crypto

package module
v0.24.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 4, 2023 License: Apache-2.0 Imports: 15 Imported by: 73

README

Flow Cryptography

This Go package provides the cryptography tools needed by the Flow blockchain. Most of the primitives and protocols can be used in other projects and are not specific to Flow.

Flow is an ongoing project, which means that new features will still be added and modifications will still be made to improve security and performance of the cryptography package.

Notes:

  • The package has been audited for security in January 2021 on this version. The package had a few improvements since.
  • The package does not provide security against side channel or fault attacks.

Package import

Cloning Flow repository and following the installation steps builds the necessary tools to use Flow cryptography.

If you wish to only import the Flow cryptography package into your Go project, please follow the following steps:

  • Get Flow cryptography package
go get github.com/onflow/crypto

or simply import the package to your Go project

import "github.com/onflow/crypto"

This is enough to run the package code for many functionalities. However, this isn't enough if BLS signature related functionalities are used. The BLS features rely on an extrnal C library (Relic) for lower level mathematical operations. Building your project at this stage including BLS functionalities would result in build errors related to missing "relic" files. For instance:

fatal error: 'relic.h' file not found
#include "relic.h"
         ^~~~~~~~~

An extra step is required to compile the external dependency (Relic) locally.

  • Install CMake, which is used for building the package. The build also requires Git and bash scripting.
  • From the Go package directory in $GOPATH/pkg/mod/github.com/onflow/crypto@<version-tag>/, build the package dependencies. version-tag is the imported package version. For instance:
cd $GOPATH/pkg/mod/github.com/onflow/crypto@v0.25.0/
go generate

Below is a bash script example to automate the above steps. The script can be copied into your Go project root directory. It extracts the imported pacakage version from your project's go.mod file and performs the remaining steps.

#!/bin/bash

# crypto package 
PKG_NAME="github.com/onflow/crypto"

# go get the package
go get ${PKG_NAME}

# go.mod
MOD_FILE="./go.mod"

# the version of onflow/crypto used in the project is read from the go.mod file
if [ -f "${MOD_FILE}" ]
then
    # extract the version from the go.mod file
    VERSION="$(grep ${PKG_NAME} < ${MOD_FILE} | cut -d' ' -f 2)"
    # using the right version, get the package directory path
    PKG_DIR="$(go env GOPATH)/pkg/mod/${PKG_NAME}@${VERSION}"
else 
   { echo "couldn't find go.mod file - make sure the script is in the project root directory"; exit 1; }
fi

# grant permissions if not existant
if [[ ! -r ${PKG_DIR}  || ! -w ${PKG_DIR} || ! -x ${PKG_DIR} ]]; then
   sudo chmod -R 755 "${PKG_DIR}"
fi

# get into the package directory and set up the external dependencies
(
    cd "${PKG_DIR}" || { echo "cd into the GOPATH package folder failed"; exit 1; }
    go generate
)

Finally, when building your project and including any BLS functionality, adding a Go build tag to include the BLS files in the build is required. The tag is not required when the package is used without BLS functions. It was introduced to avoid build errors when BLS (and therefore Relic) is not needed.

go build -tags=relic

Algorithms

Hashing and Message Authentication Code:

crypto/hash provides the hashing and MAC algorithms required for Flow. All algorithm implement the generic interface Hasher. All digests are of the generic type Hash.

  • SHA-3: 256 and 384 output sizes
  • Legacy Kaccak: 256 output size
  • SHA-2: 256 and 384 output sizes
  • KMAC: 128 variant
Signature schemes

All signature schemes use the generic interfaces of PrivateKey and PublicKey. All signatures are of the generic type Signature.

  • ECDSA

    • public keys are compressed or uncompressed.
    • ephemeral key is derived from the private key, hash and an external entropy using a CSPRNG (based on https://golang.org/pkg/crypto/ecdsa/).
    • supports NIST P-256 (secp256r1) and secp256k1 curves.

