DKG Blame (#196)

* Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2025-12-08 12:19:24 +00:00 · 2023-01-01 01:54:18 -05:00
parent 3b4c600c60
commit 5b3c9bf5d0
21 changed files with 1003 additions and 238 deletions
--- a/crypto/dkg/src/lib.rs
+++ b/crypto/dkg/src/lib.rs
@@ -6,7 +6,10 @@
 //! Additional utilities around them, such as promotion from one generator to another, are also
 //! provided.

-use core::{fmt::Debug, ops::Deref};
+use core::{
+  fmt::{Debug, Formatter},
+  ops::Deref,
+};
 use std::{io::Read, sync::Arc, collections::HashMap};

 use thiserror::Error;
@@ -34,8 +37,8 @@ pub mod promote;
 pub mod tests;

 /// Various errors possible during key generation/signing.
-#[derive(Clone, Copy, PartialEq, Eq, Debug, Error)]
-pub enum DkgError {
+#[derive(Clone, PartialEq, Eq, Debug, Error)]
+pub enum DkgError<B: Clone + PartialEq + Eq + Debug> {
  #[error("a parameter was 0 (required {0}, participants {1})")]
  ZeroParameter(u16, u16),
  #[error("invalid amount of required participants (max {1}, got {0})")]
@@ -54,19 +57,19 @@ pub enum DkgError {

  #[error("invalid proof of knowledge (participant {0})")]
  InvalidProofOfKnowledge(u16),
-  #[error("invalid share (participant {0})")]
-  InvalidShare(u16),
+  #[error("invalid share (participant {participant}, blame {blame})")]
+  InvalidShare { participant: u16, blame: Option<B> },

  #[error("internal error ({0})")]
  InternalError(&'static str),
 }

 // Validate a map of values to have the expected included participants
-pub(crate) fn validate_map<T>(
+pub(crate) fn validate_map<T, B: Clone + PartialEq + Eq + Debug>(
  map: &HashMap<u16, T>,
  included: &[u16],
  ours: u16,
-) -> Result<(), DkgError> {
+) -> Result<(), DkgError<B>> {
  if (map.len() + 1) != included.len() {
    Err(DkgError::InvalidParticipantQuantity(included.len(), map.len() + 1))?;
  }
@@ -100,7 +103,7 @@ pub struct ThresholdParams {
 }

 impl ThresholdParams {
-  pub fn new(t: u16, n: u16, i: u16) -> Result<ThresholdParams, DkgError> {
+  pub fn new(t: u16, n: u16, i: u16) -> Result<ThresholdParams, DkgError<()>> {
    if (t == 0) || (n == 0) {
      Err(DkgError::ZeroParameter(t, n))?;
    }
@@ -149,7 +152,7 @@ pub fn lagrange<F: PrimeField>(i: u16, included: &[u16]) -> F {

 /// Keys and verification shares generated by a DKG.
 /// Called core as they're expected to be wrapped into an Arc before usage in various operations.
-#[derive(Clone, PartialEq, Eq, Debug)]
+#[derive(Clone, PartialEq, Eq)]
 pub struct ThresholdCore<C: Ciphersuite> {
  /// Threshold Parameters.
  params: ThresholdParams,
@@ -162,6 +165,17 @@ pub struct ThresholdCore<C: Ciphersuite> {
  verification_shares: HashMap<u16, C::G>,
 }

