Do the minimal amount of work for dkg to compile under no-std

The Substrate runtime requires access to the MuSig key aggregation function.

\#279 related.

Cargo.lock

@@ -2032,6 +2032,7 @@ dependencies = [
  "rand_core 0.6.4",
  "schnorr-signatures",
  "serde",
+ "std-shims",
  "thiserror",
  "zeroize",
 ]
@@ -8775,6 +8776,7 @@ version = "0.1.0"
 dependencies = [
  "ciphersuite",
  "dalek-ff-group",
+ "dkg",
  "flexible-transcript",
  "minimal-ed448",
  "monero-generators",

crypto/dkg/Cargo.toml

@@ -13,26 +13,30 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [dependencies]
-thiserror = "1"
+thiserror = { version = "1", default-features = false, optional = true }
 
-rand_core = "0.6"
+rand_core = { version = "0.6", default-features = false }
 
-zeroize = { version = "^1.5", features = ["zeroize_derive"] }
+zeroize = { version = "^1.5", default-features = false, features = ["zeroize_derive"] }
+
+std-shims = { version = "0.1", path = "../../common/std-shims", default-features = false }
 
 serde = { version = "1", features = ["derive"], optional = true }
 
-transcript = { package = "flexible-transcript", path = "../transcript", version = "0.3", features = ["recommended"] }
-chacha20 = { version = "0.9", features = ["zeroize"] }
+transcript = { package = "flexible-transcript", path = "../transcript", version = "0.3", default-features = false, features = ["recommended"] }
+chacha20 = { version = "0.9", default-features = false, features = ["zeroize"] }
 
-ciphersuite = { path = "../ciphersuite", version = "0.3", features = ["std"] }
-multiexp = { path = "../multiexp", version = "0.3", features = ["batch"] }
+ciphersuite = { path = "../ciphersuite", version = "0.3", default-features = false }
+multiexp = { path = "../multiexp", version = "0.3", default-features = false, features = ["batch"] }
 
 schnorr = { package = "schnorr-signatures", path = "../schnorr", version = "0.4" }
-dleq = { path = "../dleq", version = "0.3", features = ["serialize"] }
+dleq = { path = "../dleq", version = "0.3", default-features = false, features = ["serialize"] }
 
 [dev-dependencies]
-ciphersuite = { path = "../ciphersuite", version = "0.3", features = ["ristretto"] }
+ciphersuite = { path = "../ciphersuite", version = "0.3", default-features = false, features = ["ristretto"] }
 
 [features]
+std = ["thiserror", "std-shims/std", "ciphersuite/std", "multiexp/std", "schnorr/std", "dleq/std"]
 serde = ["dep:serde"]
 tests = ["rand_core/getrandom"]
+default = ["std"]

crypto/dkg/src/lib.rs

@@ -1,35 +1,27 @@
 #![cfg_attr(docsrs, feature(doc_auto_cfg))]
 #![doc = include_str!("../README.md")]
 
-use core::{
-  fmt::{self, Debug},
-  ops::Deref,
-};
-use std::{io, sync::Arc, collections::HashMap};
+use core::fmt::{self, Debug};
 
+#[cfg(feature = "std")]
 use thiserror::Error;
 
-use zeroize::{Zeroize, Zeroizing};
-
-use ciphersuite::{
-  group::{
-    ff::{Field, PrimeField},
-    GroupEncoding,
-  },
-  Ciphersuite,
-};
-
-/// Encryption types and utilities used to secure DKG messages.
-pub mod encryption;
+use zeroize::Zeroize;
 
 /// MuSig-style key aggregation.
 pub mod musig;
 
+/// Encryption types and utilities used to secure DKG messages.
+#[cfg(feature = "std")]
+pub mod encryption;
+
 /// The distributed key generation protocol described in the
 /// [FROST paper](https://eprint.iacr.org/2020/852).
+#[cfg(feature = "std")]
 pub mod frost;
 
 /// Promote keys between ciphersuites.
+#[cfg(feature = "std")]
 pub mod promote;
 