  • BLS

    • supports BLS 12-381 curve.
    • is implementing the minimal-signature-size variant: signatures in G1 and public keys in G2.
    • default set-up uses compressed G1/G2 points, but uncompressed format is also supported.
    • hashing to curve uses the Simplified SWU map-to-curve.
    • expanding the message in hash-to-curve uses a cSHAKE-based KMAC128 with a domain separation tag. KMAC128 serves as an expand_message_xof function.
    • this results in the full ciphersuite BLS_SIG_BLS12381G1_XOF:KMAC128_SSWU_RO_POP_ for signatures and BLS_POP_BLS12381G1_XOF:KMAC128_SSWU_RO_POP_ for proofs of possession.
    • signature verification includes the signature membership check in G1.
    • public key membership check in G2 is provided outside of the signature verification.
    • membership check in G1 is using Bowe's fast check, while membership check in G2 is using a simple scalar multiplication by the group order (both will be updated to use Scott's method)
    • non-interactive aggregation of signatures, public keys and private keys.
    • multi-signature verification of an aggregated signature of a single message under multiple public keys.
    • multi-signature verification of an aggregated signature of multiple messages under multiple public keys.
    • batch verification of multiple signatures of a single message under multiple public keys: use a binary tree of aggregations to find the invalid signatures.
    • SPoCK scheme based on BLS: verifies two signatures have been generated from the same message that is unknown to the verifier.

  • Future features:

    • membership checks in G1/G2 using Scotts's method.
    • support minimal-pubkey-size variant
PRNG
  • ChaCha20-based CSPRNG

Protocols

Threshold Signature

  • BLS-based threshold signature

    • non interactive threshold signature reconstruction.
    • supports only BLS 12-381 curve with the same features above.
    • (t+1) signatures are required to reconstruct the threshold signature.
    • key generation (single dealer) to provide the set of keys.
    • provides a stateless api and a stateful api.

  • Future features:

    • support a partial signature reconstruction in the stateful api to avoid a long final reconstruction.
Discrete-Log based distributed key generation

All supported Distributed Key Generation protocols are discrete log based and are implemented for the same BLS setup on the BLS 12-381 curve. The protocols generate key sets for the BLS-based threshold signature.

  • Feldman VSS
    • simple verifiable secret sharing with a single dealer.
    • the library does not implement the communication channels between participants. The caller should implement the methods PrivateSend (1-to-1 messaging) and Broadcast (1-to-n messaging)
    • 1-to-1 messaging must be a private channel, the caller must make sure the channel preserves confidentialiy and authenticates the sender.
    • 1-to-n broadcasting assume all destination participants receive the same copy of the message. The channel should also authenticate the broadcaster.
    • It is recommended that both communication channels are unique per protocol instance. This could be achieved by prepending the messages to send/broadcast by a unique protocol instance ID.
  • Feldman VSS Qual.
    • an extension of the simple Feldman VSS.
    • implements a complaint mechanism to qualify/disqualify the dealer.
  • Joint Feldman (Pedersen)
    • distributed generation.
    • based on multiple parallel instances of Feldman VSS Qual with multiple dealers.
    • same assumptions about the communication channels as in Feldman VSS.

Documentation

Overview

Package crypto ...

Index

Constants

View Source 
const (

	// keygen seed length conditions
	// enforce seed to be at least double the security bits and have enough entropy.
	// it is still recommened that seed is generated using a secure RNG.
	KeyGenSeedMinLen = 2 * (securityBits / 8)
	KeyGenSeedMaxLen = 256
)
View Source 
const (

	// MinimumThreshold is the minimum value of the threshold parameter in all threshold-based protocols.
	MinimumThreshold = 1
	// DKGMinSize is the minimum size of a group participating in a DKG protocol
	DKGMinSize int = MinimumThreshold + 1
	// DKGMaxSize is the maximum size of a group participating in a DKG protocol
	DKGMaxSize int = 254
	// SeedMinLenDKG is the minumum seed length required to participate in a DKG protocol
	SeedMinLenDKG = securityBits / 8
	SeedMaxLenDKG = maxRelicPrgSeed
)
View Source 
const (
	// NIST P256
	SignatureLenECDSAP256 = 64
	PrKeyLenECDSAP256     = 32
	// PubKeyLenECDSAP256 is the size of uncompressed points on P256
	PubKeyLenECDSAP256 = 64

