From 9c013541d0cb8f936809f90999c5db00ccd45078 Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Tue, 12 Dec 2023 14:37:11 +0100 Subject: [PATCH] refactor: use constant security parameters --- fs-dkr/src/add_party_message.rs | 8 ++-- fs-dkr/src/refresh_message.rs | 10 ++--- fs-dkr/src/test.rs | 67 +++++++++++--------------------- src/refresh/rounds.rs | 69 ++++++--------------------------- src/refresh/state_machine.rs | 30 +++----------- src/utilities/mod.rs | 32 --------------- 6 files changed, 48 insertions(+), 168 deletions(-) diff --git a/fs-dkr/src/add_party_message.rs b/fs-dkr/src/add_party_message.rs index 8388bd4..1aeaf51 100644 --- a/fs-dkr/src/add_party_message.rs +++ b/fs-dkr/src/add_party_message.rs @@ -44,7 +44,7 @@ use tss_core::zkproof::prm::{PiPrmProof, PiPrmStatement, PiPrmWitness}; /// Message used by new parties to join the protocol. #[derive(Clone, Deserialize, Serialize, Debug)] #[serde(bound = "E: Curve, H: Digest + Clone")] -pub struct JoinMessage { +pub struct JoinMessage { pub(crate) ek: EncryptionKey, pub(crate) dk_correctness_proof: NiCorrectKeyProof, pub(crate) party_index: Option, @@ -82,7 +82,7 @@ fn generate_dlog_statement_proofs( )) } -impl JoinMessage { +impl JoinMessage { pub fn set_party_index(&mut self, new_party_index: u16) { self.party_index = Some(new_party_index); } @@ -139,9 +139,9 @@ impl JoinMessage { /// (multiple parties can be added/replaced at once). pub fn collect( &self, - refresh_messages: &[RefreshMessage], + refresh_messages: &[RefreshMessage], paillier_key: Keys, - join_messages: &[JoinMessage], + join_messages: &[JoinMessage], new_t: u16, new_n: u16, current_t: u16, diff --git a/fs-dkr/src/refresh_message.rs b/fs-dkr/src/refresh_message.rs index 1cbdc55..1985c83 100644 --- a/fs-dkr/src/refresh_message.rs +++ b/fs-dkr/src/refresh_message.rs @@ -31,7 +31,7 @@ use tss_core::{ // Everything here can be broadcasted #[derive(Debug, Clone, Deserialize, Serialize)] #[serde(bound = "E: Curve, H: Digest + Clone")] -pub struct RefreshMessage { +pub struct RefreshMessage { pub(crate) old_party_index: u16, pub(crate) party_index: u16, pdl_proof_vec: Vec>, @@ -50,13 +50,13 @@ pub struct RefreshMessage { pub hash_choice: HashChoice, } -impl RefreshMessage { +impl RefreshMessage { pub fn distribute( old_party_index: u16, local_key: &mut LocalKey, new_t: u16, new_n: u16, - ) -> FsDkrResult<(RefreshMessage, DecryptionKey)> { + ) -> FsDkrResult<(RefreshMessage, DecryptionKey)> { assert!(new_t <= new_n / 2); let secret = local_key.keys_linear.x_i.clone(); // secret share old key @@ -263,7 +263,7 @@ impl RefreshMessage { } pub fn replace( - new_parties: &[JoinMessage], + new_parties: &[JoinMessage], key: &mut LocalKey, old_to_new_map: &HashMap, new_t: u16, @@ -355,7 +355,7 @@ impl RefreshMessage { refresh_messages: &[Self], local_key: &mut LocalKey, new_dk: DecryptionKey, - join_messages: &[JoinMessage], + join_messages: &[JoinMessage], current_t: u16, ) -> FsDkrResult<()> { let new_n = refresh_messages.len() + join_messages.len(); diff --git a/fs-dkr/src/test.rs b/fs-dkr/src/test.rs index 0e74403..2cf2899 100644 --- a/fs-dkr/src/test.rs +++ b/fs-dkr/src/test.rs @@ -39,7 +39,7 @@ mod tests { let mut keys = simulate_keygen(t, n); let