round. To use CoSi, call three different functions on it which corresponds to the last three phases of the protocols:
- (Create)Commitment: creates a new secret and its commitment. The output has to be passed up to the parent in the tree.
- CreateChallenge: the root creates the challenge from receiving all the commitments. This output must be sent down the tree using Challenge() function.
- (Create)Response: creates and possibly aggregates all responses and the output must be sent up into the tree.
The root can then issue `Signature()` to get the final signature that can be verified using `VerifySignature()`. To handle missing signers, the signature generation will append a bitmask at the end of the signature with each bit index set corresponding to a missing cosigner. If you need to specify a missing signer, you can call SetMaskBit(i int, enabled bool) which will set the signer i disabled in the mask. The index comes from the list of public keys you give when creating the CoSi struct. You can also give the full mask directly with SetMask().
func NewCosi ¶
NewCosi returns a new Cosi struct given the suite, the longterm secret, and the list of public keys. If some signers were not to be participating, you have to set the mask using `SetMask` method. By default, all participants are designated as participating. If you wish to specify which co-signers are participating, use NewCosiWithMask
func (*CoSi) AggregateResponse ¶
AggregateResponse returns the aggregated response that this cosi has accumulated.
func (*CoSi) Commit ¶
Commit creates the commitment / secret as in CreateCommitment and it also aggregate children commitments from the children's messages.
func (*CoSi) CreateChallenge ¶
CreateChallenge creates the challenge out of the message it has been given. This is typically called by Root.
func (*CoSi) CreateCommitment ¶
CreateCommitment creates the commitment of a random secret generated from the given s stream. It returns the message to pass up in the tree. This is typically called by the leaves.
func (*CoSi) CreateResponse ¶
CreateResponse is called by a leaf to create its own response from the challenge + commitment + private key. It returns the response to send up to the tree.
func (*CoSi) GetChallenge ¶
GetChallenge returns the challenge that were passed down to this cosi.
func (*CoSi) GetCommitment ¶
GetCommitment returns the commitment generated by this CoSi (not aggregated).
func (*CoSi) GetResponse ¶
GetResponse returns the individual response generated by this CoSi
func (CoSi) MaskBit ¶
MaskBit returns a boolean value indicating whether the indicated signer is enabled (true) or disabled (false)
func (CoSi) MaskLen ¶
func (cm CoSi) MaskLen() int
MaskLen returns the length in bytes of a complete disable-mask for this cosigner list.
func (*CoSi) Response ¶
Response generates the response from the commitment, challenge and the responses of its children.
func (CoSi) SetMask ¶
Set the entire participation bitmask according to the provided packed byte-slice interpreted in little-endian byte-order. That is, bits 0-7 of the first byte correspond to cosigners 0-7, bits 0-7 of the next byte correspond to cosigners 8-15, etc. Each bit is set to indicate the corresponding cosigner is disabled, or cleared to indicate the cosigner is enabled.
If the mask provided is too short (or nil), SetMask conservatively interprets the bits of the missing bytes to be 0, or Enabled.
func (CoSi) SetMaskBit ¶
SetMaskBit enables or disables the mask bit for an individual cosigner.
func (*CoSi) Signature ¶
Signature returns a signature using the same format as EdDSA signature AggregateCommit || AggregateResponse || Mask *NOTE*: Signature() is only intended to be called by the root since only the root knows the aggregate response.
func (*CoSi) VerifyResponses ¶
VerifyResponses verifies the response this CoSi has against the aggregated public key the tree is using. This is callable by any nodes in the tree, after it has aggregated its responses. You can enforce verification at each level of the tree for faster reactivity.