	// SECG secp256k1
	SignatureLenECDSASecp256k1 = 64
	PrKeyLenECDSASecp256k1     = 32
	// PubKeyLenECDSASecp256k1 is the size of uncompressed points on secp256k1
	PubKeyLenECDSASecp256k1 = 64
)
View Source 
const (
	// ThresholdSignMinSize is the minimum size of a group participating in a threshold signature protocol
	ThresholdSignMinSize = MinimumThreshold + 1
	// ThresholdSignMaxSize is the maximum size of a group participating in a threshold signature protocol
	ThresholdSignMaxSize = DKGMaxSize
)
View Source 
const (
	SignatureLenBLSBLS12381 = 48
)

Variables

View Source 
var BLS12381Order = []byte{0x73, 0xED, 0xA7, 0x53, 0x29, 0x9D, 0x7D, 0x48, 0x33, 0x39,
	0xD8, 0x08, 0x09, 0xA1, 0xD8, 0x05, 0x53, 0xBD, 0xA4, 0x02, 0xFF, 0xFE,
	0x5B, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01}

Functions

func BLSThresholdKeyGen 

func BLSThresholdKeyGen(size int, threshold int, seed []byte) ([]PrivateKey,
	[]PublicKey, PublicKey, error)

func BLSVerifyPOP 

func BLSVerifyPOP(pk PublicKey, s Signature) (bool, error)

func BatchVerifyBLSSignaturesOneMessage 

func BatchVerifyBLSSignaturesOneMessage(pks []PublicKey, sigs []Signature,
	message []byte, kmac hash.Hasher) ([]bool, error)

func EnoughShares 

func EnoughShares(threshold int, sharesNumber int) (bool, error)

func IsBLSAggregateEmptyListError 

func IsBLSAggregateEmptyListError(err error) bool

func IsBLSSignatureIdentity 

func IsBLSSignatureIdentity(s Signature) bool

func IsDKGFailureError 

func IsDKGFailureError(err error) bool

IsDKGFailureError checks if the input error is of a dkgFailureError type. dkgFailureError is an error returned when a participant detects a failure in the protocol and is not able to compute output keys.

func IsDKGInvalidStateTransitionError 

func IsDKGInvalidStateTransitionError(err error) bool

IsDkgInvalidStateTransitionError checks if the input error is of a dkgInvalidStateTransition type. invalidStateTransition is returned when a caller triggers an invalid state transition in the local DKG instance. Such a failure can only happen if the API is misued by not respecting the state machine conditions.

func IsDuplicatedSignerError 

func IsDuplicatedSignerError(err error) bool

IsDuplicatedSignerError checks if the input error is a duplicatedSignerError

func IsInvalidHasherSizeError 

func IsInvalidHasherSizeError(err error) bool

IsInvalidHasherSizeError checks if the input error is of an invalidHasherSizeError type. invalidHasherSizeError is an error returned when a crypto API is called with a hasher with an output size not suited with the cryptographic operation.

func IsInvalidInputsError 

func IsInvalidInputsError(err error) bool

IsInvalidInputsError checks if the input error is of an invalidInputsError type invalidInputsError is returned when the API is provided invalid inputs. Some specific errors are assigned specific sentinel errors for a simpler error check while the remaining input errors trigger an invalidInputsError.

func IsInvalidSignatureError 

func IsInvalidSignatureError(err error) bool

func IsNilHasherError 

func IsNilHasherError(err error) bool

IsNilHasherError checks if the input error wraps a nilHasherError. nilHasherError is returned when a nil hasher is used.

