protocol

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 18, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package protocol implements threshold signature schemes including DKLS23 ECDSA and FROST Schnorr.

Index

Constants

View Source 
const (

	// Gx is the x-coordinate of the base point G
	Gx = "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"

	// Gy is the y-coordinate of the base point G
	Gy = "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"
)

secp256k1 curve parameters (Bitcoin/Ethereum curve) These are the standard parameters for the secp256k1 elliptic curve

View Source 
const SchnorrSigSize = 64

SchnorrSigSize is the byte length of a serialised secp256k1 Schnorr signature: 32-byte r (x-coord of R) || 32-byte s.

Variables

View Source 
var ErrInvalidHash = &SigningError{msg: "hash must be 32 bytes"}

ErrInvalidHash is returned when the hash is invalid

View Source 
var ErrInvalidOTChoice = &OTError{msg: "receiver choice must be 0 or 1"}

ErrInvalidOTChoice is returned when the receiver's choice is not 0 or 1

View Source 
var ErrInvalidOTInput = &OTError{msg: "sender inputs must be valid scalars in range [1, n-1]"}

ErrInvalidOTInput is returned when sender inputs are invalid

View Source 
var ErrInvalidPublicKey = &SigningError{msg: "public key is invalid"}

ErrInvalidPublicKey is returned when a public key is invalid

View Source 
var ErrInvalidScalar = &ScalarError{msg: "scalar must be in range [1, n-1]"}

ErrInvalidScalar is returned when a scalar is not within the valid range

View Source 
var ErrInvalidSignature = &SigningError{msg: "signature is invalid"}

ErrInvalidSignature is returned when a signature is invalid

Functions

func CombineNonces 

func CombineNonces(Ra, Rb *secp256k1.PublicKey) (*big.Int, *secp256k1.PublicKey, error)

CombineNonces adds two nonce public points and extracts the r value.

This function adds the two nonce public points R_a and R_b to get R = R_a + R_b, then extracts the x-coordinate modulo n to get the signature r value.

Parameters:

  • R_a: Party A's nonce public point
  • R_b: Party B's nonce public point

Returns:

  • r: the x-coordinate of R modulo n
  • R: the combined nonce public point
  • Error if inputs are invalid

func CombinePartialSignatures 

func CombinePartialSignatures(sa, sb *big.Int) (*big.Int, error)

CombinePartialSignatures adds two partial signatures modulo n.

This function combines the partial signatures s_a and s_b from both parties to produce the final signature s = s_a + s_b mod n.

Parameters:

  • s_a: Party A's partial signature
  • s_b: Party B's partial signature

Returns:

  • The combined signature s
  • Error if inputs are invalid

func CombinePublicKeys 

func CombinePublicKeys(publicA, publicB *secp256k1.PublicKey) (*secp256k1.PublicKey, error)

CombinePublicKeys combines two public keys by adding their points on the curve

func ComputeHash 

func ComputeHash(message []byte) []byte

ComputeHash computes the SHA-256 hash of the input message.

This function computes the SHA-256 hash of the message bytes, which is used as the input to the ECDSA signature computation.

Parameters:

  • message: the message bytes to hash

Returns:

  • The 32-byte SHA-256 hash

func ComputeNoncePublic 

func ComputeNoncePublic(k *big.Int) (*secp256k1.PublicKey, error)

ComputeNoncePublic computes the public nonce point R = k * G.

This function multiplies the nonce scalar k by the generator point G on the secp256k1 curve, returning the resulting point R.

Parameters:

  • k: the nonce scalar

Returns:

  • The public nonce point R = k * G
  • Error if k is invalid

func ComputePartialSignature 

func ComputePartialSignature(ki, z, alpha_i, di *big.Int) (*big.Int, error)

ComputePartialSignature computes a party's partial signature component.

This function computes the partial signature s_i for party i using: 

s_i = k_i * z + alpha_i * d_i

where:

  • k_i: the party's nonce share
  • z: the message hash (as a scalar)
  • alpha_i: the party's additive share of the nonce product
  • d_i: the party's private key scalar

Parameters:

  • k_i: the party's nonce share
  • z: the message hash as a big.Int
  • alpha_i: the party's additive share
  • d_i: the party's private key scalar

Returns:

  • The partial signature s_i
  • Error if inputs are invalid

func ComputePublicShare 

func ComputePublicShare(secret []byte) (*secp256k1.PublicKey, error)

ComputePublicShare computes the public share (public key) from a secret share

func GenerateNonceShare 

func GenerateNonceShare() (*big.Int, error)

GenerateNonceShare generates a cryptographically secure random scalar for the nonce.

