DKG Blame (#196)

* Standardize the DLEq serialization function naming They mismatched from the rest of the project. This commit is technically incomplete as it doesn't update the dkg crate. * Rewrite DKG encryption to enable per-message decryption without side effects This isn't technically true as I already know a break in this which I'll correct for shortly. Does update documentation to explain the new scheme. Required for blame. * Add a verifiable system for blame during the FROST DKG Previously, if sent an invalid key share, the participant would realize that and could accuse the sender. Without further evidence, either the accuser or the accused could be guilty. Now, the accuser has a proof the accused is in the wrong. Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how locally complete keys still need group acknowledgement before the protocol can be complete and provides a way for others to verify blame, even after a locally successful run. If any blame is cast, the protocol is no longer considered complete-able (instead aborting). Further accusations of blame can still be handled however. Updates documentation on network behavior. Also starts to remove "OnDrop". We now use Zeroizing for anything which should be zeroized on drop. This is a lot more piece-meal and reduces clones. * Tweak Zeroizing and Debug impls Expands Zeroizing to be more comprehensive. Also updates Zeroizing<CachedPreprocess([u8; 32])> to CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done and last step before exposing the copy-able [u8; 32]. Removes private keys from Debug. * Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages Mentioned a few commits ago, now fixed. This wouldn't have affected Serai, which aborts on failure, nor any DKG currently supported. It's just about ensuring the DKG encryption is robust and proper. * Finish moving dleq from ser/deser to write/read * Add tests for dkg blame * Add a FROST test for invalid signature shares * Batch verify encrypted messages' ephemeral keys' PoP
2025-12-08 12:19:24 +00:00 · 2023-01-01 01:54:18 -05:00
parent 3b4c600c60
commit 5b3c9bf5d0
21 changed files with 1003 additions and 238 deletions
--- a/crypto/frost/src/sign.rs
+++ b/crypto/frost/src/sign.rs
@@ -7,11 +7,14 @@ use std::{
 use rand_core::{RngCore, CryptoRng, SeedableRng};
 use rand_chacha::ChaCha20Rng;

-use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
+use zeroize::{Zeroize, Zeroizing};

 use transcript::Transcript;

-use group::{ff::PrimeField, GroupEncoding};
+use group::{
+  ff::{Field, PrimeField},
+  GroupEncoding,
+};
 use multiexp::BatchVerifier;

 use crate::{
@@ -46,6 +49,7 @@ impl<T: Writable> Writable for Vec<T> {
 /// Pairing of an Algorithm with a ThresholdKeys instance and this specific signing set.
 #[derive(Clone, Zeroize)]
 pub struct Params<C: Curve, A: Algorithm<C>> {
+  // Skips the algorithm due to being too large a bound to feasibly enforce on users
  #[zeroize(skip)]
  algorithm: A,
  keys: ThresholdKeys<C>,
@@ -78,8 +82,11 @@ impl<C: Curve, A: Addendum> Writable for Preprocess<C, A> {
 /// A cached preprocess. A preprocess MUST only be used once. Reuse will enable third-party
 /// recovery of your private key share. Additionally, this MUST be handled with the same security
 /// as your private key share, as knowledge of it also enables recovery.
-#[derive(Zeroize, ZeroizeOnDrop)]
-pub struct CachedPreprocess(pub [u8; 32]);
+// Directly exposes the [u8; 32] member to void needing to route through std::io interfaces.
+// Still uses Zeroizing internally so when users grab it, they have a higher likelihood of
+// appreciating how to handle it and don't immediately start copying it just by grabbing it.
+#[derive(Zeroize)]
+pub struct CachedPreprocess(pub Zeroizing<[u8; 32]>);

 /// Trait for the initial state machine of a two-round signing protocol.
 pub trait PreprocessMachine {
@@ -110,11 +117,11 @@ impl<C: Curve, A: Algorithm<C>> AlgorithmMachine<C, A> {

  fn seeded_preprocess(
    self,
-    seed: Zeroizing<CachedPreprocess>,
+    seed: CachedPreprocess,
  ) -> (AlgorithmSignMachine<C, A>, Preprocess<C, A::Addendum>) {
    let mut params = self.params;

