Refactor of Refresh & Recovery procedures

ferveo/Cargo.toml

@@ -22,7 +22,7 @@ ark-serialize = "0.4"
 ark-std = "0.4"
 bincode = "1.3"
 ferveo-common = { package = "ferveo-common-pre-release", path = "../ferveo-common", version = "^0.1.1" }
-group-threshold-cryptography = { package = "group-threshold-cryptography-pre-release", path = "../tpke", features = ["api"], version = "^0.2.0" }
+group-threshold-cryptography = { package = "group-threshold-cryptography-pre-release", path = "../tpke", features = ["api", "test-common"], version = "^0.2.0" }
 hex = "0.4.3"
 itertools = "0.10.5"
 measure_time = "0.8"

ferveo/src/dkg.rs

@@ -10,7 +10,7 @@ use serde_with::serde_as;
 
 use crate::{
     aggregate, utils::is_sorted, AggregatedPvss, Error, EthereumAddress,
-    PubliclyVerifiableParams, PubliclyVerifiableSS, Pvss, Result, Validator,
+    PubliclyVerifiableParams, PubliclyVerifiableSS, Result, Validator,
 };
 
 #[derive(Copy, Clone, Debug, Serialize, Deserialize)]
@@ -156,7 +156,7 @@ impl<E: Pairing> PubliclyVerifiableDkg<E> {
         rng: &mut R,
     ) -> Result<PubliclyVerifiableSS<E>> {
         use ark_std::UniformRand;
-        Pvss::<E>::new(&E::ScalarField::rand(rng), self, rng)
+        PubliclyVerifiableSS::<E>::new(&E::ScalarField::rand(rng), self, rng)
     }
 
     /// Aggregate all received PVSS messages into a single message, prepared to post on-chain
@@ -279,7 +279,7 @@ impl<E: Pairing> PubliclyVerifiableDkg<E> {
     pub fn deal(
         &mut self,
         sender: &Validator<E>,
-        pvss: &Pvss<E>,
+        pvss: &PubliclyVerifiableSS<E>,
     ) -> Result<()> {
         // Add the ephemeral public key and pvss transcript
         let (sender_address, _) = self
@@ -306,11 +306,11 @@ pub struct Aggregation<E: Pairing> {
 
 #[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(bound(
-    serialize = "AggregatedPvss<E>: Serialize, Pvss<E>: Serialize",
-    deserialize = "AggregatedPvss<E>: DeserializeOwned, Pvss<E>: DeserializeOwned"
+    serialize = "AggregatedPvss<E>: Serialize, PubliclyVerifiableSS<E>: Serialize",
+    deserialize = "AggregatedPvss<E>: DeserializeOwned, PubliclyVerifiableSS<E>: DeserializeOwned"
 ))]
 pub enum Message<E: Pairing> {
-    Deal(Pvss<E>),
+    Deal(PubliclyVerifiableSS<E>),
     Aggregate(Aggregation<E>),
 }
 
@@ -355,7 +355,7 @@ pub(crate) mod test_common {
         my_index: usize,
     ) -> TestSetup {
         let keypairs = gen_keypairs(shares_num);
-        let mut validators = gen_validators(&keypairs);
+        let mut validators = gen_validators(&keypairs.as_slice());
         validators.sort();
         let me = validators[my_index].clone();
         let dkg = PubliclyVerifiableDkg::new(

ferveo/src/lib.rs

@@ -17,13 +17,15 @@ pub mod api;
 pub mod dkg;
 pub mod primitives;
 pub mod pvss;
+pub mod refresh;
 pub mod validator;
 
 mod utils;
 
 pub use dkg::*;
 pub use primitives::*;
 pub use pvss::*;
+pub use refresh::*;
 pub use validator::*;
 
 #[derive(Debug, thiserror::Error)]
@@ -212,7 +214,7 @@ mod test_dkg_full {
                 &dkg,
                 aad,
                 &ciphertext.header().unwrap(),
-                &validator_keypairs,
+                validator_keypairs.as_slice(),
             );
 
             let plaintext = tpke::decrypt_with_shared_secret(
@@ -308,7 +310,7 @@ mod test_dkg_full {
                 &dkg,
                 aad,
                 &ciphertext.header().unwrap(),
-                &validator_keypairs,
+                validator_keypairs.as_slice(),
             );
 
         izip!(
@@ -355,7 +357,10 @@ mod test_dkg_full {
     fn test_dkg_simple_tdec_share_recovery() {
         let rng = &mut test_rng();
 
-        let (dkg, validator_keypairs) = setup_dealt_dkg_with_n_validators(3, 4);
+        let security_threshold = 3;
+        let shares_num = 4;
+        let (dkg, validator_keypairs) =
+            setup_dealt_dkg_with_n_validators(security_threshold, shares_num);
         let msg = "my-msg".as_bytes().to_vec();
         let aad: &[u8] = "my-aad".as_bytes();
         let public_key = &dkg.public_key();
@@ -368,29 +373,33 @@ mod test_dkg_full {
             &dkg,
             aad,
             &ciphertext.header().unwrap(),
-            &validator_keypairs,
+            validator_keypairs.as_slice(),
         );
 
