From 4e222791dad3cde339aa65d9b5f52929b96f74f4 Mon Sep 17 00:00:00 2001
From: LLFourn
Date: Tue, 30 Jul 2024 12:52:30 +1000
Subject: [PATCH] [frost] add Frost::aggregate_binonces
So it's clearer how you can avoid a coordinator
---
 schnorr_fun/src/binonce.rs | 4 ++--
 schnorr_fun/src/frost/mod.rs | 31 +++++++++++++++++++++----------
 schnorr_fun/src/frost/session.rs | 7 ++++++-
 3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/schnorr_fun/src/binonce.rs b/schnorr_fun/src/binonce.rs
index daa1fee8..1d7d27ce 100644
--- a/schnorr_fun/src/binonce.rs
+++ b/schnorr_fun/src/binonce.rs
@@ -62,8 +62,8 @@ impl HashInto for Nonce {
 impl Nonce {
 /// Adds a bunch of binonces together (one for each party signing usually).
- pub fn aggregate(nonces: impl Iterator>) -> Self {
- let agg = nonces.fold([Point::zero(); 2], |acc, nonce| {
+ pub fn aggregate(nonces: impl IntoIterator) -> Self {
+ let agg = nonces.into_iter().fold([Point::zero(); 2], |acc, nonce| {
 [g!(acc[0] + nonce.0[0]), g!(acc[1] + nonce.0[1])]
 });
diff --git a/schnorr_fun/src/frost/mod.rs b/schnorr_fun/src/frost/mod.rs
index c9c4ebca..0f4d8707 100644
--- a/schnorr_fun/src/frost/mod.rs
+++ b/schnorr_fun/src/frost/mod.rs
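Review bot: `Nonce::aggregate` returns the fold's seed, a binonce with `Point::zero()` in both slots, when it is handed an empty iterator, and the new `IntoIterator` signature makes that easier to reach now that `Frost::aggregate_binonces` in the mod.rs hunk forwards whatever it is given without counting. The doc line on `aggregate` says nothing about this case; I would add `/// An empty iterator yields the all-zero binonce, so callers must check they hold enough nonces before aggregating.` The rest of `aggregate` and the enclosing `impl Nonce` continue past the end of the hunk.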
@@ -703,20 +703,31 @@ impl + Clone, NG> Frost {
 Ok((secret_share_with_image, keygen.frost_poly))
 }
+ /// Aggregate the nonces of the signers so you can start a [`party_sign_session`] without a
+ /// coordinator.
+ ///
+ /// [`party_sign_session`]: Self::party_sign_session
+ pub fn aggregate_binonces(
+ &self,
+ nonces: impl IntoIterator,
+ ) -> binonce::Nonce {
+ binonce::Nonce::aggregate(nonces)
+ }
+ /// Start party signing session
 pub fn party_sign_session(
 &self,
- shared_key: Point,
+ public_key: Point,
 parties: BTreeSet,
- agg_binonce: Nonce,
+ agg_binonce: binonce::Nonce,
 message: Message,
 ) -> PartySignSession {
- let binding_coeff = self.binding_coefficient(shared_key, agg_binonce, message);
+ let binding_coeff = self.binding_coefficient(public_key, agg_binonce, message);
 let (final_nonce, binonce_needs_negation) = agg_binonce.bind(binding_coeff);
- let challenge = self.schnorr.challenge(&final_nonce, &shared_key, message);
+ let challenge = self.schnorr.challenge(&final_nonce, &public_key, message);
 PartySignSession {
- shared_key,
+ public_key,
 parties,
 binding_coeff,
 challenge,
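Review bot: The new `aggregate_binonces` performs no check at all, whereas `coordinator_sign_session` in the next hunk panics when `nonces.len() < shared_key.threshold()`; a party taking the coordinator-free path this method advertises therefore gets no equivalent guard, and nothing in the API ties the nonces it aggregates to the `parties` set it then passes to `party_sign_session`. Presumably the aggregate has to cover exactly the parties that will be used for the session (the coordinator path keys its nonces by party for that reason), so the precondition belongs in the doc since the method does not enforce it. I would extend the doc comment with: `/// The nonces must be exactly one per member of the parties set you later pass to party_sign_session, and there must be at least threshold of them; unlike coordinator_sign_session this method checks neither.` The body of `party_sign_session` and the `binding_coefficient` helper continue outside the hunk.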
@@ -736,22 +747,22 @@ impl + Clone, NG> Frost {
 /// If the number of nonces is less than the threshold.
 pub fn coordinator_sign_session(
 &self,
- frost_poly: &SharedKey,
+ shared_key: &SharedKey,
 mut nonces: BTreeMap,
 message: Message,
 ) -> CoordinatorSignSession {
- if nonces.len() < frost_poly.threshold() {
+ if nonces.len() < shared_key.threshold() {
 panic!("nonces' length was less than the threshold");
 }
 let agg_binonce = binonce::Nonce::aggregate(nonces.values().cloned());
- let binding_coeff = self.binding_coefficient(frost_poly.key(), agg_binonce, message);
+ let binding_coeff = self.binding_coefficient(shared_key.key(), agg_binonce, message);
 let (final_nonce, binonce_needs_negation) = agg_binonce.bind(binding_coeff);
 let challenge = self
 .schnorr
- .challenge(&final_nonce, &frost_poly.key(), message);
+ .challenge(&final_nonce, &shared_key.key(), message);
 for nonce in nonces.values_mut() {
 nonce.conditional_negate(binonce_needs_negation);
@@ -799,7 +810,7 @@ impl + Clone, NG> Frost {
 secret_share: &PairedSecretShare,
 secret_nonce: NonceKeyPair,
 ) -> Scalar {
- if session.shared_key != secret_share.shared_key() {
+ if session.public_key != secret_share.shared_key() {
 panic!("the share's shared key is not the same as the shared key of the session");
 }
 let secret_share = secret_share.secret_share();
diff --git a/schnorr_fun/src/frost/session.rs b/schnorr_fun/src/frost/session.rs
index 835838da..9f12e1b0 100644
--- a/schnorr_fun/src/frost/session.rs
+++ b/schnorr_fun/src/frost/session.rs
@@ -63,7 +63,7 @@ impl CoordinatorSignSession {
 serde(crate = "crate::fun::serde")
 )]
 pub struct PartySignSession {
- pub(crate) shared_key: Point,
+ pub(crate) public_key: Point,
 pub(crate) parties: BTreeSet>,
 pub(crate) challenge: Scalar,
 pub(crate) binonce_needs_negation: bool,
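Review bot: In the `@@ -799,7 +810,7 @@` hunk the panic message on the line after the renamed check still says "the shared key of the session", although the field it now compares is `session.public_key`, so the message no longer matches the name a caller will see in the code and in `PartySignSession::public_key`. For consistency with the rename I would change it to `panic!("the share's shared key is not the same as the public key of the session");`. The signing function's signature begins before this hunk and its body continues after it.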
@@ -76,4 +76,9 @@ impl PartySignSession {
 pub fn final_nonce(&self) -> Point {
 self.final_nonce
 }
+
+ /// The public key the session was started under
+ pub fn public_key(&self) -> Point {
+ self.public_key
+ }
 }
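Review bot: The doc on the new `public_key` getter says where the value came from but not what it is for; the signing function in mod.rs panics when `session.public_key != secret_share.shared_key()`, so the getter's main use is letting a party confirm the session matches its share before it signs. I would make that explicit and close the sentence: `/// The public key the session was started under. Compare it with your share's key before signing, since signing with a share for a different key panics.`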