Create a dedicated crate for the DKG (#141)

* Add dkg crate

* Remove F_len and G_len

They're generally no longer used.

* Replace hash_to_vec with a provided method around associated type H: Digest

Part of trying to minimize this trait so it can be moved elsewhere. Vec, 
which isn't std, may have been a blocker.

* Encrypt secret shares within the FROST library

Reduces requirements on callers in order to be correct.

* Update usage of Zeroize within FROST

* Inline functions in key_gen

There was no reason to have them separated as they were. sign probably 
has the same statement available, yet that isn't the focus right now.

* Add a ciphersuite package which provides hash_to_F

* Set the Ciphersuite version to something valid

* Have ed448 export Scalar/FieldElement/Point at the top level

* Move FROST over to Ciphersuite

* Correct usage of ff in ciphersuite

* Correct documentation handling

* Move Schnorr signatures to their own crate

* Remove unused feature from schnorr

* Fix Schnorr tests

* Split DKG into a separate crate

* Add serialize to Commitments and SecretShare

Helper for buf = vec![]; .write(buf).unwrap(); buf

* Move FROST over to the new dkg crate

* Update Monero lib to latest FROST

* Correct ethereum's usage of features

* Add serialize to GeneratorProof

* Add serialize helper function to FROST

* Rename AddendumSerialize to WriteAddendum

* Update processor

* Slight fix to processor

crypto/dkg/src/tests/frost.rs

@@ -0,0 +1,81 @@
+use std::collections::HashMap;
+
+use rand_core::{RngCore, CryptoRng};
+
+use crate::{
+  Ciphersuite, ThresholdParams, ThresholdCore,
+  frost::{SecretShare, Commitments, KeyGenMachine},
+  tests::{THRESHOLD, PARTICIPANTS, clone_without},
+};
+
+/// Fully perform the FROST key generation algorithm.
+pub fn frost_gen<R: RngCore + CryptoRng, C: Ciphersuite>(
+  rng: &mut R,
+) -> HashMap<u16, ThresholdCore<C>> {
+  let mut machines = HashMap::new();
+  let mut commitments = HashMap::new();
+  for i in 1 ..= PARTICIPANTS {
+    let machine = KeyGenMachine::<C>::new(
+      ThresholdParams::new(THRESHOLD, PARTICIPANTS, i).unwrap(),
+      "DKG Test Key Generation".to_string(),
+    );
+    let (machine, these_commitments) = machine.generate_coefficients(rng);
+    machines.insert(i, machine);
+
+    commitments.insert(
+      i,
+      Commitments::read::<&[u8]>(
+        &mut these_commitments.serialize().as_ref(),
+        ThresholdParams { t: THRESHOLD, n: PARTICIPANTS, i: 1 },
+      )
+      .unwrap(),
+    );
+  }
+
+  let mut secret_shares = HashMap::new();
+  let mut machines = machines
+    .drain()
+    .map(|(l, machine)| {
+      let (machine, mut shares) =
+        machine.generate_secret_shares(rng, clone_without(&commitments, &l)).unwrap();
+      let shares = shares
+        .drain()
+        .map(|(l, share)| {
+          (l, SecretShare::<C::F>::read::<&[u8]>(&mut share.serialize().as_ref()).unwrap())
+        })
+        .collect::<HashMap<_, _>>();
+      secret_shares.insert(l, shares);
+      (l, machine)
+    })
+    .collect::<HashMap<_, _>>();
+
+  let mut verification_shares = None;
+  let mut group_key = None;
+  machines
+    .drain()
+    .map(|(i, machine)| {
+      let mut our_secret_shares = HashMap::new();
+      for (l, shares) in &secret_shares {
+        if i == *l {
+          continue;
+        }
+        our_secret_shares.insert(*l, shares[&i].clone());
+      }
+      let these_keys = machine.complete(rng, our_secret_shares).unwrap();
+
+      // Verify the verification_shares are agreed upon
+      if verification_shares.is_none() {
+        verification_shares = Some(these_keys.verification_shares());
+      }
+      assert_eq!(verification_shares.as_ref().unwrap(), &these_keys.verification_shares());
+
+      // Verify the group keys are agreed upon
+      if group_key.is_none() {
+        group_key = Some(these_keys.group_key());
+      }
+      assert_eq!(group_key.unwrap(), these_keys.group_key());
+
+      (i, these_keys)
+    })
+    .collect::<HashMap<_, _>>()
+}

