clean up schnorr::ID to use standard variable names for a schnorr proof

delete sensitive values in the signer after dkg and signing

clear sensitive data from coordinators

add helper functions to zero out schnorr::ID and PolyCommitment; zero out dkg_public_shares and keep after reset in dkg_ended

add helper functions to check if a schnorr::ID and PolyCommitment has been zeroed out; add test to see if sensitive data has been cleared

add missing tests to frost coordinator

fix comment on PolyCommitment::is_zero

use values fn to iterate over map values

Author: xoloki

src/common.rs

@@ -37,6 +37,16 @@ impl PolyCommitment {
     pub fn verify(&self) -> bool {
         self.id.verify(&self.poly[0])
     }
+
+    /// Zero out the schnorr::ID
+    pub fn zero(&mut self) {
+        self.id.zero();
+    }
+
+    /// Check if schnorr proof is zeroed out
+    pub fn is_zero(&self) -> bool {
+        self.id.is_zero()
+    }
 }
 
 impl Display for PolyCommitment {

src/schnorr.rs

@@ -1,3 +1,4 @@
+use num_traits::Zero;
 use rand_core::{CryptoRng, RngCore};
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
@@ -12,46 +13,56 @@ use crate::{
 
 #[allow(non_snake_case)]
 #[derive(Clone, Debug, Deserialize, Serialize, PartialEq)]
-/// ID type which encapsulates the ID and a schnorr proof of ownership of the polynomial
+/// Encapsulatetion of the ID and a zero knowledge proof of ownership of a private key bound to ID
 pub struct ID {
-    /// The ID
+    /// ID
     pub id: Scalar,
-    /// The public schnorr response
-    pub kG: Point,
-    /// The aggregate of the schnorr committed values
-    pub kca: Scalar,
+    /// Commitment to the proof random value
+    pub R: Point,
+    /// Sigma protocol response
+    pub s: Scalar,
 }
 
 #[allow(non_snake_case)]
 impl ID {
-    /// Construct a new schnorr ID which binds the passed `Scalar` `id` and `Scalar` `a`, with a zero-knowledge proof of ownership of `a`
-    pub fn new<RNG: RngCore + CryptoRng>(id: &Scalar, a: &Scalar, rng: &mut RNG) -> Self {
-        let k = Scalar::random(rng);
-        let c = Self::challenge(id, &(&k * &G), &(a * &G));
-
-        Self {
-            id: *id,
-            kG: &k * G,
-            kca: &k + c * a,
-        }
+    /// Construct a new schnorr ID that proves ownership of private key `x` bound to `id`
+    pub fn new<RNG: RngCore + CryptoRng>(id: &Scalar, x: &Scalar, rng: &mut RNG) -> Self {
+        let r = Scalar::random(rng);
+        let R = r * G;
+        let X = x * G;
+        let c = Self::challenge(id, &R, &X);
+        let s = r + c * x;
+
+        Self { id: *id, R, s }
     }
 
     /// Compute the schnorr challenge
-    pub fn challenge(id: &Scalar, K: &Point, A: &Point) -> Scalar {
+    pub fn challenge(id: &Scalar, R: &Point, X: &Point) -> Scalar {
         let mut hasher = Sha256::new();
         let tag = "WSTS/polynomial-constant";
 
         hasher.update(tag.as_bytes());
         hasher.update(id.to_bytes());
-        hasher.update(K.compress().as_bytes());
-        hasher.update(A.compress().as_bytes());
+        hasher.update(R.compress().as_bytes());
+        hasher.update(X.compress().as_bytes());
 
         hash_to_scalar(&mut hasher)
     }
 
-    /// Verify the proof
-    pub fn verify(&self, A: &Point) -> bool {
-        let c = Self::challenge(&self.id, &self.kG, A);
-        &self.kca * &G == &self.kG + c * A
+    /// Verify the proof against the public key `X`
+    pub fn verify(&self, X: &Point) -> bool {
+        let c = Self::challenge(&self.id, &self.R, X);
+        &self.s * &G == &self.R + c * X
+    }
+
+    /// Zero out the schnorr proof
+    pub fn zero(&mut self) {
+        self.R = Point::new();
+        self.s = Scalar::zero();
+    }
+
+    /// Check if schnorr proof is zeroed out
+    pub fn is_zero(&self) -> bool {
+        self.R == Point::new() && self.s == Scalar::zero()
     }
 }

src/state_machine/coordinator/fire.rs

@@ -737,7 +737,9 @@ impl<Aggregator: AggregatorTrait> Coordinator<Aggregator> {
         // Cache the polynomials used in DKG for the aggregator
         for signer_id in self.dkg_private_shares.keys() {
             for (party_id, comm) in &self.dkg_public_shares[signer_id].comms {
-                self.party_polynomials.insert(*party_id, comm.clone());
+                let mut comm = comm.clone();
+                comm.zero();
+                self.party_polynomials.insert(*party_id, comm);
             }
         }
 