 /// Tests for application-provided curves and algorithms.
@@ -70,45 +62,66 @@ impl fmt::Display for Participant {
 }
 
 /// Various errors possible during key generation.
-#[derive(Clone, PartialEq, Eq, Debug, Error)]
+#[derive(Clone, PartialEq, Eq, Debug)]
+#[cfg_attr(feature = "std", derive(Error))]
 pub enum DkgError<B: Clone + PartialEq + Eq + Debug> {
   /// A parameter was zero.
-  #[error("a parameter was 0 (threshold {0}, participants {1})")]
+  #[cfg_attr(feature = "std", error("a parameter was 0 (threshold {0}, participants {1})"))]
   ZeroParameter(u16, u16),
   /// The threshold exceeded the amount of participants.
-  #[error("invalid threshold (max {1}, got {0})")]
+  #[cfg_attr(feature = "std", error("invalid threshold (max {1}, got {0})"))]
   InvalidThreshold(u16, u16),
   /// Invalid participant identifier.
-  #[error("invalid participant (0 < participant <= {0}, yet participant is {1})")]
+  #[cfg_attr(
+    feature = "std",
+    error("invalid participant (0 < participant <= {0}, yet participant is {1})")
+  )]
   InvalidParticipant(u16, Participant),
 
   /// Invalid signing set.
-  #[error("invalid signing set")]
+  #[cfg_attr(feature = "std", error("invalid signing set"))]
   InvalidSigningSet,
   /// Invalid amount of participants.
-  #[error("invalid participant quantity (expected {0}, got {1})")]
+  #[cfg_attr(feature = "std", error("invalid participant quantity (expected {0}, got {1})"))]
   InvalidParticipantQuantity(usize, usize),
   /// A participant was duplicated.
-  #[error("duplicated participant ({0})")]
+  #[cfg_attr(feature = "std", error("duplicated participant ({0})"))]
   DuplicatedParticipant(Participant),
   /// A participant was missing.
-  #[error("missing participant {0}")]
+  #[cfg_attr(feature = "std", error("missing participant {0}"))]
   MissingParticipant(Participant),
 
   /// An invalid proof of knowledge was provided.
-  #[error("invalid proof of knowledge (participant {0})")]
+  #[cfg_attr(feature = "std", error("invalid proof of knowledge (participant {0})"))]
   InvalidProofOfKnowledge(Participant),
   /// An invalid DKG share was provided.
-  #[error("invalid share (participant {participant}, blame {blame})")]
+  #[cfg_attr(feature = "std", error("invalid share (participant {participant}, blame {blame})"))]
   InvalidShare { participant: Participant, blame: Option<B> },
 }
 
-// Validate a map of values to have the expected included participants
-pub(crate) fn validate_map<T, B: Clone + PartialEq + Eq + Debug>(
+#[cfg(feature = "std")]
+mod lib {
+  pub use super::*;
+
+  use core::ops::Deref;
+  use std::{io, sync::Arc, collections::HashMap};
+
+  use zeroize::Zeroizing;
+
+  use ciphersuite::{
+    group::{
+      ff::{Field, PrimeField},
+      GroupEncoding,
+    },
+    Ciphersuite,
+  };
+
+  // Validate a map of values to have the expected included participants
+  pub(crate) fn validate_map<T, B: Clone + PartialEq + Eq + Debug>(
     map: &HashMap<Participant, T>,
     included: &[Participant],
     ours: Participant,
-) -> Result<(), DkgError<B>> {
+  ) -> Result<(), DkgError<B>> {
     if (map.len() + 1) != included.len() {
       Err(DkgError::InvalidParticipantQuantity(included.len(), map.len() + 1))?;
     }
@@ -127,30 +140,28 @@ pub(crate) fn validate_map<T, B: Clone + PartialEq + Eq + Debug>(
     }
 