This function generates a random scalar k in the range [1, n-1] where n is the order of the secp256k1 curve. This scalar is used as a nonce share in the DKLS signing protocol.

When the protocol package is in deterministic (fixed) mode the output is derived from the seeded counter-based hash source so that repeated calls produce the same sequence of values.

Returns:

  • A valid secp256k1 scalar
  • Error if random generation fails

func GenerateOTInputs 

func GenerateOTInputs() ([2]*big.Int, error)

GenerateOTInputs generates two random scalar inputs for the OT sender

func GenerateOpenSSLVerifyCommand 

func GenerateOpenSSLVerifyCommand(sigR, sigS, message, pubKey string) string

GenerateOpenSSLVerifyCommand generates an OpenSSL command string to verify an ECDSA signature externally.

Parameters:

  • sigR: Hex-encoded R component of the signature (32 bytes)
  • sigS: Hex-encoded S component of the signature (32 bytes)
  • message: Hex-encoded message to verify
  • pubKey: Hex-encoded public key (64 bytes for x||y without 0x04 prefix)

Returns the openssl dgst command string that can be executed to verify the signature.

func GenerateRandomBytes 

func GenerateRandomBytes(length int) ([]byte, error)

GenerateRandomBytes generates cryptographically secure random bytes

func GenerateSecretShare 

func GenerateSecretShare() ([]byte, error)

GenerateSecretShare generates a cryptographically random 32-byte secret share

func GenerateSecretShareFixed 

func GenerateSecretShareFixed(seed int64) []byte

GenerateSecretShareFixed generates a deterministic 32-byte secret share from a seed

func IsDeterministic 

func IsDeterministic() bool

IsDeterministic returns true if deterministic mode is currently active.

func IsOnCurve 

func IsOnCurve(x, y []byte) bool

IsOnCurve verifies that a given (x, y) coordinate pair satisfies the secp256k1 equation y^2 = x^3 + 7 mod p. It handles affine coordinates and edge cases. x and y are expected to be 32-byte slices representing the coordinates.

func MultiplicativeToAdditive 

func MultiplicativeToAdditive(ka, kb *big.Int) (alpha, beta *big.Int, err error)

MultiplicativeToAdditive converts the product of two multiplicative shares into additive shares (alpha, beta) such that alpha + beta = k_a * k_b mod n.

Given multiplicative shares k_a and k_b, this function computes additive shares alpha and beta where:

  • alpha + beta = k_a * k_b (mod n)
  • alpha is computed as k_a * k_b - beta
  • beta is a random value in [0, n)

This is used in the DKLS protocol to convert multiplicative shares of the nonce product into additive shares that can be combined to produce the final signature.

func NewSecp256k1Curve 

func NewSecp256k1Curve() elliptic.Curve

NewSecp256k1Curve returns a new secp256k1 curve instance

func ParseSchnorrSignature 

func ParseSchnorrSignature(sig []byte) (r, s *big.Int, err error)

ParseSchnorrSignature decodes a 64-byte secp256k1 Schnorr wire-format signature produced by SerializeSchnorrSignature. It returns the r x-coordinate (as a *big.Int) and the s scalar. The caller can recover the full R point from r using the curve if needed; for Schnorr verification under our scheme the full uncompressed R point is carried separately.

func SerializeSchnorrSignature 

func SerializeSchnorrSignature(sigR *secp256k1.PublicKey, sigS *big.Int) ([]byte, error)

SerializeSchnorrSignature encodes a FROST/Schnorr (R, S) pair into the standard 64-byte secp256k1 Schnorr wire format: 

bytes  0-31 : x-coordinate of R (big-endian, zero-padded to 32 bytes)
bytes 32-63 : s scalar           (big-endian, zero-padded to 32 bytes)

This matches the format used by BIP-340 / libsecp256k1.

func SetDeterministic 

func SetDeterministic(seed int64)

SetDeterministic activates deterministic (fixed) mode for all cryptographic operations in the protocol package. The given seed is used to initialise the counter-based deterministic byte source.

Call SetDeterministic(0) to reset to non-deterministic (OS entropy) mode.

func SimulateOT 

func SimulateOT(senderInputs [2]*big.Int, receiverChoice int) (*big.Int, error)

SimulateOT simulates oblivious transfer semantics for educational demonstration.