-        // Now, we're going to recover a new share at a random point and check that the shared secret is still the same
-
-        // Our random point
-        let x_r = Fr::rand(rng);
-
         // Remove one participant from the contexts and all nested structure
         let removed_validator_addr =
             dkg.validators.keys().last().unwrap().clone();
         let mut remaining_validators = dkg.validators.clone();
-        remaining_validators.remove(&removed_validator_addr);
+        remaining_validators
+            .remove(&removed_validator_addr)
+            .unwrap();
+        // dkg.vss.remove(&removed_validator_addr); // TODO: Test whether it makes any difference
 
         // Remember to remove one domain point too
         let mut domain_points = dkg.domain.elements().collect::<Vec<_>>();
         domain_points.pop().unwrap();
 
+        // Now, we're going to recover a new share at a random point,
+        // and check that the shared secret is still the same.
+
+        // Our random point:
+        let x_r = Fr::rand(rng);
+
         // Each participant prepares an update for each other participant
         let share_updates = remaining_validators
             .keys()
             .map(|v_addr| {
-                let deltas_i = tpke::prepare_share_updates_for_recovery::<E>(
+                let deltas_i = prepare_share_updates_for_recovery::<E>(
                     &domain_points,
                     &dkg.pvss_params.h.into_affine(),
                     &x_r,
@@ -402,15 +411,17 @@ mod test_dkg_full {
             .collect::<HashMap<_, _>>();
 
         // Participants share updates and update their shares
-        let pvss_aggregated = aggregate(&dkg.vss);
 
         // Now, every participant separately:
+        // TODO: Move this logic outside tests (see #162, #163)
         let updated_shares: Vec<_> = remaining_validators
             .iter()
-            .map(|(validator_address, validator)| {
-                // Receives updates from other participants
-                let updates_for_participant =
-                    share_updates.get(validator_address).unwrap();
+            .map(|(_validator_address, validator)| {
+                // Current participant receives updates from other participants
+                let updates_for_participant: Vec<_> = share_updates
+                    .values()
+                    .map(|updates| *updates.get(validator.share_index).unwrap())
+                    .collect();
 
                 // Each validator uses their decryption key to update their share
                 let decryption_key = validator_keypairs
@@ -419,28 +430,37 @@ mod test_dkg_full {
                     .decryption_key;
 
                 // Creates updated private key shares
+                // TODO: Why not using dkg.aggregate()?
+                let pvss_aggregated = aggregate(&dkg.vss);
                 pvss_aggregated.update_private_key_share_for_recovery(
                     &decryption_key,
                     validator.share_index,
-                    updates_for_participant,
+                    updates_for_participant.as_slice(),
                 )
             })
             .collect();
 
+        // TODO: Rename updated_private_shares to something that doesn't imply mutation (see #162, #163)
+
         // Now, we have to combine new share fragments into a new share
-        let new_private_key_share =
-            tpke::recover_share_from_updated_private_shares(
-                &x_r,
-                &domain_points,
-                &updated_shares,
-            );
+        let new_private_key_share = recover_share_from_updated_private_shares(
+            &x_r,
+            &domain_points,
+            &updated_shares,
+        );
 
         // Get decryption shares from remaining participants
+        let mut remaining_validator_keypairs = validator_keypairs;
+        remaining_validator_keypairs
+            .pop()
+            .expect("Should have a keypair");
         let mut decryption_shares: Vec<DecryptionShareSimple<E>> =
-            validator_keypairs
+            remaining_validator_keypairs
                 .iter()
                 .enumerate()
                 .map(|(share_index, validator_keypair)| {
+                    // TODO: Why not using dkg.aggregate()?
+                    let pvss_aggregated = aggregate(&dkg.vss);
                     pvss_aggregated
                         .make_decryption_share_simple(
                             &ciphertext.header().unwrap(),
@@ -466,73 +486,120 @@ mod test_dkg_full {
             .unwrap(),
         );
 
+        domain_points.push(x_r);
+        assert_eq!(domain_points.len(), shares_num as usize);
+        assert_eq!(decryption_shares.len(), shares_num as usize);
+
+        // Maybe parametrize this test with [1..] and [..threshold]
+        let domain_points = &domain_points[1..];
+        let decryption_shares = &decryption_shares[1..];
+        assert_eq!(domain_points.len(), security_threshold as usize);
+        assert_eq!(decryption_shares.len(), security_threshold as usize);
+
         let lagrange = tpke::prepare_combine_simple::<E>(&domain_points);
         let new_shared_secret =
             tpke::share_combine_simple::<E>(&decryption_shares, &lagrange);
 
-        assert_eq!(old_shared_secret, new_shared_secret);
+        assert_eq!(
+            old_shared_secret, new_shared_secret,
+            "Shared secret reconstruction failed"
+        );
     }
 