     Ok(())
-}
+  }
 
-/// Parameters for a multisig.
-// These fields should not be made public as they should be static
-#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
-#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
-pub struct ThresholdParams {
+  /// Parameters for a multisig.
+  // These fields should not be made public as they should be static
+  #[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
+  #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
+  pub struct ThresholdParams {
     /// Participants needed to sign on behalf of the group.
-  t: u16,
+    pub(crate) t: u16,
     /// Amount of participants.
-  n: u16,
+    pub(crate) n: u16,
     /// Index of the participant being acted for.
-  i: Participant,
-}
+    pub(crate) i: Participant,
+  }
 
-impl ThresholdParams {
+  impl ThresholdParams {
     /// Create a new set of parameters.
     pub fn new(t: u16, n: u16, i: Participant) -> Result<ThresholdParams, DkgError<()>> {
       if (t == 0) || (n == 0) {
         Err(DkgError::ZeroParameter(t, n))?;
       }
 
-    // When t == n, this shouldn't be used (MuSig2 and other variants of MuSig exist for a reason),
-    // but it's not invalid to do so
       if t > n {
         Err(DkgError::InvalidThreshold(t, n))?;
       }
@@ -173,10 +184,10 @@ impl ThresholdParams {
     pub fn i(&self) -> Participant {
       self.i
     }
-}
+  }
 
-/// Calculate the lagrange coefficient for a signing set.
-pub fn lagrange<F: PrimeField>(i: Participant, included: &[Participant]) -> F {
+  /// Calculate the lagrange coefficient for a signing set.
+  pub fn lagrange<F: PrimeField>(i: Participant, included: &[Participant]) -> F {
     let i_f = F::from(u64::from(u16::from(i)));
 
     let mut num = F::ONE;
@@ -194,24 +205,24 @@ pub fn lagrange<F: PrimeField>(i: Participant, included: &[Participant]) -> F {
     // Safe as this will only be 0 if we're part of the above loop
     // (which we have an if case to avoid)
     num * denom.invert().unwrap()
-}
+  }
 
-/// Keys and verification shares generated by a DKG.
-/// Called core as they're expected to be wrapped into an Arc before usage in various operations.
-#[derive(Clone, PartialEq, Eq)]
-pub struct ThresholdCore<C: Ciphersuite> {
+  /// Keys and verification shares generated by a DKG.
+  /// Called core as they're expected to be wrapped into an Arc before usage in various operations.
+  #[derive(Clone, PartialEq, Eq)]
+  pub struct ThresholdCore<C: Ciphersuite> {
     /// Threshold Parameters.
-  params: ThresholdParams,
+    pub(crate) params: ThresholdParams,
 
     /// Secret share key.
-  secret_share: Zeroizing<C::F>,
+    pub(crate) secret_share: Zeroizing<C::F>,
     /// Group key.
-  group_key: C::G,
+    pub(crate) group_key: C::G,
     /// Verification shares.
-  verification_shares: HashMap<Participant, C::G>,
-}
+    pub(crate) verification_shares: HashMap<Participant, C::G>,
+  }
 
-impl<C: Ciphersuite> fmt::Debug for ThresholdCore<C> {
+  impl<C: Ciphersuite> fmt::Debug for ThresholdCore<C> {
     fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
       fmt
         .debug_struct("ThresholdCore")
@@ -220,9 +231,9 @@ impl<C: Ciphersuite> fmt::Debug for ThresholdCore<C> {
         .field("verification_shares", &self.verification_shares)
         .finish_non_exhaustive()
     }
-}
+  }
 
-impl<C: Ciphersuite> Zeroize for ThresholdCore<C> {
+  impl<C: Ciphersuite> Zeroize for ThresholdCore<C> {
     fn zeroize(&mut self) {
       self.params.zeroize();
       self.secret_share.zeroize();
@@ -231,15 +242,15 @@ impl<C: Ciphersuite> Zeroize for ThresholdCore<C> {
         share.zeroize();
       }
     }
-}
+  }
 