In a 1-out-of-2 OT protocol:

  • The sender has two inputs: input0 and input1
  • The receiver has a choice bit: 0 or 1
  • The receiver learns only the input corresponding to their choice
  • The sender learns nothing about the receiver's choice

This function simulates the OT outcome without implementing full OT crypto, ensuring educational correctness for the DKLS ceremony demonstration.

Parameters:

  • senderInputs: array of two scalars [input0, input1]
  • receiverChoice: the receiver's choice bit (0 or 1)

Returns:

  • The selected input based on receiver's choice
  • Error if inputs are invalid

func ValidateSchnorrEncoding 

func ValidateSchnorrEncoding(sig []byte) error

ValidateSchnorrEncoding checks that a serialised Schnorr signature has the correct 64-byte length and that both the r and s components are within the valid scalar range [1, n-1]. It returns a non-nil error describing the first violation found.

func VerifyECDSA 

func VerifyECDSA(pubKey *secp256k1.PublicKey, message []byte, sig *ECDSASignature) bool

VerifyECDSA verifies sig against the SHA-256 hash of message using pubKey.

func VerifyECDSASignature 

func VerifyECDSASignature(r, s *big.Int, publicKey *secp256k1.PublicKey, hash []byte) (bool, error)

VerifyECDSASignature verifies an ECDSA signature (r, s) against a public key.

This function verifies that the signature (r, s) is valid for the given message hash and public key using standard ECDSA verification on secp256k1.

Parameters:

  • r: the r component of the signature
  • s: the s component of the signature
  • publicKey: the public key to verify against
  • hash: the message hash

Returns:

  • true if the signature is valid
  • false if the signature is invalid
  • Error if inputs are invalid

func VerifySchnorrSignature 

func VerifySchnorrSignature(publicKey *secp256k1.PublicKey, sigR *secp256k1.PublicKey, sigS *big.Int, message []byte) (bool, error)

VerifySchnorrSignature verifies a Schnorr signature (R, S) against a public key and message.

Schnorr verification equation: s*G = R + e*P where:

  • R is the nonce point (public key)
  • S is the signature scalar
  • P is the public key
  • e = H(R || message || P) is the challenge
  • G is the generator point

Parameters:

  • publicKey: The public key to verify against (combined public key P)
  • sigR: The R component of the signature (nonce point)
  • sigS: The S component of the signature (scalar)
  • message: The message that was signed

Returns true if the signature is valid, false otherwise.

func VerifySignature 

func VerifySignature(pubkey, sigR, sigS, message string) (bool, error)

VerifySignature verifies an ECDSA signature against a message and public key using secp256k1 curve.

Parameters:

  • pubkey: Hex-encoded public key (64 bytes for x||y uncompressed, or 33 bytes for compressed)
  • sigR: Hex-encoded R component of the signature (32 bytes, may have leading zeros)
  • sigS: Hex-encoded S component of the signature (32 bytes, may have leading zeros)
  • message: Hex-encoded message to verify

Returns true if the signature is valid, false otherwise.

Types

type Ceremony 

type Ceremony struct {
	// Configuration
	FixedMode bool
	Message   []byte
	Speed     string
	NoColor   bool

	// Party A state
	PartyAKey *secp256k1.PrivateKey
	PartyAPub *secp256k1.PublicKey

	// Party B state
	PartyBKey *secp256k1.PrivateKey
	PartyBPub *secp256k1.PublicKey

	// Shared/derived state
	PhantomKey *secp256k1.PublicKey
	SignatureR *big.Int
	SignatureS *big.Int

	// Current scene
	CurrentScene int

	// Keygen phase state
	KeygenState *KeygenState

	// Signing phase state
	SigningState *SigningState

	// OT (Oblivious Transfer) phase state
	OTState *OTState

	// MTA (Message Transfer Agreement) phase state
	MTAState *MTAState

	// Verify phase state
	VerifyState *VerifyState

	// Signing intermediate results (populated by SignMessage)
	SigningResult *SigningResult

	// Progress tracking
	CurrentPhase  int // 0=keygen, 1=signing, 2=OT, 3=MTA, 4=verify
	PhaseComplete map[int]bool
	// contains filtered or unexported fields
}

Ceremony represents the TSS signing ceremony state, aggregating all protocol phases

func NewCeremony 

func NewCeremony(fixedMode bool, message string, speed string, noColor bool) (*Ceremony, error)

NewCeremony creates a new ceremony instance

func NewCeremonyFromConfig 

func NewCeremonyFromConfig(config *CeremonyConfig) (*Ceremony, error)

