
Blind Schnorr Signatures #98

Open
wants to merge 2 commits into
base: master
from

Conversation


@nickfarrow nickfarrow commented Jun 23, 2022

Blind Schnorr signatures

Todo:

  • proptest
  • docs & synopsis
  • fn BlindingTweaks::from_values(alpha, beta)
  • Improved method for needs_negations?
  • Move frost and musig nonce.rs stuff to binonce and introduce a singular nonce that generates with even-Y (don't have to manually negate in tests & everywhere). Just derive_nonce!() for now.
  • wrapper. Instead follow: Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model.
  • A better wrapper that stores some basic ID / context for maximum N sessions, returning None when sessions are maxed out. Do not give out any signatures until all N sessions are connected.
  • Do not also tweak public key (t)
  • Check whether nonce belongs to current signing session at start of sign()
  • Decide whether max_sessions can be 1 and whether to immediately sign (never concurrent)
  • Decide whether already_signed is appropriate.
  • BlindSigner::drain_sign or something to sign remaining

maybe insecure -- do not use


nickfarrow commented Jul 4, 2022

227b6f2 is an attempt to make this secure (still almost certainly insecure -- do not use).

To safely sign, the signing server should use safe_blind_sign_multiple for N SignRequests, where 1 of N requests is dropped. From my reading this makes parallel signing attacks too difficult, as you are unable to rely on all sessions (is 1 of N always sufficient?).

I doubt this API is ideal (particularly if async), but it's somewhere to start.

@LLFourn LLFourn left a comment


Nice work. Left some comments. The big picture comment I have is whether we can, via the API, prevent a user from opening more parallel sessions than they should be allowed to given the difficulty of the modified ROS problem. E.g. if you try to open one when you already have too many open, you get a None back.

@nickfarrow force-pushed the blind-sig-pr branch 2 times, most recently from 1bb2f18 to 48a0e28 (July 6, 2022 07:19)
@nickfarrow force-pushed the blind-sig-pr branch 2 times, most recently from 6151810 to f5c6f45 (July 29, 2022 06:38)

nickfarrow commented:

I'd like to clean up the multiple uses of "blinded" and "tweaked". The struct Blinder is a bit confusing as to what is disguised and what is not.

@nickfarrow force-pushed the blind-sig-pr branch 3 times, most recently from 4ead9f4 to a06a8d1 (February 1, 2023 07:42)

nickfarrow commented:

These changes have introduced a BlindSigner to manage the state of a signing server in order to be secure against an adversary trying to forge a signature by solving the ROS problem.

The BlindSigner uses its internal schnorr nonce_gen() and a sid to generate nonces.

Users' requests are processed with sequential calls to sign on SignatureRequests, returning nothing until the BlindSigner receives max_sessions requests. Then it will sign all-but-one of the signature requests (in order to avoid concurrent signing attacks) and forget all the nonces.

I have made it so that you can set max_sessions to 1, resulting in instant signing and never "disconnecting". I have also exposed BlindSigner::sign_single which should never be called in parallel (documented).

@nickfarrow nickfarrow marked this pull request as ready for review February 1, 2023 07:51
@nickfarrow force-pushed the blind-sig-pr branch 4 times, most recently from 4274181 to e2e47e5 (February 2, 2023 02:09)

nickfarrow commented:

Latest commits make steps to more safely handle state and a clearer distinction between parallel and single-call execution. There is now a sign_all_but_one to drain all signature requests that were loaded into sign; it can be called at any time instead of waiting for max_sessions number of signatures.

* Disconnect on 1 of N sessions, unless N=1
* Use up nonces when signing.
* Expire sessions when we have given out too many nonces
* Store already signed signatures for polling
* Store already_signed as None for closed sessions
* serde_json Serialize, Deserialize
* Separate sign_all_but_one function for immediate signing
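The server-side policy described in the comments above (hand out at most max_sessions nonces and refuse to open more, queue requests, sign all but one of them, then forget every nonce), as an added example in Rust over a toy multiplicative group. This is not schnorr_fun's BlindSigner: the group parameters, the nonce derivation and the names open_session, sign_all_but_one and verify are constructed for the example.

```rust
use std::collections::HashMap;
// Toy group, constructed for this example: p = 2039 = 2q + 1, q = 1019, g = 4 generates the
// order-q subgroup. A real signer works on secp256k1 with a proper hash and nonce_gen.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4;
fn pow_mod(b: u64, e: u64) -> u64 { // left-to-right square-and-multiply mod p
    (0..64).rev().fold(1, |acc, i| { let a = acc * acc % P; if e >> i & 1 == 1 { a * b % P } else { a } })
}
/// Signing-server state: at most `max_sessions` nonces out at once; batch signs all but one.
pub struct BlindSigner {
    x: u64,                    // secret key
    max_sessions: usize,
    counter: u64,              // stand-in for the session id (sid)
    nonces: HashMap<u64, u64>, // sid -> k, kept only for sessions that may still be signed
    pending: Vec<(u64, u64)>,  // (sid, blinded challenge c) waiting to be signed
}
impl BlindSigner {
    pub fn new(x: u64, max_sessions: usize) -> Self {
        BlindSigner { x, max_sessions: max_sessions.max(1), counter: 0, nonces: HashMap::new(), pending: Vec::new() }
    }
    /// Open a session and return (sid, R = g^k); None once max_sessions are already open.
    pub fn open_session(&mut self) -> Option<(u64, u64)> {
        if self.nonces.len() >= self.max_sessions { return None; }
        self.counter += 1;
        let k = (self.x * 7919 + self.counter * 104729) % Q; // toy nonce, NOT a secure nonce_gen
        self.nonces.insert(self.counter, k);
        Some((self.counter, pow_mod(G, k)))
    }
    /// Queue challenge c for a live session; signed at once only when max_sessions == 1.
    pub fn sign(&mut self, sid: u64, c: u64) -> Option<u64> {
        // Reject unknown/closed sessions and a second request against the same nonce.
        if !self.nonces.contains_key(&sid) || self.pending.iter().any(|p| p.0 == sid) { return None; }
        self.pending.push((sid, c));
        if self.max_sessions == 1 { return self.sign_all_but_one().pop()?.1; }
        None
    }
    /// Sign every queued request except the last one, then forget all nonces.
    pub fn sign_all_but_one(&mut self) -> Vec<(u64, Option<u64>)> {
        let (x, n, drop_one) = (self.x, self.pending.len(), self.max_sessions > 1);
        let mut out = Vec::new();
        for (i, (sid, c)) in self.pending.drain(..).enumerate() {
            let s = self.nonces.get(&sid).filter(|_| !(drop_one && i + 1 == n))
                .map(|k| (*k + c % Q * x) % Q); // s = k + c*x mod q
            out.push((sid, s));
        }
        self.nonces.clear(); // sessions closed: a nonce is never signed with twice
        out
    }
}
// Server-side check of an unblinded triple: g^s == R * y^c (mod p).
pub fn verify(y: u64, r: u64, c: u64, s: u64) -> bool { pow_mod(G, s) == r * pow_mod(y, c) % P }
```

The client-side blinding of R and the challenge is left out; the check only confirms that each returned s is a valid response for the nonce that was handed out.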