Support multiple key shares per validator (#416)

* Update the coordinator to give key shares based on weight, not based on existence

Participants are now identified by their starting index. While this compiles,
the following is unimplemented:

1) A conversion for DKG `i` values. It assumes the threshold `i` values used
will be identical for the MuSig signature used to confirm the DKG.
2) Expansion from compressed values to full values before forwarding to the
processor.

* Add a fn to the DkgConfirmer to convert `i` values as needed

Also removes TODOs regarding Serai ensuring validator key uniqueness +
validity. The current infra achieves both.

* Have the Tributary DB track participation by shares, not by count

* Prevent a node from obtaining 34% of the maximum amount of key shares

This is actually mainly intended to set a bound on message sizes in the
coordinator. Message sizes are amplified by the amount of key shares held, so
setting an upper bound on said amount lets it determine constants. While that
upper bound could be 150, that'd be unreasonable and increase the potential for
DoS attacks.

* Correct the mechanism to detect if sufficient accumulation has occured

It used to check if the latest accumulation hit the required threshold. Now,
accumulations may jump past the required threshold. The required mechanism is
to check the threshold wasn't prior met and is now met.

* Finish updating the coordinator to handle a multiple key share per validator environment

* Adjust stategy re: preventing noce reuse in DKG Confirmer

* Add TODOs regarding dropped transactions, add possible TODO fix

* Update tests/coordinator

This doesn't add new multi-key-share tests, it solely updates the existing
single key-share tests to compile and run, with the necessary fixes to the
coordinator.

* Update processor key_gen to handle generating multiple key shares at once

* Update SubstrateSigner

* Update signer, clippy

* Update processor tests

* Update processor docker tests

substrate/validator-sets/pallet/src/lib.rs

@@ -355,6 +355,8 @@ pub mod pallet {
     NotEnoughAllocated,
     /// Allocation would cause the validator set to no longer achieve fault tolerance.
     AllocationWouldRemoveFaultTolerance,
+    /// Allocation would cause the validator set to never be able to achieve fault tolerance.
+    AllocationWouldPreventFaultTolerance,
     /// Deallocation would remove the participant from the set, despite the validator not
     /// specifying so.
     DeallocationWouldRemoveParticipant,
@@ -410,6 +412,7 @@ pub mod pallet {
       system_address(b"validator-sets").into()
     }
 
+    // is_bft returns if the network is able to survive any single node becoming byzantine.
     fn is_bft(network: NetworkId) -> bool {
       let allocation_per_key_share = AllocationPerKeyShare::<T>::get(network).unwrap().0;
 
@@ -454,6 +457,7 @@ pub mod pallet {
       let increased_key_shares =
         (old_allocation / allocation_per_key_share) < (new_allocation / allocation_per_key_share);
 
+      // Check if the net exhibited the ability to handle any single node becoming byzantine
       let mut was_bft = None;
       if increased_key_shares {
         was_bft = Some(Self::is_bft(network));
@@ -463,12 +467,19 @@ pub mod pallet {
       Self::set_allocation(network, account, Amount(new_allocation));
       Self::deposit_event(Event::AllocationIncreased { validator: account, network, amount });
 
+      // Error if the net no longer can handle any single node becoming byzantine
       if let Some(was_bft) = was_bft {
         if was_bft && (!Self::is_bft(network)) {
           Err(Error::<T>::AllocationWouldRemoveFaultTolerance)?;
         }
       }
 
+      // The above is_bft calls are only used to check a BFT net doesn't become non-BFT
+      // Check here if this call would prevent a non-BFT net from *ever* becoming BFT
+      if (new_allocation / allocation_per_key_share) >= (MAX_KEY_SHARES_PER_SET / 3).into() {
+        Err(Error::<T>::AllocationWouldPreventFaultTolerance)?;
+      }
+
       if InSet::<T>::contains_key(Self::in_set_key(network, account)) {
         TotalAllocatedStake::<T>::set(
           network,
@@ -739,6 +750,7 @@ pub mod pallet {
         Err(Error::InsufficientAllocation) |
         Err(Error::NotEnoughAllocated) |
         Err(Error::AllocationWouldRemoveFaultTolerance) |
+        Err(Error::AllocationWouldPreventFaultTolerance) |
         Err(Error::DeallocationWouldRemoveParticipant) |
         Err(Error::DeallocationWouldRemoveFaultTolerance) |
         Err(Error::NonExistentDeallocation) |

substrate/validator-sets/primitives/src/lib.rs

@@ -18,7 +18,7 @@ use serai_primitives::NetworkId;
 /// The maximum amount of key shares per set.
 pub const MAX_KEY_SHARES_PER_SET: u32 = 150;
 // Support keys up to 96 bytes (BLS12-381 G2).
-const MAX_KEY_LEN: u32 = 96;
+pub const MAX_KEY_LEN: u32 = 96;
 
 /// The type used to identify a specific session of validators.
 #[derive(
@@ -97,10 +97,12 @@ pub fn set_keys_message(set: &ValidatorSet, key_pair: &KeyPair) -> Vec<u8> {
 /// maximum.
 ///
 /// Reduction occurs by reducing each validator in a reverse round-robin.
-pub fn amortize_excess_key_shares(validators: &mut [(Public, u64)]) {
-  let total_key_shares = validators.iter().map(|(_, shares)| shares).sum::<u64>();
-  for i in
-    0 .. usize::try_from(total_key_shares.saturating_sub(MAX_KEY_SHARES_PER_SET.into())).unwrap()
+pub fn amortize_excess_key_shares(validators: &mut [(Public, u16)]) {
+  let total_key_shares = validators.iter().map(|(_, shares)| shares).sum::<u16>();
+  for i in 0 .. usize::try_from(
+    total_key_shares.saturating_sub(u16::try_from(MAX_KEY_SHARES_PER_SET).unwrap()),
+  )
+  .unwrap()
   {
     validators[validators.len() - ((i % validators.len()) + 1)].1 -= 1;
   }