# This is a combination of 8 commits.

# This is the 1st commit message:

Remove requirement that bitcoin key shares need to be normalized

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #2:

Update docs

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #3:

Update docs

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #4:

Update README

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #5:

First attempt to add HD wallets

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #6:

Second attempt to implement HD wallets

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #7:

The final attempt to implement HD wallets

Signed-off-by: Denis Varlakov <[email protected]>

# This is the commit message #8:

Update deps

Signed-off-by: Denis Varlakov <[email protected]>

Cargo.toml

@@ -9,10 +9,3 @@ exclude = [
   "wasm/no_std",
 ]
 
-[patch.crates-io.cggmp21-keygen]
-git = "https://github.com/dfnsco/cggmp21-private"
-rev = "730e1217443eccac983d0177cab222decf07f139"
-
-[patch.crates-io.key-share]
-git = "https://github.com/dfnsco/cggmp21-private"
-rev = "730e1217443eccac983d0177cab222decf07f139"

README.md

@@ -6,7 +6,7 @@ signers to commit nonces ahead of time), and identifiable abort.
 This crate provides:
 * Distributed Key Generation (DKG) \
   FROST does not define DKG protocol to be used. We simply re-export DKG based on [CGGMP21] implementation
-  when `cggmp21-keygen` feature is enabled, which is a fairly reasonalbe choice as it's proven to be UC-secure.
+  when `cggmp21-keygen` feature is enabled, which is a fairly reasonable choice as it's proven to be UC-secure.
   Alternatively, you can use any other UC-secure DKG protocol.
 * FROST Signing \
   We provide API for both manual signing execution (for better flexibility and efficiency) and interactive protocol
@@ -23,7 +23,7 @@ The crate is wasm and no_std friendly.
 
 ### Distributed Key Generation (DKG)
 First of all, you need to generate a key. For that purpose, you can use any secure
-(preferrably, UC-secure) DKG protocol. FROST IETF Draft does not define any DKG
+(preferably, UC-secure) DKG protocol. FROST IETF Draft does not define any DKG
 protocol or requirements it needs to meet, so the choice is up to you. This library
 re-exports CGGMP21 DKG from `cggmp21-keygen` crate when `cggmp21-keygen` feature
 is enabled which is proven to be UC-secure and should be a reasonable default.
@@ -39,7 +39,7 @@ let outgoing: impl Sink<Outgoing<Msg>>;
 
 where:
 * `Msg` is a protocol message (e.g., `keygen::msg::threshold::Msg`)
-* `round_based::Incoming` and `round_based::Outgoing` wrap `Msg` and provide additional data (e.g., sender/recepient)
+* `round_based::Incoming` and `round_based::Outgoing` wrap `Msg` and provide additional data (e.g., sender/recipient)
 * `futures::Stream` and `futures::Sink` are well-known async primitives.
 
 

givre/Cargo.toml

@@ -7,7 +7,7 @@ edition = "2021"
 
 [dependencies]
 cggmp21-keygen = { version = "0.3", optional = true }
-key-share = { version = "0.4", default-features = false }
+key-share = { version = "0.4.1", default-features = false }
 
 generic-ec = { version = "0.4", default-features = false, features = ["alloc"] }
 
@@ -22,6 +22,8 @@ sha2 = { version = "0.10", default-features = false, optional = true }
 
 serde = { version = "1", default-features = false, features = ["derive"], optional = true }
 
+slip-10 = { version = "0.4", default-features = false, optional = true }
+
 [dev-dependencies]
 rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
 futures = "0.3"
@@ -43,10 +45,10 @@ spof = ["key-share/spof"]
 # it'll fail to compile.
 #
 # Library doesn't have support of HD signing yet.
-hd-wallets = ["key-share/hd-wallets", "cggmp21-keygen?/hd-wallets"]
+hd-wallets = ["slip-10", "key-share/hd-wallets", "cggmp21-keygen?/hd-wallets"]
 
 all-ciphersuites = ["ciphersuite-secp256k1", "ciphersuite-ed25519", "ciphersuite-bitcoin"]
 ciphersuite-secp256k1 = ["generic-ec/curve-secp256k1", "k256", "sha2", "static_assertions"]
 ciphersuite-ed25519 = ["generic-ec/curve-ed25519", "sha2"]
-ciphersuite-bitcoin = ["ciphersuite-secp256k1"]
+ciphersuite-bitcoin = ["ciphersuite-secp256k1", "sha2"]
 

givre/src/ciphersuite.rs

@@ -50,6 +50,9 @@ pub trait Ciphersuite: Sized + Clone + Copy + core::fmt::Debug {
     /// algorithm available in [`generic_ec`] crate.
     type MultiscalarMul: generic_ec::multiscalar::MultiscalarMul<Self::Curve>;
 
