absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-09 20:59:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ed5592d22e31054b2bc8dfa92d827251ff8237f
serai/crypto/dkg/src/promote.rs
Luke Parker 5b3c9bf5d0 DKG Blame (#196) 
* Standardize the DLEq serialization function naming

They mismatched from the rest of the project.

This commit is technically incomplete as it doesn't update the dkg crate.

* Rewrite DKG encryption to enable per-message decryption without side effects

This isn't technically true as I already know a break in this which I'll
correct for shortly.

Does update documentation to explain the new scheme. Required for blame.

* Add a verifiable system for blame during the FROST DKG

Previously, if sent an invalid key share, the participant would realize that
and could accuse the sender. Without further evidence, either the accuser
or the accused could be guilty. Now, the accuser has a proof the accused is
in the wrong.

Reworks KeyMachine to return BlameMachine. This explicitly acknowledges how
locally complete keys still need group acknowledgement before the protocol
can be complete and provides a way for others to verify blame, even after a
locally successful run.

If any blame is cast, the protocol is no longer considered complete-able
(instead aborting). Further accusations of blame can still be handled however.

Updates documentation on network behavior.

Also starts to remove "OnDrop". We now use Zeroizing for anything which should
be zeroized on drop. This is a lot more piece-meal and reduces clones.

* Tweak Zeroizing and Debug impls

Expands Zeroizing to be more comprehensive.

Also updates Zeroizing<CachedPreprocess([u8; 32])> to
CachedPreprocess(Zeroizing<[u8; 32]>) so zeroizing is the first thing done
and last step before exposing the copy-able [u8; 32].

Removes private keys from Debug.

* Fix a bug where adversaries could claim to be using another user's encryption keys to learn their messages

Mentioned a few commits ago, now fixed.

This wouldn't have affected Serai, which aborts on failure, nor any DKG
currently supported. It's just about ensuring the DKG encryption is robust and
proper.

* Finish moving dleq from ser/deser to write/read

* Add tests for dkg blame

* Add a FROST test for invalid signature shares

* Batch verify encrypted messages' ephemeral keys' PoP
2023-01-01 01:54:18 -05:00

132 lines
3.8 KiB
Rust
Raw Blame History

use core::{marker::PhantomData, ops::Deref};
use std::{
io::{self, Read, Write},
sync::Arc,
collections::HashMap,
};
use rand_core::{RngCore, CryptoRng};
use group::GroupEncoding;
use ciphersuite::Ciphersuite;
use transcript::{Transcript, RecommendedTranscript};
use dleq::DLEqProof;
use crate::{DkgError, ThresholdCore, ThresholdKeys, validate_map};
/// Promote a set of keys to another Ciphersuite definition.
pub trait CiphersuitePromote<C2: Ciphersuite> {
#[doc(hidden)]
#[allow(non_snake_case)]
fn _bound_C2(_c2: C2) {
panic!()
}
fn promote(self) -> ThresholdKeys<C2>;
}
fn transcript<G: GroupEncoding>(key: G, i: u16) -> RecommendedTranscript {
let mut transcript = RecommendedTranscript::new(b"DKG Generator Promotion v0.2");
transcript.append_message(b"group_key", key.to_bytes());
transcript.append_message(b"participant", i.to_be_bytes());
transcript
}
/// Proof of valid promotion to another generator.
#[derive(Clone, Copy)]
pub struct GeneratorProof<C: Ciphersuite> {
share: C::G,
proof: DLEqProof<C::G>,
}
impl<C: Ciphersuite> GeneratorProof<C> {
pub fn write<W: Write>(&self, writer: &mut W) -> io::Result<()> {
writer.write_all(self.share.to_bytes().as_ref())?;
self.proof.write(writer)
}
pub fn read<R: Read>(reader: &mut R) -> io::Result<GeneratorProof<C>> {
Ok(GeneratorProof {
share: <C as Ciphersuite>::read_G(reader)?,
proof: DLEqProof::read(reader)?,
})
}
pub fn serialize(&self) -> Vec<u8> {
let mut buf = vec![];
self.write(&mut buf).unwrap();
buf
}
}
/// Promote a set of keys from one curve to another, where the elliptic curve is the same.
/// Since the Ciphersuite trait additionally specifies a generator, this provides an O(n) way to
/// update the generator used with keys. The key generation protocol itself is exponential.
pub struct GeneratorPromotion<C1: Ciphersuite, C2: Ciphersuite> {
base: ThresholdKeys<C1>,
proof: GeneratorProof<C1>,
_c2: PhantomData<C2>,
}
impl<C1: Ciphersuite, C2: Ciphersuite> GeneratorPromotion<C1, C2>
where
C2: Ciphersuite<F = C1::F, G = C1::G>,
{
/// Begin promoting keys from one curve to another. Returns a proof this share was properly
/// promoted.
pub fn promote<R: RngCore + CryptoRng>(
rng: &mut R,
base: ThresholdKeys<C1>,
) -> (GeneratorPromotion<C1, C2>, GeneratorProof<C1>) {
// Do a DLEqProof for the new generator
let proof = GeneratorProof {
share: C2::generator() * base.secret_share().deref(),
proof: DLEqProof::prove(
rng,
&mut transcript(base.core.group_key(), base.params().i),
&[C1::generator(), C2::generator()],
base.secret_share(),
),
};
(GeneratorPromotion { base, proof, _c2: PhantomData::<C2> }, proof)
}
/// Complete promotion by taking in the proofs from all other participants.
pub fn complete(
self,
proofs: &HashMap<u16, GeneratorProof<C1>>,
) -> Result<ThresholdKeys<C2>, DkgError<()>> {
let params = self.base.params();
validate_map(proofs, &(1 ..= params.n).collect::<Vec<_>>(), params.i)?;
let original_shares = self.base.verification_shares();
let mut verification_shares = HashMap::new();
verification_shares.insert(params.i, self.proof.share);
for (i, proof) in proofs {
let i = *i;
proof
.proof
.verify(
&mut transcript(self.base.core.group_key(), i),
&[C1::generator(), C2::generator()],
&[original_shares[&i], proof.share],
)
.map_err(|_| DkgError::InvalidProofOfKnowledge(i))?;
verification_shares.insert(i, proof.share);
}
Ok(ThresholdKeys {
core: Arc::new(ThresholdCore::new(
params,
self.base.secret_share().clone(),
verification_shares,
)),
offset: None,
})
}
}
Reference in New Issue View Git Blame Copy Permalink