@@ -749,6 +751,10 @@ impl<Aggregator: AggregatorTrait> Coordinator<Aggregator> {
             .fold(Point::default(), |s, (_, comm)| s + comm.poly[0]);
 
         info!("Aggregate public key: {key}");
+
+        self.dkg_public_shares.clear();
+        self.dkg_private_shares.clear();
+
         self.aggregate_public_key = Some(key);
         self.move_to(State::Idle)
     }
@@ -1087,6 +1093,7 @@ impl<Aggregator: AggregatorTrait> Coordinator<Aggregator> {
 
             self.move_to(State::Idle)?;
         }
+
         Ok(())
     }
 
@@ -1403,7 +1410,8 @@ pub mod test {
                     bad_signature_share_request, check_signature_shares, coordinator_state_machine,
                     empty_private_shares, empty_public_shares, equal_after_save_load,
                     feedback_messages, feedback_mutated_messages, gen_nonces, invalid_nonce,
-                    new_coordinator, run_dkg_sign, setup, setup_with_timeouts, start_dkg_round,
+                    new_coordinator, run_dkg_sign, sensitive_data, setup, setup_with_timeouts,
+                    start_dkg_round,
                 },
                 Config, Coordinator as CoordinatorTrait, State,
             },
@@ -3144,6 +3152,16 @@ pub mod test {
         gen_nonces::<FireCoordinator<v2::Aggregator>, v2::Signer>(5, 1);
     }
 
+    #[test]
+    fn sensitive_data_v1() {
+        sensitive_data::<FireCoordinator<v1::Aggregator>, v1::Signer>(5, 1);
+    }
+
+    #[test]
+    fn sensitive_data_v2() {
+        sensitive_data::<FireCoordinator<v2::Aggregator>, v2::Signer>(5, 1);
+    }
+
     #[test]
     fn bad_signature_share_request_v1() {
         bad_signature_share_request::<FireCoordinator<v1::Aggregator>, v1::Signer>(5, 2);

src/state_machine/coordinator/frost.rs

@@ -414,7 +414,9 @@ impl<Aggregator: AggregatorTrait> Coordinator<Aggregator> {
                 return Err(Error::BadStateChange(format!("Should not have transitioned to DkgEndGather since we were missing DkgPublicShares from signer {signer_id}")));
             };
             for (party_id, comm) in &dkg_public_shares.comms {
-                self.party_polynomials.insert(*party_id, comm.clone());
+                let mut comm = comm.clone();
+                comm.zero();
+                self.party_polynomials.insert(*party_id, comm);
             }
         }
 
@@ -428,6 +430,9 @@ impl<Aggregator: AggregatorTrait> Coordinator<Aggregator> {
             %key,
             "Aggregate public key"
         );
+        self.dkg_public_shares.clear();
+        self.dkg_private_shares.clear();
+
         self.aggregate_public_key = Some(key);
         self.move_to(State::Idle)
     }
@@ -982,8 +987,9 @@ pub mod test {
             frost::Coordinator as FrostCoordinator,
             test::{
                 bad_signature_share_request, check_signature_shares, coordinator_state_machine,
-                empty_private_shares, empty_public_shares, equal_after_save_load, invalid_nonce,
-                new_coordinator, run_dkg_sign, setup, start_dkg_round,
+                empty_private_shares, empty_public_shares, equal_after_save_load, gen_nonces,
+                invalid_nonce, new_coordinator, run_dkg_sign, sensitive_data, setup,
+                start_dkg_round,
             },
             Config, Coordinator as CoordinatorTrait, State,
         },
@@ -1401,6 +1407,26 @@ pub mod test {
         );
     }
 