NewCeremonyFromConfig creates a new Ceremony instance from a CeremonyConfig

func (*Ceremony) CompletePhase 

func (c *Ceremony) CompletePhase() error

CompletePhase marks the current phase as complete and advances to the next phase

func (*Ceremony) GetConfig 

func (c *Ceremony) GetConfig() *CeremonyConfig

GetConfig returns a CeremonyConfig based on the current ceremony state

func (*Ceremony) GetCurrentPhase 

func (c *Ceremony) GetCurrentPhase() int

GetCurrentPhase returns the current phase index

func (*Ceremony) GetCurrentPhaseName 

func (c *Ceremony) GetCurrentPhaseName() string

GetCurrentPhaseName returns the name of the current phase

func (*Ceremony) GetOpenSSLVerifyCmd 

func (c *Ceremony) GetOpenSSLVerifyCmd() string

GetOpenSSLVerifyCmd returns an openssl one-liner to verify the ceremony signature.

func (*Ceremony) GetPartyAPubKeyHex 

func (c *Ceremony) GetPartyAPubKeyHex() string

GetPartyAPubKeyHex returns Party A's public key as hex string

func (*Ceremony) GetPartyBPubKeyHex 

func (c *Ceremony) GetPartyBPubKeyHex() string

GetPartyBPubKeyHex returns Party B's public key as hex string

func (*Ceremony) GetPhantomPubKeyHex 

func (c *Ceremony) GetPhantomPubKeyHex() string

GetPhantomPubKeyHex returns the phantom public key as hex string

func (*Ceremony) GetPhaseName 

func (c *Ceremony) GetPhaseName(phase int) string

GetPhaseName returns the name of a phase

func (*Ceremony) GetPubKeyDERHex 

func (c *Ceremony) GetPubKeyDERHex() string

GetPubKeyDERHex returns the combined public key as a DER-encoded SubjectPublicKeyInfo hex string suitable for openssl.

func (*Ceremony) GetSignatureDERHex 

func (c *Ceremony) GetSignatureDERHex() string

GetSignatureDERHex returns the ECDSA signature as a DER-encoded hex string.

func (*Ceremony) GetSignatureHex 

func (c *Ceremony) GetSignatureHex() (string, string)

GetSignatureHex returns the signature as hex strings (R, S)

func (*Ceremony) GetSpeedDelay 

func (c *Ceremony) GetSpeedDelay() float64

GetSpeedDelay returns the delay multiplier based on speed setting

func (*Ceremony) GetState 

func (c *Ceremony) GetState() *CeremonyState

GetState returns the current ceremony state

func (*Ceremony) Init 

func (c *Ceremony) Init() error

Init initializes the ceremony state and prepares it for execution

func (*Ceremony) IsComplete 

func (c *Ceremony) IsComplete() bool

IsComplete returns true if all phases have been completed

func (*Ceremony) IsFixedMode 

func (c *Ceremony) IsFixedMode() bool

IsFixedMode returns true if the ceremony is running in fixed/deterministic mode

func (*Ceremony) IsPhaseComplete 

func (c *Ceremony) IsPhaseComplete(phase int) bool

IsPhaseComplete returns whether a phase is complete

func (*Ceremony) MarkPhaseComplete 

func (c *Ceremony) MarkPhaseComplete(phase int)

MarkPhaseComplete marks a phase as complete

func (*Ceremony) Reset 

func (c *Ceremony) Reset()

Reset resets the ceremony state while preserving configuration

func (*Ceremony) SetCurrentPhase 

func (c *Ceremony) SetCurrentPhase(phase int)

SetCurrentPhase sets the current phase index

func (*Ceremony) SignMessage 

func (c *Ceremony) SignMessage() error

SignMessage performs the DKLS threshold signing ceremony. It runs the full protocol: nonce generation, OT, MtA, partial signatures, and combines them into a valid ECDSA signature over the combined public key.

func (*Ceremony) StartPhase 

func (c *Ceremony) StartPhase(phase int) error

StartPhase begins execution of a specific phase

type CeremonyConfig 

type CeremonyConfig struct {
	// FixedMode enables deterministic runs with fixed seeds for testing
	FixedMode bool

	// Message is the plaintext message to sign (optional, defaults to demo message)
	Message string

	// Speed controls animation speed: "slow", "normal", or "fast"
	Speed string

	// NoColor disables ANSI color output
	NoColor bool

	// FixedSeed is used for deterministic key generation when FixedMode is true
	FixedSeed uint64