     #[test]
-    fn simple_tdec_share_refreshing() {
+    fn test_dkg_simple_tdec_share_refreshing() {
         let rng = &mut test_rng();
-        let (dkg, validator_keypairs) = setup_dealt_dkg_with_n_validators(3, 4);
 
+        let security_threshold = 3;
+        let shares_num = 4;
+        let (dkg, validator_keypairs) =
+            setup_dealt_dkg_with_n_validators(security_threshold, shares_num);
         let msg = "my-msg".as_bytes().to_vec();
         let aad: &[u8] = "my-aad".as_bytes();
-        let public_key = dkg.public_key();
+        let public_key = &dkg.public_key();
         let ciphertext =
-            tpke::encrypt::<E>(SecretBox::new(msg), aad, &public_key, rng)
+            tpke::encrypt::<E>(SecretBox::new(msg), aad, public_key, rng)
                 .unwrap();
 
-        let pvss_aggregated = aggregate(&dkg.vss);
-
         // Create an initial shared secret
         let (_, _, old_shared_secret) = make_shared_secret_simple_tdec(
             &dkg,
             aad,
             &ciphertext.header().unwrap(),
-            &validator_keypairs,
+            validator_keypairs.as_slice(),
         );
 
-        // Now, we're going to refresh the shares and check that the shared secret is the same
+        let domain_points = dkg.domain.elements().collect::<Vec<_>>();
 
-        // Dealer computes a new random polynomial with constant term x_r = 0
-        let polynomial = tpke::make_random_polynomial_at::<E>(
-            dkg.dkg_params.security_threshold as usize,
-            &Fr::zero(),
-            rng,
-        );
+        // Each participant prepares an update for each other participant
+        let share_updates = dkg
+            .validators
+            .keys()
+            .map(|v_addr| {
+                let deltas_i = prepare_share_updates_for_refresh::<E>(
+                    &domain_points,
+                    &dkg.pvss_params.h.into_affine(),
+                    dkg.dkg_params.security_threshold as usize,
+                    rng,
+                );
+                (v_addr.clone(), deltas_i)
+            })
+            .collect::<HashMap<_, _>>();
 
-        // Dealer shares the polynomial with participants
+        // Participants share updates and update their shares
+
+        // Now, every participant separately:
+        // TODO: Move this logic outside tests (see #162, #163)
+        let updated_shares: Vec<_> = dkg
+            .validators
+            .iter()
+            .map(|(_validator_address, validator)| {
+                // Current participant receives updates from other participants
+                let updates_for_participant: Vec<_> = share_updates
+                    .values()
+                    .map(|updates| *updates.get(validator.share_index).unwrap())
+                    .collect();
+
+                // Each validator uses their decryption key to update their share
+                let decryption_key = validator_keypairs
+                    .get(validator.share_index)
+                    .unwrap()
+                    .decryption_key;
+
+                // Creates updated private key shares
+                // TODO: Why not using dkg.aggregate()?
+                let pvss_aggregated = aggregate(&dkg.vss);
+                pvss_aggregated.update_private_key_share_for_recovery(
+                    &decryption_key,
+                    validator.share_index,
+                    updates_for_participant.as_slice(),
+                )
+            })
+            .collect();
 
-        // Participants computes new decryption shares
-        let new_decryption_shares: Vec<DecryptionShareSimple<E>> =
+        // Get decryption shares, now with refreshed private shares:
+        let decryption_shares: Vec<DecryptionShareSimple<E>> =
             validator_keypairs
                 .iter()
                 .enumerate()
-                .map(|(validator_address, validator_keypair)| {
-                    pvss_aggregated
-                        .refresh_decryption_share(
-                            &ciphertext.header().unwrap(),
-                            aad,
-                            &validator_keypair.decryption_key,
-                            validator_address,
-                            &polynomial,
-                            &dkg,
-                        )
-                        .unwrap()
+                .map(|(share_index, validator_keypair)| {
+                    DecryptionShareSimple::create(
+                        &validator_keypair.decryption_key,
+                        &updated_shares.get(share_index).unwrap(),
+                        &ciphertext.header().unwrap(),
+                        aad,
+                        &dkg.pvss_params.g_inv(),
+                    )
+                    .unwrap()
                 })
                 .collect();
 
-        // Create a new shared secret
-        let domain = &dkg.domain.elements().collect::<Vec<_>>();
-        // TODO: Combine `tpke::prepare_combine_simple` and `tpke::share_combine_simple` into
-        //  one function and expose it in the tpke::api?
-        let lagrange_coeffs = tpke::prepare_combine_simple::<E>(domain);
+        let lagrange = tpke::prepare_combine_simple::<E>(
+            &domain_points[..security_threshold as usize],
+        );
         let new_shared_secret = tpke::share_combine_simple::<E>(
-            &new_decryption_shares,
-            &lagrange_coeffs,
+            &decryption_shares[..security_threshold as usize],
+            &lagrange,
         );
 
         assert_eq!(old_shared_secret, new_shared_secret);