+    #[test]
+    fn gen_nonces_v1() {
+        gen_nonces::<FrostCoordinator<v1::Aggregator>, v1::Signer>(5, 1);
+    }
+
+    #[test]
+    fn gen_nonces_v2() {
+        gen_nonces::<FrostCoordinator<v2::Aggregator>, v2::Signer>(5, 1);
+    }
+
+    #[test]
+    fn sensitive_data_v1() {
+        sensitive_data::<FrostCoordinator<v1::Aggregator>, v1::Signer>(5, 1);
+    }
+
+    #[test]
+    fn sensitive_data_v2() {
+        sensitive_data::<FrostCoordinator<v2::Aggregator>, v2::Signer>(5, 1);
+    }
+
     #[test]
     fn bad_signature_share_request_v1() {
         bad_signature_share_request::<FrostCoordinator<v1::Aggregator>, v1::Signer>(5, 2);

src/state_machine/coordinator/mod.rs

@@ -1092,6 +1092,40 @@ pub mod test {
         }
     }
 
+    pub fn sensitive_data<Coordinator: CoordinatorTrait, SignerType: SignerTrait>(
+        num_signers: u32,
+        keys_per_signer: u32,
+    ) {
+        let (coordinators, signers) =
+            run_dkg::<Coordinator, SignerType>(num_signers, keys_per_signer);
+
+        // check the coordinators to see if they deleted public and private shares
+        for coordinator in &coordinators {
+            let state = coordinator.save();
+
+            assert!(state.dkg_public_shares.is_empty());
+            assert!(state.dkg_private_shares.is_empty());
+
+            for (_party_id, comm) in &state.party_polynomials {
+                assert!(comm.is_zero());
+            }
+        }
+
+        // check the signers to see if they deleted private shares and zeroed out poly commitments
+        for signer in &signers {
+            assert!(signer.dkg_private_shares.is_empty());
+
+            for (_party_id, comm) in &signer.commitments {
+                assert!(comm.is_zero());
+            }
+
+            for dkg_public_shares in signer.dkg_public_shares.values() {
+                for (_id, comm) in &dkg_public_shares.comms {
+                    assert!(comm.is_zero());
+                }
+            }
+        }
+    }
     pub fn bad_signature_share_request<Coordinator: CoordinatorTrait, SignerType: SignerTrait>(
         num_signers: u32,
         keys_per_signer: u32,

src/state_machine/signer/mod.rs

@@ -381,6 +381,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
         self.invalid_private_shares.clear();
         self.public_nonces.clear();
         self.signer.reset_polys(rng);
+        self.signer.gen_nonces(rng);
         self.dkg_public_shares.clear();
         self.dkg_private_shares.clear();
         self.dkg_private_begin_msg = None;
@@ -452,6 +453,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
     /// DKG is done so compute secrets
     pub fn dkg_ended<R: RngCore + CryptoRng>(&mut self, rng: &mut R) -> Result<Message, Error> {
         if !self.can_dkg_end() {
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -467,6 +469,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
 
         let Some(dkg_end_begin) = &self.dkg_end_begin_msg else {
             // no cached DkgEndBegin message
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -490,6 +493,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
         }
 
         if num_dkg_keys < self.dkg_threshold {
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -532,6 +536,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
         }
 
         if !missing_public_shares.is_empty() {
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -540,6 +545,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
         }
 
         if !bad_public_shares.is_empty() {
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -548,6 +554,7 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
         }
 
         if !missing_private_shares.is_empty() {
+            self.reset(self.dkg_id, rng);
             return Ok(Message::DkgEnd(DkgEnd {
                 dkg_id: self.dkg_id,
                 signer_id: self.signer_id,
@@ -614,6 +621,14 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
             "sending DkgEnd"
         );
 
+        for (_, dps) in self.dkg_public_shares.iter_mut() {
+            for (_, comm) in dps.comms.iter_mut() {
+                comm.zero();
+            }
+        }
+        let dkg_public_shares = self.dkg_public_shares.clone();
+        self.reset(self.dkg_id, rng);
+        self.dkg_public_shares = dkg_public_shares;
         let dkg_end = Message::DkgEnd(dkg_end);
         Ok(dkg_end)
     }
@@ -765,7 +780,8 @@ impl<SignerType: SignerTrait> Signer<SignerType> {
                 SignatureType::Frost => self.signer.sign(msg, &signer_ids, &key_ids, &nonces),
             };
 
-            self.signer.gen_nonces(rng);
+            // delete sensitive values to prevent protocol attacks
+            self.reset(self.dkg_id, rng);
 
             let response = SignatureShareResponse {
                 dkg_id: sign_request.dkg_id,

src/traits.rs

@@ -362,7 +362,7 @@ pub mod test_helpers {
                 if party_id == bad_party_id {
                     // alter the schnorr proof so it will fail verification
                     let mut bad_comm = comm.clone();
-                    bad_comm.id.kca += Scalar::from(1);
+                    bad_comm.id.s += Scalar::from(1);
                     (party_id, bad_comm)
                 } else {
                     (party_id, comm)