	// ParticipantCount is the number of participants in the ceremony (default: 2)
	ParticipantCount int

	// Threshold is the minimum number of participants required to sign (default: 2)
	Threshold int

	// UseFROST enables FROST (Schnorr) signing instead of DKLS (ECDSA)
	UseFROST bool

	// ShowSecurityProof enables display of security proof details
	ShowSecurityProof bool

	// SkipScenes is a list of scene numbers to skip during the ceremony
	SkipScenes []int
}

CeremonyConfig holds configuration for the TSS signing ceremony

func DefaultCeremonyConfig 

func DefaultCeremonyConfig() *CeremonyConfig

DefaultCeremonyConfig returns a CeremonyConfig with default values

func (*CeremonyConfig) Validate 

func (c *CeremonyConfig) Validate() error

Validate checks that the configuration is valid

type CeremonyState 

type CeremonyState struct {
	CurrentPhase  int
	PhaseComplete map[int]bool
	KeygenState   *KeygenState
	SigningState  *SigningState
	OTState       *OTState
	MTAState      *MTAState
	VerifyState   *VerifyState
	IsInitialized bool
	IsComplete    bool
}

CeremonyState represents the overall state of the ceremony

type ECDSASignature 

type ECDSASignature struct {
	R *big.Int
	S *big.Int
}

ECDSASignature holds the R and S components of an ECDSA signature.

func DecodeDER 

func DecodeDER(derBytes []byte) (*ECDSASignature, error)

DecodeDER parses a DER-encoded ECDSA signature.

func SignECDSA 

func SignECDSA(privKey *secp256k1.PrivateKey, message []byte) (*ECDSASignature, error)

SignECDSA signs message (SHA-256 hashed) with privKey and returns the signature.

func (*ECDSASignature) EncodeDER 

func (sig *ECDSASignature) EncodeDER() ([]byte, error)

EncodeDER encodes an ECDSA signature into DER (ASN.1) format compatible with OpenSSL.

func (*ECDSASignature) HexR 

func (sig *ECDSASignature) HexR() string

HexR returns the R component as a hex string.

func (*ECDSASignature) HexS 

func (sig *ECDSASignature) HexS() string

HexS returns the S component as a hex string.

type ECDSAVerifier 

type ECDSAVerifier struct {
	// contains filtered or unexported fields
}

ECDSAVerifier provides ECDSA signature verification functionality.

func NewECDSAVerifier 

func NewECDSAVerifier(pubKey *secp256k1.PublicKey) *ECDSAVerifier

NewECDSAVerifier creates a new ECDSAVerifier with the given public key.

func NewECDSAVerifierFromHex 

func NewECDSAVerifierFromHex(pubKeyHex string) (*ECDSAVerifier, error)

NewECDSAVerifierFromHex creates a new ECDSAVerifier from a hex-encoded public key. The public key can be:

  • 64 bytes (x||y without 0x04 prefix)
  • 33 bytes (compressed format)
  • 65 bytes (uncompressed format with 0x04 prefix)

func (*ECDSAVerifier) Verify 

func (v *ECDSAVerifier) Verify(message []byte, r, s *big.Int) bool

Verify verifies an ECDSA signature against a message. Returns true if the signature is valid, false otherwise.

func (*ECDSAVerifier) VerifyHex 

func (v *ECDSAVerifier) VerifyHex(sigR, sigS, message string) (bool, error)

VerifyHex verifies an ECDSA signature given hex-encoded components. Parameters:

  • sigR: Hex-encoded R component (32 bytes)
  • sigS: Hex-encoded S component (32 bytes)
  • message: Hex-encoded message to verify

Returns true if the signature is valid, false otherwise.

func (*ECDSAVerifier) VerifyWithSignature 

func (v *ECDSAVerifier) VerifyWithSignature(message []byte, sig *ECDSASignature) bool

VerifyWithSignature verifies an ECDSA signature given an ECDSASignature struct.

type FROSTConfig 

type FROSTConfig struct {
	Fixed   bool
	Message []byte
}

FROSTConfig holds configuration for FROST signing

type FROSTParty 

type FROSTParty struct {
	ID         int
	Secret     *big.Int             // Secret share x_i
	Public     *secp256k1.PublicKey // Public share P_i = x_i * G
	Nonce      *big.Int             // Nonce share k_i
	NoncePoint *secp256k1.PublicKey // Nonce point R_i = k_i * G
	PartialSig *big.Int             // Partial signature s_i
}