func IsNotBLSKeyError 

func IsNotBLSKeyError(err error) bool

func IsNotEnoughSharesError 

func IsNotEnoughSharesError(err error) bool

IsNotEnoughSharesError checks if the input error is a notEnoughSharesError

func NewExpandMsgXOFKMAC128 

func NewExpandMsgXOFKMAC128(tag string) hash.Hasher

bls.go functions

func SPOCKVerify 

func SPOCKVerify(pk1 PublicKey, proof1 Signature, pk2 PublicKey, proof2 Signature) (bool, error)

func SPOCKVerifyAgainstData 

func SPOCKVerifyAgainstData(pk PublicKey, proof Signature, data []byte, kmac hash.Hasher) (bool, error)

func SignatureFormatCheck 

func SignatureFormatCheck(algo SigningAlgorithm, s Signature) (bool, error)

SignatureFormatCheck verifies the format of a serialized signature, regardless of messages or public keys.

This function is only defined for ECDSA algos for now.

If SignatureFormatCheck returns false then the input is not a valid signature and will fail a verification against any message and public key.

func TestHasherErrors 

func TestHasherErrors(t *testing.T)

func TestKeyGenErrors 

func TestKeyGenErrors(t *testing.T)

func VerifyBLSSignatureManyMessages 

func VerifyBLSSignatureManyMessages(pks []PublicKey, s Signature,
	messages [][]byte, kmac []hash.Hasher) (bool, error)

func VerifyBLSSignatureOneMessage 

func VerifyBLSSignatureOneMessage(pks []PublicKey, s Signature,
	message []byte, kmac hash.Hasher) (bool, error)

Types

type DKGProcessor 

type DKGProcessor interface {
	// PrivateSend sends a message to a destination over
	// a private channel. The channel must preserve the
	// confidentiality of the message and should authenticate
	// the sender.
	// It is recommended that the private channel is unique per
	// protocol instance. This can be achieved by prepending all
	// messages by a unique instance ID.
	PrivateSend(dest int, data []byte)
	// Broadcast broadcasts a message to all participants.
	// This function assumes all participants have received the same message,
	// failing to do so, the protocol can be broken.
	// The broadcasted message is public and not confidential.
	// The broadcasting channel should authenticate the sender.
	// It is recommended that the broadcasting channel is unique per
	// protocol instance. This can be achieved by prepending all
	// messages by a unique instance ID.
	Broadcast(data []byte)
	// Disqualify flags that a participant is misbehaving and that it got
	// disqualified from the protocol. Such behavior deserves
	// disqualifying as it is flagged to all honest participants in
	// the protocol.
	// log describes the disqualification reason.
	Disqualify(participant int, log string)
	// FlagMisbehavior warns that a participant is misbehaving.
	// Such behavior is not necessarily flagged to all participants and therefore
	// the participant is not disqualified from the protocol. Other mechanisms
	// outside DKG could be implemented to synchronize slashing the misbehaving
	// participant by all participating participants, using the api `ForceDisqualify`. Failing to
	// do so, the protocol can be broken.
	// log describes the misbehavior.
	FlagMisbehavior(participant int, log string)
}

DKGProcessor is an interface that implements the DKG output actions.

An instance of a DKGProcessor is needed for each participant in order to particpate in a DKG protocol

type DKGState 

type DKGState interface {
	// Size returns the size of the DKG group n
	Size() int
	// Threshold returns the threshold value t
	Threshold() int
	// Start starts running a DKG in the current participant
	Start(seed []byte) error
	// HandleBroadcastMsg processes a new broadcasted message received by the current participant.
	// orig is the message origin index
	HandleBroadcastMsg(orig int, msg []byte) error
	// HandlePrivateMsg processes a new private message received by the current participant.
	// orig is the message origin index
	HandlePrivateMsg(orig int, msg []byte) error
	// End ends a DKG protocol in the current participant.
	// It returns the finalized public data and participant private key share.
	// - the group public key corresponding to the group secret key
	// - all the public key shares corresponding to the participants private
	// key shares
	// - the finalized private key which is the current participant's own private key share
	End() (PrivateKey, PublicKey, []PublicKey, error)
	// NextTimeout set the next timeout of the protocol if any timeout applies.
	// Some protocols could require more than one timeout
	NextTimeout() error
	// Running returns the running state of the DKG protocol
	Running() bool
	// ForceDisqualify forces a participant to get disqualified
	// for a reason outside of the DKG protocol.
	// The caller should make sure all honest participants call this function,
	// otherwise, the protocol can be broken.
	ForceDisqualify(participant int) error
}