+    /// Indicates that the ciphersuite outputs taproot-compatible signatures
+    const IS_TAPROOT: bool = false;
+
     /// `H1` hash function as defined in the draft
     ///
     /// Accepts a list of bytestring, that'll be concatenated before hashing.
@@ -115,8 +118,8 @@ pub trait Ciphersuite: Sized + Clone + Copy + core::fmt::Debug {
     /// (aka point at infinity) is always normalized. Note that certain parts of the protocol may enforce this property
     /// via debug assertions.
     ///
-    /// The protocol always outputs signatures with normalized R-component. We also require that public key is
-    /// normalized. If it isn't, signing fails. You can use [`normalize_key_share`] function to normalize any key.
+    /// The protocol always outputs signatures with normalized R-component. If key share has non-normalized public
+    /// key, it will be normalized at the time of signing.
     ///
     /// If Schnorr scheme doesn't have a notion of normalized points, this function should always return `true`.
     fn is_normalized(point: &Point<Self::Curve>) -> bool {
@@ -307,13 +310,3 @@ where
             .map_err(|_| <D::Error as serde::de::Error>::custom("point isn't normalized"))
     }
 }
-
-/// Checks whether `key_share` is normalized
-///
-/// `key_share` must be normalized, otherwise the signing will return error. See [`Ciphersuite::is_normalized`]
-/// for more details.
-pub fn is_key_share_normalized<C: Ciphersuite>(
-    key_share: &crate::key_share::KeyShare<C::Curve>,
-) -> bool {
-    C::is_normalized(&key_share.shared_public_key)
-}

givre/src/ciphersuite/bitcoin.rs

@@ -5,12 +5,6 @@ use super::{Ciphersuite, Secp256k1};
 
 /// FROST ciphersuite that outputs [BIP-340] compliant signatures
 ///
-/// # Normalized public keys
-/// BIP-340 requires that public keys are normalized, meaning that they must have
-/// odd Y coordinate. Generic DKG protocols output public key with both even and odd
-/// Y coordinate. You can use [`normalize_key_share`](super::normalize_key_share)
-/// to normalize the key share after it's generated.
-///
 /// [BIP-340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 #[derive(Debug, Clone, Copy)]
 pub struct Bitcoin;
@@ -21,6 +15,8 @@ impl Ciphersuite for Bitcoin {
     type Digest = <Secp256k1 as Ciphersuite>::Digest;
     type MultiscalarMul = generic_ec::multiscalar::Default;
 
+    const IS_TAPROOT: bool = true;
+
     fn h1(msg: &[&[u8]]) -> generic_ec::Scalar<Self::Curve> {
         Secp256k1::h1(msg)
     }

givre/src/lib.rs

@@ -189,11 +189,11 @@ mod _unused_deps {
 
 /// Key share
 ///
-/// This module re-exports type definitions from [`key_share`](::key_share) crate.
+/// This module re-exports type definitions from [`key_share`] crate.
 pub mod key_share {
     #[doc(inline)]
     pub use key_share::{
-        CoreKeyShare as KeyShare, DirtyCoreKeyShare as DirtyKeyShare, DirtyKeyInfo,
+        CoreKeyShare as KeyShare, DirtyCoreKeyShare as DirtyKeyShare, DirtyKeyInfo, HdError,
         InvalidCoreShare as InvalidKeyShare, KeyInfo, Validate, VssSetup,
     };
 

givre/src/signing.rs

@@ -33,4 +33,5 @@ pub mod aggregate;
 pub mod full_signing;
 pub mod round1;
 pub mod round2;
+pub mod taproot;
 mod utils;