FROSTParty represents a party in the FROST protocol

type FROSTSignature 

type FROSTSignature struct {
	R *secp256k1.PublicKey // Combined nonce point R
	S *big.Int             // Combined signature scalar s
}

FROSTSignature represents a FROST Schnorr signature

type FROSTSigner 

type FROSTSigner struct {
	Parties []*FROSTParty
	P       *secp256k1.PublicKey // Combined public key P = P_A + P_B
	R       *secp256k1.PublicKey // Combined nonce point R = R_A + R_B
	E       *big.Int             // Challenge e = H(R, message, P)
	S       *big.Int             // Final signature s = s_A + s_B
	Fixed   bool                 // Use fixed values for deterministic runs
}

FROSTSigner manages the FROST signing protocol for 2-of-2 threshold

func NewFROSTSigner 

func NewFROSTSigner(config FROSTConfig) (*FROSTSigner, error)

NewFROSTSigner creates a new FROST signer with two parties

func (*FROSTSigner) AggregateSignatures 

func (fs *FROSTSigner) AggregateSignatures() error

AggregateSignatures combines partial signatures into final signature s = s_A + s_B (mod n)

func (*FROSTSigner) ComputeChallenge 

func (fs *FROSTSigner) ComputeChallenge(message []byte) error

ComputeChallenge computes the challenge e = H(R || message || P)

func (*FROSTSigner) ComputePartialSignatures 

func (fs *FROSTSigner) ComputePartialSignatures() error

ComputePartialSignatures computes partial signatures for all parties s_i = k_i + e * x_i (mod n)

func (*FROSTSigner) GenerateNonces 

func (fs *FROSTSigner) GenerateNonces() error

GenerateNonces generates nonce shares for all parties

func (*FROSTSigner) GenerateNoncesWithFixed 

func (fs *FROSTSigner) GenerateNoncesWithFixed(fixed bool) error

GenerateNoncesWithFixed generates nonce shares for all parties, optionally using fixed values

func (*FROSTSigner) GetCombinedPublicKey 

func (fs *FROSTSigner) GetCombinedPublicKey() *secp256k1.PublicKey

GetCombinedPublicKey returns the combined public key P

func (*FROSTSigner) GetPartyPublic 

func (fs *FROSTSigner) GetPartyPublic(id int) *secp256k1.PublicKey

GetPartyPublic returns a party's public share

func (*FROSTSigner) GetPartySecret 

func (fs *FROSTSigner) GetPartySecret(id int) *big.Int

GetPartySecret returns a party's secret share (for testing/debugging)

func (*FROSTSigner) Sign 

func (fs *FROSTSigner) Sign(message []byte) (*FROSTSignature, error)

Sign performs the complete FROST signing protocol

type FrostAnimatedScene 

type FrostAnimatedScene struct {
	// contains filtered or unexported fields
}

FrostAnimatedScene represents the FROST signing animation at the protocol level It provides step-by-step progression through the FROST signing process

func NewFrostAnimatedScene 

func NewFrostAnimatedScene(config FROSTConfig) *FrostAnimatedScene

NewFrostAnimatedScene creates a new FROST animated scene with the given configuration

func (*FrostAnimatedScene) Aggregate 

func (s *FrostAnimatedScene) Aggregate() (*FrostAnimatedStep, error)

Aggregate executes the signature aggregation step of the FROST animation This step visualizes the combination of partial signatures from all participants into the final group signature s = s_A + s_B (mod n).

func (*FrostAnimatedScene) Cleanup 

func (s *FrostAnimatedScene) Cleanup()

Cleanup releases resources and resets the scene state

func (*FrostAnimatedScene) GetCombinedPublicKey 

func (s *FrostAnimatedScene) GetCombinedPublicKey() *secp256k1.PublicKey

GetCombinedPublicKey returns the combined public key

func (*FrostAnimatedScene) GetCurrentStep 

func (s *FrostAnimatedScene) GetCurrentStep() int

GetCurrentStep returns the current step index

func (*FrostAnimatedScene) GetPartyNoncePoint 

func (s *FrostAnimatedScene) GetPartyNoncePoint(id int) *secp256k1.PublicKey

GetPartyNoncePoint returns a party's nonce point

func (*FrostAnimatedScene) GetPartyNonceShare 

func (s *FrostAnimatedScene) GetPartyNonceShare(id int) *big.Int

GetPartyNonceShare returns a party's nonce share

func (*FrostAnimatedScene) GetPartyPartialSig 

func (s *FrostAnimatedScene) GetPartyPartialSig(id int) *big.Int

GetPartyPartialSig returns a party's partial signature

func (*FrostAnimatedScene) GetPartyPublicShare 

func (s *FrostAnimatedScene) GetPartyPublicShare(id int) *secp256k1.PublicKey

GetPartyPublicShare returns a party's public share

func (*FrostAnimatedScene) GetPartySecretShare 

func (s *FrostAnimatedScene) GetPartySecretShare(id int) *big.Int

GetPartySecretShare returns a party's secret share (for testing/debugging)