func NewFeldmanVSS 

func NewFeldmanVSS(size int, threshold int, myIndex int,
	processor DKGProcessor, dealerIndex int) (DKGState, error)

dkg.go functions

func NewFeldmanVSSQual 

func NewFeldmanVSSQual(size int, threshold int, myIndex int,
	processor DKGProcessor, dealerIndex int) (DKGState, error)

func NewJointFeldman 

func NewJointFeldman(size int, threshold int, myIndex int,
	processor DKGProcessor) (DKGState, error)

type PrivateKey 

type PrivateKey interface {
	// Algorithm returns the signing algorithm related to the private key.
	Algorithm() SigningAlgorithm
	// Size return the key size in bytes.
	Size() int
	// String return a hex representation of the key
	String() string
	// Sign generates a signature using the provided hasher.
	Sign([]byte, hash.Hasher) (Signature, error)
	// PublicKey returns the public key.
	PublicKey() PublicKey
	// Encode returns a bytes representation of the private key
	Encode() []byte
	// Equals returns true if the given PrivateKeys are equal. Keys are considered unequal if their algorithms are
	// unequal or if their encoded representations are unequal. If the encoding of either key fails, they are considered
	// unequal as well.
	Equals(PrivateKey) bool
}

PrivateKey is an unspecified signature scheme private key

func AggregateBLSPrivateKeys 

func AggregateBLSPrivateKeys(keys []PrivateKey) (PrivateKey, error)

func DecodePrivateKey 

func DecodePrivateKey(algo SigningAlgorithm, data []byte) (PrivateKey, error)

DecodePrivateKey decodes an array of bytes into a private key of the given algorithm

The function returns:

  • (nil, invalidInputsErrors) if the signing algorithm is not supported
  • (nil, invalidInputsErrors) if the input does not serialize a valid private key:
  • ECDSA: bytes(x) where bytes() is the big-endian encoding padded to the curve order.
  • BLS: bytes(x) where bytes() is the big-endian encoding padded to the order of BLS12-381. for all algorithms supported, input is big-endian encoding of a the private scalar less than the curve order and left-padded to 32 bytes
  • (nil, error) if an unexpected error occurs
  • (sk, nil) otherwise

func GeneratePrivateKey 

func GeneratePrivateKey(algo SigningAlgorithm, seed []byte) (PrivateKey, error)

GeneratePrivateKey generates a private key of the algorithm using the entropy of the given seed.

The seed minimum length is 32 bytes and it should have enough entropy. It is recommended to use a secure crypto RNG to generate the seed.

The function returns:

  • (false, invalidInputsErrors) if the signing algorithm is not supported or if the seed length is not valid (less than 32 bytes or larger than 256 bytes)
  • (false, error) if an unexpected error occurs
  • (sk, nil) if key generation was successful

type PublicKey 

type PublicKey interface {
	// Algorithm returns the signing algorithm related to the public key.
	Algorithm() SigningAlgorithm
	// Size() return the key size in bytes.
	Size() int
	// String return a hex representation of the key
	String() string
	// Verify verifies a signature of an input message using the provided hasher.
	Verify(Signature, []byte, hash.Hasher) (bool, error)
	// Encode returns a bytes representation of the public key.
	Encode() []byte
	// EncodeCompressed returns a compressed byte representation of the public key.
	// The compressed serialization concept is generic to elliptic curves,
	// but we refer to individual curve parameters for details of the compressed format
	EncodeCompressed() []byte
	// Equals returns true if the given PublicKeys are equal. Keys are considered unequal if their algorithms are
	// unequal or if their encoded representations are unequal. If the encoding of either key fails, they are considered
	// unequal as well.
	Equals(PublicKey) bool
}