-impl<C: Ciphersuite> ThresholdCore<C> {
+  impl<C: Ciphersuite> ThresholdCore<C> {
     pub(crate) fn new(
       params: ThresholdParams,
       secret_share: Zeroizing<C::F>,
       verification_shares: HashMap<Participant, C::G>,
     ) -> ThresholdCore<C> {
-    let t = (1 ..= params.t).map(Participant).collect::<Vec<_>>();
+      let t = (1 ..= params.t()).map(Participant).collect::<Vec<_>>();
       ThresholdCore {
         params,
         secret_share,
@@ -338,33 +349,33 @@ impl<C: Ciphersuite> ThresholdCore<C> {
         verification_shares,
       ))
     }
-}
+  }
 
-/// Threshold keys usable for signing.
-#[derive(Clone, Debug, Zeroize)]
-pub struct ThresholdKeys<C: Ciphersuite> {
+  /// Threshold keys usable for signing.
+  #[derive(Clone, Debug, Zeroize)]
+  pub struct ThresholdKeys<C: Ciphersuite> {
     // Core keys.
     // If this is the last reference, the underlying keys will be dropped. When that happens, the
     // private key present within it will be zeroed out (as it's within Zeroizing).
     #[zeroize(skip)]
-  core: Arc<ThresholdCore<C>>,
+    pub(crate) core: Arc<ThresholdCore<C>>,
 
     // Offset applied to these keys.
     pub(crate) offset: Option<C::F>,
-}
+  }
 
-/// View of keys, interpolated and offset for usage.
-#[derive(Clone)]
-pub struct ThresholdView<C: Ciphersuite> {
+  /// View of keys, interpolated and offset for usage.
+  #[derive(Clone)]
+  pub struct ThresholdView<C: Ciphersuite> {
     offset: C::F,
     group_key: C::G,
     included: Vec<Participant>,
     secret_share: Zeroizing<C::F>,
     original_verification_shares: HashMap<Participant, C::G>,
     verification_shares: HashMap<Participant, C::G>,
-}
+  }
 
-impl<C: Ciphersuite> fmt::Debug for ThresholdView<C> {
+  impl<C: Ciphersuite> fmt::Debug for ThresholdView<C> {
     fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
       fmt
         .debug_struct("ThresholdView")
@@ -375,9 +386,9 @@ impl<C: Ciphersuite> fmt::Debug for ThresholdView<C> {
         .field("verification_shares", &self.verification_shares)
         .finish_non_exhaustive()
     }
-}
+  }
 
-impl<C: Ciphersuite> Zeroize for ThresholdView<C> {
+  impl<C: Ciphersuite> Zeroize for ThresholdView<C> {
     fn zeroize(&mut self) {
       self.offset.zeroize();
       self.group_key.zeroize();
@@ -390,9 +401,9 @@ impl<C: Ciphersuite> Zeroize for ThresholdView<C> {
         share.zeroize();
       }
     }
-}
+  }
 
-impl<C: Ciphersuite> ThresholdKeys<C> {
+  impl<C: Ciphersuite> ThresholdKeys<C> {
     /// Create a new set of ThresholdKeys from a ThresholdCore.
     pub fn new(core: ThresholdCore<C>) -> ThresholdKeys<C> {
       ThresholdKeys { core: Arc::new(core), offset: None }
@@ -445,14 +456,16 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
     /// Obtain a view of these keys, with any offset applied, interpolated for the specified signing
     /// set.
     pub fn view(&self, mut included: Vec<Participant>) -> Result<ThresholdView<C>, DkgError<()>> {
-    if (included.len() < self.params().t.into()) || (usize::from(self.params().n) < included.len())
+      if (included.len() < self.params().t.into()) ||
+        (usize::from(self.params().n()) < included.len())
       {
         Err(DkgError::InvalidSigningSet)?;
       }
       included.sort();
 