func (*FrostAnimatedScene) GetSignature 

func (s *FrostAnimatedScene) GetSignature() *FROSTSignature

GetSignature returns the final FROST signature if available

func (*FrostAnimatedScene) GetStepDescription 

func (s *FrostAnimatedScene) GetStepDescription() string

GetStepDescription returns the description of the current step

func (*FrostAnimatedScene) GetStepName 

func (s *FrostAnimatedScene) GetStepName() string

GetStepName returns the name of the current step

func (*FrostAnimatedScene) GetTotalSteps 

func (s *FrostAnimatedScene) GetTotalSteps() int

GetTotalSteps returns the total number of steps

func (*FrostAnimatedScene) Init 

func (s *FrostAnimatedScene) Init() error

Init initializes the FROST signer and prepares the animation steps

func (*FrostAnimatedScene) KeyGen 

func (s *FrostAnimatedScene) KeyGen() (*FrostAnimatedStep, error)

KeyGen executes the key generation step of the FROST animation This step visualizes the generation of individual secret shares and public keys for each participant, then combines them into the shared public key.

func (*FrostAnimatedScene) NonceGen 

func (s *FrostAnimatedScene) NonceGen() (*FrostAnimatedStep, error)

NonceGen executes the nonce generation step of the FROST animation This step visualizes the generation of nonce shares and nonce points for each participant, then combines them into the shared nonce point R.

func (*FrostAnimatedScene) PartialSig 

func (s *FrostAnimatedScene) PartialSig() (*FrostAnimatedStep, error)

PartialSig executes the partial signature computation step of the FROST animation This step visualizes each participant computing their partial signature s_i = k_i + e * x_i (mod n), where k_i is the nonce share, e is the challenge, and x_i is the secret share.

func (*FrostAnimatedScene) Run 

func (s *FrostAnimatedScene) Run() (*FrostAnimatedStep, error)

Run executes the current step of the animation and returns the step data

type FrostAnimatedStep 

type FrostAnimatedStep struct {
	Name        string
	Description string
	PartyAData  map[string]interface{}
	PartyBData  map[string]interface{}
	SharedData  map[string]interface{}
}

FrostAnimatedStep represents a single step in the FROST signing animation

type HashMessage 

type HashMessage struct {
	// Message is the original message bytes.
	Message []byte
	// Hash is the SHA-256 hash of the message.
	Hash []byte
}

HashMessage represents a message and its SHA-256 hash.

func NewHashMessage 

func NewHashMessage(message []byte) *HashMessage

NewHashMessage creates a new HashMessage by computing the SHA-256 hash of the input message.

Parameters:

  • message: the message bytes to hash

Returns:

  • A pointer to a HashMessage struct containing the original message and its hash

type KeygenState 

type KeygenState struct {
	// Party A key material
	PartyAKey []byte
	PartyAPub []byte

	// Party B key material
	PartyBKey []byte
	PartyBPub []byte

	// Shared key material
	PhantomPub []byte

	// Keygen progress
	KeysGenerated     bool
	PublicKeysDerived bool
}

KeygenState holds state for the key generation phase

type MTAState 

type MTAState struct {
	// Party A MTA data
	PartyAMTAData []byte
	PartyAMTASig  []byte

	// Party B MTA data
	PartyBMTAData []byte
	PartyBMTASig  []byte

	// MTA progress
	MTAInitiated bool
	MTAVerified  bool
}

MTAState holds state for the Message Transfer Agreement phase

type OTError 

type OTError struct {
	// contains filtered or unexported fields
}

OTError represents an error with OT protocol parameters

func (*OTError) Error 

func (e *OTError) Error() string

type OTState 

type OTState struct {
	// Party A OT inputs
	PartyAOTInput  []byte
	PartyAOTOutput []byte

	// Party B OT inputs
	PartyBOTInput  []byte
	PartyBOTOutput []byte

	// OT progress
	OTInitiated bool
	OTCompleted bool
}

OTState holds state for the Oblivious Transfer phase

type ScalarError 

type ScalarError struct {
	// contains filtered or unexported fields
}

ScalarError represents an error with scalar values

func (*ScalarError) Error 

func (e *ScalarError) Error() string

type Signature 

type Signature struct {
	R *big.Int
	S *big.Int
}

Signature represents an ECDSA signature with r and s components

func Sign 

func Sign(Ra, Rb *secp256k1.PublicKey, sa, sb *big.Int) (*Signature, *secp256k1.PublicKey, error)

Sign performs the DKLS threshold ECDSA signing ceremony.