+impl<C: Ciphersuite> Debug for ThresholdCore<C> {
+  fn fmt(&self, fmt: &mut Formatter<'_>) -> Result<(), core::fmt::Error> {
+    fmt
+      .debug_struct("ThresholdCore")
+      .field("params", &self.params)
+      .field("group_key", &self.group_key)
+      .field("verification_shares", &self.verification_shares)
+      .finish_non_exhaustive()
+  }
+}
+
 impl<C: Ciphersuite> Zeroize for ThresholdCore<C> {
  fn zeroize(&mut self) {
    self.params.zeroize();
@@ -179,8 +193,12 @@ impl<C: Ciphersuite> ThresholdCore<C> {
    secret_share: Zeroizing<C::F>,
    verification_shares: HashMap<u16, C::G>,
  ) -> ThresholdCore<C> {
-    #[cfg(debug_assertions)]
-    validate_map(&verification_shares, &(0 ..= params.n).collect::<Vec<_>>(), 0).unwrap();
+    debug_assert!(validate_map::<_, ()>(
+      &verification_shares,
+      &(0 ..= params.n).collect::<Vec<_>>(),
+      0
+    )
+    .is_ok());

    let t = (1 ..= params.t).collect::<Vec<_>>();
    ThresholdCore {
@@ -220,15 +238,15 @@ impl<C: Ciphersuite> ThresholdCore<C> {
    serialized
  }

-  pub fn deserialize<R: Read>(reader: &mut R) -> Result<ThresholdCore<C>, DkgError> {
+  pub fn deserialize<R: Read>(reader: &mut R) -> Result<ThresholdCore<C>, DkgError<()>> {
    {
      let missing = DkgError::InternalError("ThresholdCore serialization is missing its curve");
      let different = DkgError::InternalError("deserializing ThresholdCore for another curve");

      let mut id_len = [0; 4];
-      reader.read_exact(&mut id_len).map_err(|_| missing)?;
+      reader.read_exact(&mut id_len).map_err(|_| missing.clone())?;
      if u32::try_from(C::ID.len()).unwrap().to_be_bytes() != id_len {
-        Err(different)?;
+        Err(different.clone())?;
      }

      let mut id = vec![0; C::ID.len()];
@@ -273,27 +291,42 @@ impl<C: Ciphersuite> ThresholdCore<C> {
 /// Threshold keys usable for signing.
 #[derive(Clone, Debug, Zeroize)]
 pub struct ThresholdKeys<C: Ciphersuite> {
-  /// Core keys.
+  // Core keys.
+  // If this is the last reference, the underlying keys will be dropped. When that happens, the
+  // private key present within it will be zeroed out (as it's within Zeroizing).
  #[zeroize(skip)]
  core: Arc<ThresholdCore<C>>,

-  /// Offset applied to these keys.
+  // Offset applied to these keys.
  pub(crate) offset: Option<C::F>,
 }

 /// View of keys passed to algorithm implementations.
-#[derive(Clone, Zeroize)]
+#[derive(Clone)]
 pub struct ThresholdView<C: Ciphersuite> {
  offset: C::F,
  group_key: C::G,
  included: Vec<u16>,
  secret_share: Zeroizing<C::F>,
-  #[zeroize(skip)]
  original_verification_shares: HashMap<u16, C::G>,
-  #[zeroize(skip)]
  verification_shares: HashMap<u16, C::G>,
 }

+impl<C: Ciphersuite> Zeroize for ThresholdView<C> {
+  fn zeroize(&mut self) {
+    self.offset.zeroize();
+    self.group_key.zeroize();
+    self.included.zeroize();
+    self.secret_share.zeroize();
+    for (_, share) in self.original_verification_shares.iter_mut() {
+      share.zeroize();
+    }
+    for (_, share) in self.verification_shares.iter_mut() {
+      share.zeroize();
+    }
+  }
+}
+
 impl<C: Ciphersuite> ThresholdKeys<C> {
  pub fn new(core: ThresholdCore<C>) -> ThresholdKeys<C> {
    ThresholdKeys { core: Arc::new(core), offset: None }
@@ -338,7 +371,7 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
    self.core.serialize()
  }

-  pub fn view(&self, included: &[u16]) -> Result<ThresholdView<C>, DkgError> {
+  pub fn view(&self, included: &[u16]) -> Result<ThresholdView<C>, DkgError<()>> {
    if (included.len() < self.params().t.into()) || (usize::from(self.params().n) < included.len())
    {
      Err(DkgError::InvalidSigningSet)?;