-    let mut secret_share =
-      Zeroizing::new(lagrange::<C::F>(self.params().i, &included) * self.secret_share().deref());
+      let mut secret_share = Zeroizing::new(
+        lagrange::<C::F>(self.params().i(), &included) * self.secret_share().deref(),
+      );
 
       let mut verification_shares = self.verification_shares();
       for (i, share) in verification_shares.iter_mut() {
@@ -475,15 +488,15 @@ impl<C: Ciphersuite> ThresholdKeys<C> {
         included,
       })
     }
-}
+  }
 
-impl<C: Ciphersuite> From<ThresholdCore<C>> for ThresholdKeys<C> {
+  impl<C: Ciphersuite> From<ThresholdCore<C>> for ThresholdKeys<C> {
     fn from(keys: ThresholdCore<C>) -> ThresholdKeys<C> {
       ThresholdKeys::new(keys)
     }
-}
+  }
 
-impl<C: Ciphersuite> ThresholdView<C> {
+  impl<C: Ciphersuite> ThresholdView<C> {
     /// Return the offset for this view.
     pub fn offset(&self) -> C::F {
       self.offset
@@ -513,4 +526,7 @@ impl<C: Ciphersuite> ThresholdView<C> {
     pub fn verification_share(&self, l: Participant) -> C::G {
       self.verification_shares[&l]
     }
+  }
 }
+#[cfg(feature = "std")]
+pub use lib::*;

crypto/dkg/src/musig.rs

@@ -1,16 +1,24 @@
+#[cfg(feature = "std")]
 use core::ops::Deref;
-use std::collections::{HashSet, HashMap};
+use std_shims::collections::HashSet;
+#[cfg(feature = "std")]
+use std_shims::collections::HashMap;
 
+#[cfg(feature = "std")]
 use zeroize::Zeroizing;
 
 use transcript::{Transcript, RecommendedTranscript};
 
+#[cfg(feature = "std")]
+use ciphersuite::group::ff::Field;
 use ciphersuite::{
-  group::{ff::Field, Group, GroupEncoding},
+  group::{Group, GroupEncoding},
   Ciphersuite,
 };
 
-use crate::{Participant, DkgError, ThresholdParams, ThresholdCore, lagrange};
+use crate::DkgError;
+#[cfg(feature = "std")]
+use crate::{Participant, ThresholdParams, ThresholdCore, lagrange};
 
 fn check_keys<C: Ciphersuite>(keys: &[C::G]) -> Result<u16, DkgError<()>> {
   if keys.is_empty() {
@@ -59,6 +67,7 @@ pub fn musig_key<C: Ciphersuite>(keys: &[C::G]) -> Result<C::G, DkgError<()>> {
 /// A n-of-n non-interactive DKG which does not guarantee the usability of the resulting key.
 ///
 /// Creating an aggregate key with a list containing duplicated public keys returns an error.
+#[cfg(feature = "std")]
 pub fn musig<C: Ciphersuite>(
   private_key: &Zeroizing<C::F>,
   keys: &[C::G],

crypto/dkg/src/tests/frost.rs

@@ -2,8 +2,10 @@ use std::collections::HashMap;
 
 use rand_core::{RngCore, CryptoRng};
 
+use ciphersuite::Ciphersuite;
+
 use crate::{
-  Ciphersuite, Participant, ThresholdParams, ThresholdCore,
+  Participant, ThresholdParams, ThresholdCore,
   frost::{KeyGenMachine, SecretShare, KeyMachine},
   encryption::{EncryptionKeyMessage, EncryptedMessage},
   tests::{THRESHOLD, PARTICIPANTS, clone_without},

tests/no-std/Cargo.toml

@@ -26,7 +26,7 @@ multiexp = { path = "../../crypto/multiexp", default-features = false, features
 # dleq = { path = "../../crypto/dleq" }
 schnorr-signatures = { path = "../../crypto/schnorr", default-features = false }
 
-# dkg = { path = "../../crypto/dkg" }
+dkg = { path = "../../crypto/dkg", default-features = false }
 # modular-frost = { path = "../../crypto/frost" }
 # frost-schnorrkel = { path = "../../crypto/schnorrkel" }