This function integrates CombineNonces into the signing flow by: 1. Adding the two nonce public points Ra and Rb to get R = Ra + Rb 2. Extracting r = x mod n from the combined point 3. Combining the partial signatures sa and sb to get s = sa + sb mod n 4. Returning the final signature (r, s)

Parameters:

  • Ra: Party A's nonce public point
  • Rb: Party B's nonce public point
  • sa: Party A's partial signature
  • sb: Party B's partial signature

Returns:

  • The final ECDSA signature (r, s)
  • The combined nonce public point R
  • Error if inputs are invalid

type Signer 

type Signer struct {
	// contains filtered or unexported fields
}

Signer holds a secp256k1 private key and provides ECDSA signing functionality.

func NewSigner 

func NewSigner() (*Signer, error)

NewSigner generates a new random secp256k1 private key and derives the public key.

func NewSignerFromBytes 

func NewSignerFromBytes(keyBytes []byte) (*Signer, error)

NewSignerFromBytes creates a Signer from raw 32-byte private key scalar.

func (*Signer) PublicKey 

func (s *Signer) PublicKey() *secp256k1.PublicKey

PublicKey returns the signer's secp256k1 public key.

func (*Signer) PublicKeyCompressedHex 

func (s *Signer) PublicKeyCompressedHex() string

PublicKeyCompressedHex returns the compressed public key as a hex string.

func (*Signer) PublicKeyHex 

func (s *Signer) PublicKeyHex() string

PublicKeyHex returns the uncompressed public key (without 0x04 prefix) as a hex string.

func (*Signer) Sign 

func (s *Signer) Sign(message []byte) (*big.Int, *big.Int, error)

Sign hashes message with SHA-256 and produces a standard ECDSA signature. Returns the (R, S) components as *big.Int values.

func (*Signer) SignHex 

func (s *Signer) SignHex(message []byte) (rHex, sHex string, err error)

SignHex hashes message with SHA-256, signs it, and returns (R, S) as hex strings.

func (*Signer) Verify 

func (s *Signer) Verify(message []byte, r, sigS *big.Int) bool

Verify checks an ECDSA (R, S) signature against the SHA-256 hash of message using the signer's own public key.

type SigningError 

type SigningError struct {
	// contains filtered or unexported fields
}

SigningError represents an error with signing protocol parameters

func (*SigningError) Error 

func (e *SigningError) Error() string

type SigningResult 

type SigningResult struct {
	// Nonces
	NonceA    *big.Int
	NonceB    *big.Int
	NonceAPub *secp256k1.PublicKey
	NonceBPub *secp256k1.PublicKey
	CombinedR *secp256k1.PublicKey

	// OT demonstration values
	OTInputs [2]*big.Int
	OTChoice int
	OTOutput *big.Int

	// MtA
	Alpha *big.Int
	Beta  *big.Int

	// Partial signatures
	PartialSigA *big.Int
	PartialSigB *big.Int

	// Final values
	R    *big.Int
	S    *big.Int
	Hash []byte
}

SigningResult holds all intermediate values from the DKLS signing ceremony for display in the TUI.

type SigningState 

type SigningState struct {
	// Message to sign
	Message []byte

	// Partial signatures
	PartyAPartialSig []byte
	PartyBPartialSig []byte

	// Combined signature components
	SignatureR []byte
	SignatureS []byte

	// Signing progress
	MessageHashed        bool
	PartialSigsGenerated bool
	SignatureCombined    bool
}

SigningState holds state for the signing phase

type VerifyState 

type VerifyState struct {
	// Signature to verify
	SignatureR []byte
	SignatureS []byte

	// Public key for verification
	PublicKey []byte

	// Message hash
	MessageHash []byte

	// Verification result
	IsValid  bool
	Verified bool
}

VerifyState holds state for the verification phase

Source Files

View all Source files
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.