PublicKey is an unspecified signature scheme public key.

func AggregateBLSPublicKeys 

func AggregateBLSPublicKeys(keys []PublicKey) (PublicKey, error)

func DecodePublicKey 

func DecodePublicKey(algo SigningAlgorithm, data []byte) (PublicKey, error)

DecodePublicKey decodes an array of bytes into a public key of the given algorithm

The function returns:

func DecodePublicKeyCompressed 

func DecodePublicKeyCompressed(algo SigningAlgorithm, data []byte) (PublicKey, error)

DecodePublicKeyCompressed decodes an array of bytes given in a compressed representation into a public key of the given algorithm Only ECDSA is supported (BLS uses the compressed serialzation by default).

The function returns:

  • (nil, invalidInputsErrors) if the signing algorithm is not supported (is not ECDSA)
  • (nil, invalidInputsErrors) if the input does not serialize a valid public key:
  • ECDSA: sign_byte||bytes(x) according to X9.62 section 4.3.6.
  • (nil, error) if an unexpected error occurs
  • (sk, nil) otherwise

func IdentityBLSPublicKey 

func IdentityBLSPublicKey() PublicKey

func RemoveBLSPublicKeys 

func RemoveBLSPublicKeys(aggKey PublicKey, keysToRemove []PublicKey) (PublicKey, error)

type Signature 

type Signature []byte

Signature is a generic type, regardless of the signature scheme

func AggregateBLSSignatures 

func AggregateBLSSignatures(sigs []Signature) (Signature, error)

func BLSGeneratePOP 

func BLSGeneratePOP(sk PrivateKey) (Signature, error)

bls_multisig.go functions

func BLSInvalidSignature 

func BLSInvalidSignature() Signature

func BLSReconstructThresholdSignature 

func BLSReconstructThresholdSignature(size int, threshold int,
	shares []Signature, signers []int) (Signature, error)

func SPOCKProve 

func SPOCKProve(sk PrivateKey, data []byte, kmac hash.Hasher) (Signature, error)

func (Signature) Bytes 

func (s Signature) Bytes() []byte

Bytes returns a byte array of the signature data

func (Signature) String 

func (s Signature) String() string

String returns a String representation of the signature data

type SigningAlgorithm 

type SigningAlgorithm int

SigningAlgorithm is an identifier for a signing algorithm (and parameters if applicable) 

const (
	// Supported signing algorithms
	UnknownSigningAlgorithm SigningAlgorithm = iota
	// BLSBLS12381 is BLS on BLS 12-381 curve
	BLSBLS12381
	// ECDSAP256 is ECDSA on NIST P-256 curve
	ECDSAP256
	// ECDSASecp256k1 is ECDSA on secp256k1 curve
	ECDSASecp256k1
)

func (SigningAlgorithm) String 

func (f SigningAlgorithm) String() string

String returns the string representation of this signing algorithm.

type ThresholdSignatureInspector 

type ThresholdSignatureInspector interface {
	// VerifyShare verifies the input signature against the stored message and stored
	// key at the input index. This function does not update the internal state.
	// The function is thread-safe.
	// Returns:
	//  - (true, nil) if the signature is valid
	//  - (false, nil) if `orig` is a valid index but the signature share is invalid
	//  - (false, InvalidInputsError) if `orig` is an invalid index value
	//  - (false, error) for all other unexpected errors
	VerifyShare(orig int, share Signature) (bool, error)

	// VerifyThresholdSignature verifies the input signature against the stored
	// message and stored group public key. It does not update the internal state.
	// The function is thread-safe.
	// Returns:
	//  - (true, nil) if the signature is valid
	//  - (false, nil) if the signature is invalid
	//  - (false, error) for all other unexpected errors
	VerifyThresholdSignature(thresholdSignature Signature) (bool, error)