crypto/dkg/src/tests/mod.rs

@@ -0,0 +1,69 @@
+use std::collections::HashMap;
+
+use rand_core::{RngCore, CryptoRng};
+
+use group::ff::Field;
+
+use ciphersuite::Ciphersuite;
+
+use crate::{ThresholdCore, ThresholdKeys, lagrange};
+
+/// FROST generation test.
+pub mod frost;
+use frost::frost_gen;
+
+// Promotion test.
+mod promote;
+use promote::test_generator_promotion;
+
+/// Constant amount of participants to use when testing.
+pub const PARTICIPANTS: u16 = 5;
+/// Constant threshold of participants to use when signing.
+pub const THRESHOLD: u16 = ((PARTICIPANTS / 3) * 2) + 1;
+
+/// Clone a map without a specific value.
+pub fn clone_without<K: Clone + std::cmp::Eq + std::hash::Hash, V: Clone>(
+  map: &HashMap<K, V>,
+  without: &K,
+) -> HashMap<K, V> {
+  let mut res = map.clone();
+  res.remove(without).unwrap();
+  res
+}
+
+/// Recover the secret from a collection of keys.
+pub fn recover_key<C: Ciphersuite>(keys: &HashMap<u16, ThresholdKeys<C>>) -> C::F {
+  let first = keys.values().next().expect("no keys provided");
+  assert!(keys.len() >= first.params().t().into(), "not enough keys provided");
+  let included = keys.keys().cloned().collect::<Vec<_>>();
+
+  let group_private = keys.iter().fold(C::F::zero(), |accum, (i, keys)| {
+    accum + (keys.secret_share() * lagrange::<C::F>(*i, &included))
+  });
+  assert_eq!(C::generator() * group_private, first.group_key(), "failed to recover keys");
+  group_private
+}
+
+/// Generate threshold keys for tests.
+pub fn key_gen<R: RngCore + CryptoRng, C: Ciphersuite>(
+  rng: &mut R,
+) -> HashMap<u16, ThresholdKeys<C>> {
+  let res = frost_gen(rng)
+    .drain()
+    .map(|(i, core)| {
+      assert_eq!(
+        &ThresholdCore::<C>::deserialize::<&[u8]>(&mut core.serialize().as_ref()).unwrap(),
+        &core
+      );
+      (i, ThresholdKeys::new(core))
+    })
+    .collect();
+  assert_eq!(C::generator() * recover_key(&res), res[&1].group_key());
+  res
+}
+
+/// Run the test suite on a ciphersuite.
+pub fn test_ciphersuite<R: RngCore + CryptoRng, C: Ciphersuite>(rng: &mut R) {
+  key_gen::<_, C>(rng);
+  test_generator_promotion::<_, C>(rng);
+}

crypto/dkg/src/tests/promote.rs

@@ -0,0 +1,60 @@
+use std::{marker::PhantomData, collections::HashMap};
+
+use rand_core::{RngCore, CryptoRng};
+
+use zeroize::Zeroize;
+
+use group::Group;
+
+use ciphersuite::Ciphersuite;
+
+use crate::{
+  promote::{GeneratorPromotion, GeneratorProof},
+  tests::{clone_without, key_gen, recover_key},
+};
+
+#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+struct AltGenerator<C: Ciphersuite> {
+  _curve: PhantomData<C>,
+}
+
+impl<C: Ciphersuite> Ciphersuite for AltGenerator<C> {
+  type F = C::F;
+  type G = C::G;
+  type H = C::H;
+
+  const ID: &'static [u8] = b"Alternate Ciphersuite";
+
+  fn generator() -> Self::G {
+    C::G::generator() * <C as Ciphersuite>::hash_to_F(b"DKG Promotion Test", b"generator")
+  }
+
+  fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
+    <C as Ciphersuite>::hash_to_F(dst, data)
+  }
+}
+
+// Test promotion of threshold keys to another generator
+pub(crate) fn test_generator_promotion<R: RngCore + CryptoRng, C: Ciphersuite>(rng: &mut R) {
+  let keys = key_gen::<_, C>(&mut *rng);
+
+  let mut promotions = HashMap::new();
+  let mut proofs = HashMap::new();
+  for (i, keys) in &keys {
+    let (promotion, proof) =
+      GeneratorPromotion::<_, AltGenerator<C>>::promote(&mut *rng, keys.clone());
+    promotions.insert(*i, promotion);
+    proofs.insert(*i, GeneratorProof::<C>::read::<&[u8]>(&mut proof.serialize().as_ref()).unwrap());
+  }
+
+  let new_group_key = AltGenerator::<C>::generator() * recover_key(&keys);
+  for (i, promoting) in promotions.drain() {
+    let promoted = promoting.complete(&clone_without(&proofs, &i)).unwrap();
+    assert_eq!(keys[&i].params(), promoted.params());
+    assert_eq!(keys[&i].secret_share(), promoted.secret_share());
+    assert_eq!(new_group_key, promoted.group_key());
+    for (l, verification_share) in promoted.verification_shares() {
+      assert_eq!(AltGenerator::<C>::generator() * keys[&l].secret_share(), verification_share);
+    }
+  }
+}