-    let mut rng = ChaCha20Rng::from_seed(seed.0);
+    let mut rng = ChaCha20Rng::from_seed(*seed.0);
    // Get a challenge to the existing transcript for use when proving for the commitments
    let commitments_challenge = params.algorithm.transcript().challenge(b"commitments");
    let (nonces, commitments) = Commitments::new::<_, A::Transcript>(
@@ -153,7 +160,7 @@ impl<C: Curve, A: Algorithm<C>> AlgorithmMachine<C, A> {
      commitments_challenge: self.params.algorithm.transcript().challenge(b"commitments"),

      params: self.params,
-      seed: Zeroizing::new(CachedPreprocess([0; 32])),
+      seed: CachedPreprocess(Zeroizing::new([0; 32])),

      nonces,
      preprocess,
@@ -174,7 +181,7 @@ impl<C: Curve, A: Algorithm<C>> PreprocessMachine for AlgorithmMachine<C, A> {
    self,
    rng: &mut R,
  ) -> (Self::SignMachine, Preprocess<C, A::Addendum>) {
-    let mut seed = Zeroizing::new(CachedPreprocess([0; 32]));
+    let mut seed = CachedPreprocess(Zeroizing::new([0; 32]));
    rng.fill_bytes(seed.0.as_mut());
    self.seeded_preprocess(seed)
  }
@@ -188,6 +195,12 @@ impl<C: Curve> Writable for SignatureShare<C> {
    writer.write_all(self.0.to_repr().as_ref())
  }
 }
+#[cfg(any(test, feature = "tests"))]
+impl<C: Curve> SignatureShare<C> {
+  pub(crate) fn invalidate(&mut self) {
+    self.0 += C::F::one();
+  }
+}

 /// Trait for the second machine of a two-round signing protocol.
 pub trait SignMachine<S>: Sized {
@@ -206,14 +219,14 @@ pub trait SignMachine<S>: Sized {
  /// of it enables recovery of your private key share. Third-party recovery of a cached preprocess
  /// also enables recovery of your private key share, so this MUST be treated with the same
  /// security as your private key share.
-  fn cache(self) -> Zeroizing<CachedPreprocess>;
+  fn cache(self) -> CachedPreprocess;

  /// Create a sign machine from a cached preprocess. After this, the preprocess should be fully
  /// deleted, as it must never be reused. It is
  fn from_cache(
    params: Self::Params,
    keys: Self::Keys,
-    cache: Zeroizing<CachedPreprocess>,
+    cache: CachedPreprocess,
  ) -> Result<Self, FrostError>;

  /// Read a Preprocess message. Despite taking self, this does not save the preprocess.
@@ -235,10 +248,11 @@ pub trait SignMachine<S>: Sized {
 #[derive(Zeroize)]
 pub struct AlgorithmSignMachine<C: Curve, A: Algorithm<C>> {
  params: Params<C, A>,
-  seed: Zeroizing<CachedPreprocess>,
+  seed: CachedPreprocess,

  commitments_challenge: <A::Transcript as Transcript>::Challenge,
  pub(crate) nonces: Vec<Nonce<C>>,
+  // Skips the preprocess due to being too large a bound to feasibly enforce on users
  #[zeroize(skip)]
  pub(crate) preprocess: Preprocess<C, A::Addendum>,
  pub(crate) blame_entropy: [u8; 32],
@@ -251,14 +265,14 @@ impl<C: Curve, A: Algorithm<C>> SignMachine<A::Signature> for AlgorithmSignMachi
  type SignatureShare = SignatureShare<C>;
  type SignatureMachine = AlgorithmSignatureMachine<C, A>;

-  fn cache(self) -> Zeroizing<CachedPreprocess> {
+  fn cache(self) -> CachedPreprocess {
    self.seed
  }

  fn from_cache(
    algorithm: A,
    keys: ThresholdKeys<C>,
-    cache: Zeroizing<CachedPreprocess>,
+    cache: CachedPreprocess,
  ) -> Result<Self, FrostError> {
    let (machine, _) = AlgorithmMachine::new(algorithm, keys)?.seeded_preprocess(cache);
    Ok(machine)