	// EnoughShares indicates whether enough shares have been accumulated in order to reconstruct
	// a group signature. This function is thread safe and locks the internal state.
	// Returns:
	//  - true if and only if at least (threshold+1) shares were added
	EnoughShares() bool

	// TrustedAdd adds a signature share to the internal pool of shares
	// without verifying the signature against the message and the participant's
	// public key. This function is thread safe and locks the internal state.
	//
	// The share is only added if the signer index is valid and has not been
	// added yet. Moreover, the share is added only if not enough shares were collected.
	// The function returns:
	//  - (true, nil) if enough signature shares were already collected and no error occurred
	//  - (false, nil) if not enough shares were collected and no error occurred
	//  - (false, InvalidInputsError) if index is invalid
	//  - (false, duplicatedSignerError) if a signature for the index was previously added
	TrustedAdd(orig int, share Signature) (bool, error)

	// VerifyAndAdd verifies a signature share (same as `VerifyShare`),
	// and may or may not add the share to the local pool of shares.
	// This function is thread safe and locks the internal state.
	//
	// The share is only added if the signature is valid, the signer index is valid and has not been
	// added yet. Moreover, the share is added only if not enough shares were collected.
	// Boolean returns:
	//  - First boolean output is true if the share is valid and no error is returned, and false otherwise.
	//  - Second boolean output is true if enough shares were collected and no error is returned, and false otherwise.
	// Error returns:
	//  - invalidInputsError if input index is invalid. A signature that doesn't verify against the signer's
	//    public key is not considered an invalid input.
	//  - duplicatedSignerError if signer was already added.
	//  - other errors if an unexpected exception occurred.
	VerifyAndAdd(orig int, share Signature) (bool, bool, error)

	// HasShare checks whether the internal map contains the share of the given index.
	// This function is thread safe.
	// The function errors with InvalidInputsError if the index is invalid.
	HasShare(orig int) (bool, error)

	// ThresholdSignature returns the threshold signature if the threshold was reached.
	// The threshold signature is reconstructed only once and is cached for subsequent calls.
	//
	// Returns:
	// - (signature, nil) if no error occurred
	// - (nil, notEnoughSharesError) if not enough shares were collected
	// - (nil, invalidSignatureError) if at least one collected share does not serialize to a valid BLS signature.
	// - (nil, invalidInputsError) if the constructed signature failed to verify against the group public key and stored message. This post-verification
	//    is required  for safety, as `TrustedAdd` allows adding invalid signatures.
	// - (nil, error) for any other unexpected error.
	ThresholdSignature() (Signature, error)
}

ThresholdSignatureInspector is an inspector of the threshold signature protocol. The interface only allows inspecting the threshold signing protocol without taking part in it.

func NewBLSThresholdSignatureInspector 

func NewBLSThresholdSignatureInspector(
	groupPublicKey PublicKey,
	sharePublicKeys []PublicKey,
	threshold int,
	message []byte,
	dsTag string,
) (ThresholdSignatureInspector, error)

type ThresholdSignatureParticipant 

type ThresholdSignatureParticipant interface {
	ThresholdSignatureInspector
	// SignShare generates a signature share using the current private key share.
	//
	// The function does not add the share to the internal pool of shares and do
	// not update the internal state.
	// This function is thread safe
	// No error is expected unless an unexpected exception occurs
	SignShare() (Signature, error)
}

ThresholdSignatureParticipant is a participant in a threshold signature protocol. A participant is able to participate in a threshold signing protocol as well as inspecting the protocol.

func NewBLSThresholdSignatureParticipant 

func NewBLSThresholdSignatureParticipant(
	groupPublicKey PublicKey,
	sharePublicKeys []PublicKey,
	threshold int,
	myIndex int,
	myPrivateKey PrivateKey,
	message []byte,
	dsTag string,
) (ThresholdSignatureParticipant, error)

bls_threshold.go functions

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.