dkls23/sign/messages.rs
1// Copyright (c) Silence Laboratories Pte. Ltd. All Rights Reserved.
2// This software is licensed under the Silence Laboratories License Agreement.
3
4//! Message types for the Distributed Signature Generation (DSG) Protocol
5//!
6//! This module defines the message structures used in the DSG protocol for
7//! communication between participants. These messages are designed to be
8//! memory-safe and efficiently serializable.
9//!
10//! # Safety
11//!
12//! The message structures use `bytemuck` traits to ensure safe memory
13//! operations and alignment requirements. All structures are marked with
14//! `#[repr(C)]` to guarantee a stable memory layout.
15
16use k256::{ProjectivePoint, Scalar};
17
18use sl_oblivious::{rvole::RVOLEOutput, soft_spoken::Round1Output};
19
20use bytemuck::{AnyBitPattern, NoUninit};
21use zeroize::{Zeroize, ZeroizeOnDrop};
22
23use crate::proto::{PointBytes, ScalarBytes};
24
25/// Message type for the first round of the signature generation protocol
26///
27/// This message contains the initial commitment and public key information
28/// that each participant broadcasts to all other participants.
29///
30/// # Memory Layout
31///
32/// The structure is marked with `#[repr(C)]` to ensure a stable memory layout
33/// and uses `AnyBitPattern` and `NoUninit` for safe memory operations.
34#[derive(Clone, Copy, AnyBitPattern, NoUninit)]
35#[repr(C)]
36pub struct SignMsg1 {
37 /// Session identifier for the protocol run
38 pub session_id: [u8; 32],
39
40 /// Hash of the commitment value
41 pub commitment_r_i: [u8; 32],
42
43 /// Participant's encryption public key
44 pub enc_pk: [u8; 32],
45
46 /// Party ID from the key share
47 pub party_id: u8,
48}
49
50/// Message type for the second round of the signature generation protocol (P2P)
51///
52/// This message is sent peer-to-peer between participants and contains
53/// the final session ID and encrypted data for the MtA protocol.
54///
55/// # Memory Layout
56///
57/// The structure is marked with `#[repr(C)]` to ensure a stable memory layout
58/// and uses `AnyBitPattern` and `NoUninit` for safe memory operations.
59#[derive(Clone, Copy, AnyBitPattern, NoUninit)]
60#[repr(C)]
61pub struct SignMsg2 {
62 /// Final session identifier
63 pub final_session_id: [u8; 32],
64
65 /// Encrypted data for the MtA protocol
66 pub mta_msg1: Round1Output,
67}
68
69/// Message type for the third round of the signature generation protocol (P2P)
70///
71/// This message is sent peer-to-peer between participants and contains
72/// various encrypted data points and commitments needed for the signature.
73///
74/// # Memory Layout
75///
76/// The structure is marked with `#[repr(C)]` to ensure a stable memory layout
77/// and uses `AnyBitPattern` and `NoUninit` for safe memory operations.
78#[derive(Clone, Copy, AnyBitPattern, NoUninit)]
79#[repr(C)]
80pub struct SignMsg3 {
81 /// Final session identifier
82 pub final_session_id: [u8; 32],
83
84 /// Encrypted data for the RVOLE protocol
85 pub mta_msg2: RVOLEOutput,
86
87 /// Encrypted digest value
88 pub digest_i: [u8; 32],
89
90 /// Encrypted public key component
91 pub pk_i: PointBytes,
92
93 /// Encrypted R point component
94 pub big_r_i: PointBytes,
95
96 /// Encrypted blind factor
97 pub blind_factor: [u8; 32],
98
99 /// Encrypted gamma_v point
100 pub gamma_v: PointBytes,
101
102 /// Encrypted gamma_u point
103 pub gamma_u: PointBytes,
104
105 /// Encrypted psi scalar value
106 pub psi: ScalarBytes,
107}
108
109/// Message type for the fourth round of the signature generation protocol
110///
111/// This message contains the final signature components that each participant
112/// broadcasts to all other participants.
113///
114/// # Memory Layout
115///
116/// The structure is marked with `#[repr(C)]` to ensure a stable memory layout
117/// and uses `AnyBitPattern` and `NoUninit` for safe memory operations.
118#[derive(Clone, Copy, AnyBitPattern, NoUninit)]
119#[repr(C)]
120pub struct SignMsg4 {
121 /// Session identifier
122 pub session_id: [u8; 32],
123
124 /// s_0 Scalar
125 pub s_0: ScalarBytes,
126
127 /// s_1 Scalar
128 pub s_1: ScalarBytes,
129}
130
131/// Result of the pre-signature phase for a party
132///
133/// This structure contains all the necessary information from the pre-signature
134/// phase that will be needed to complete the signature in the finish phase.
135///
136/// # Memory Layout
137///
138/// The structure is marked with `#[repr(C)]` to ensure a stable memory layout
139/// and uses `AnyBitPattern` and `NoUninit` for safe memory operations.
140/// It also implements `Zeroize` to ensure sensitive data is securely erased.
141#[derive(Clone, Copy, AnyBitPattern, NoUninit, Zeroize)]
142#[repr(C)]
143pub struct PreSign {
144 /// Final session identifier
145 pub final_session_id: [u8; 32],
146
147 /// First signature component (s_0)
148 pub(crate) s_0: ScalarBytes,
149
150 /// Second signature component (s_1)
151 pub(crate) s_1: ScalarBytes,
152
153 /// Phi_i scalar value
154 pub(crate) phi_i: ScalarBytes,
155
156 /// R point value
157 pub(crate) r: PointBytes,
158
159 /// Public key value
160 pub(crate) public_key: PointBytes,
161
162 /// Party ID
163 pub(crate) party_id: u8,
164}
165
166/// Partial signature from a single party
167///
168/// This structure contains a party's contribution to the final signature.
169/// It implements `Zeroize` and `ZeroizeOnDrop` to ensure sensitive data
170/// is securely erased when the structure is dropped.
171#[derive(Zeroize, ZeroizeOnDrop)]
172pub(crate) struct PartialSignature {
173 /// Final session identifier
174 pub final_session_id: [u8; 32],
175
176 /// Public key value
177 pub public_key: ProjectivePoint,
178
179 /// Hash of the message being signed
180 pub message_hash: [u8; 32],
181
182 /// s_0 Scalar
183 pub s_0: Scalar,
184
185 /// s_1 Scalar
186 pub s_1: Scalar,
187
188 /// R point value
189 pub r: ProjectivePoint,
190}