old_keys = keys.clone(); - simulate_dkr::<{ crate::M_SECURITY }>(&mut keys, None); + simulate_dkr(&mut keys, None); // check that sum of old keys is equal to sum of new keys let old_linear_secret_key: Vec<_> = (0..old_keys.len()) @@ -78,10 +78,10 @@ mod tests { let mut keys = simulate_keygen(2, 5); let offline_sign = simulate_offline_stage(keys.clone(), &[1, 2, 3]); simulate_signing(offline_sign, b"ZenGo"); - simulate_dkr::<{ crate::M_SECURITY }>(&mut keys, None); + simulate_dkr(&mut keys, None); let offline_sign = simulate_offline_stage(keys.clone(), &[2, 3, 4]); simulate_signing(offline_sign, b"ZenGo"); - simulate_dkr::<{ crate::M_SECURITY }>(&mut keys, None); + simulate_dkr(&mut keys, None); let offline_sign = simulate_offline_stage(keys, &[1, 3, 5]); simulate_signing(offline_sign, b"ZenGo"); } @@ -91,35 +91,26 @@ mod tests { let mut keys = simulate_keygen(2, 5); let offline_sign = simulate_offline_stage(keys.clone(), &[1, 2, 3]); simulate_signing(offline_sign, b"ZenGo"); - simulate_dkr_removal::<{ crate::M_SECURITY }>( - &mut keys, - [1].to_vec(), - None, - ); + simulate_dkr_removal(&mut keys, [1].to_vec(), None); let offline_sign = simulate_offline_stage(keys.clone(), &[2, 3, 4]); simulate_signing(offline_sign, b"ZenGo"); - simulate_dkr_removal::<{ crate::M_SECURITY }>( - &mut keys, - [1, 2].to_vec(), - None, - ); + simulate_dkr_removal(&mut keys, [1, 2].to_vec(), None); let offline_sign = simulate_offline_stage(keys, &[3, 4, 5]); simulate_signing(offline_sign, b"ZenGo"); } #[test] fn test_add_party_with_permute() { - fn simulate_replace( + fn simulate_replace( keys: &mut Vec>, party_indices: &[u16], old_to_new_map: &HashMap, t: u16, n: u16, ) -> FsDkrResult<()> { - fn generate_join_messages_and_keys( + fn generate_join_messages_and_keys( number_of_new_parties: usize, - ) -> (Vec>, Vec) - { + ) -> (Vec>, Vec) { // the new party generates it's join message to start joining // the computation (0..number_of_new_parties) @@ -127,14 +118,12 @@ mod tests { .unzip() } - fn generate_refresh_parties_replace( + fn generate_refresh_parties_replace( keys: &mut [LocalKey], old_to_new_map: &HashMap, - join_messages: &[JoinMessage], - ) -> ( - Vec>, - Vec, - ) { + join_messages: &[JoinMessage], + ) -> (Vec>, Vec) + { let new_n = (&keys.len() + join_messages.len()) as u16; keys.iter_mut() .map(|key| { @@ -153,9 +142,7 @@ mod tests { // each party that wants to join generates a join message and a pair // of paillier keys. let (mut join_messages, new_keys) = - generate_join_messages_and_keys::<{ crate::M_SECURITY }>( - party_indices.len(), - ); + generate_join_messages_and_keys(party_indices.len()); // each new party has to be informed through offchannel // communication what party index it has been assigned @@ -229,14 +216,7 @@ mod tests { old_to_new_map.insert(6, 5); // Simulate the replace - simulate_replace::<{ crate::M_SECURITY }>( - &mut keys, - &[2, 7], - &old_to_new_map, - t, - n, - ) - .unwrap(); + simulate_replace(&mut keys, &[2, 7], &old_to_new_map, t, n).unwrap(); // check that sum of old keys is equal to sum of new keys let old_linear_secret_key: Vec<_> = (0..all_keys.len()) .map(|i| all_keys[i].keys_linear.x_i.clone()) @@ -278,11 +258,11 @@ mod tests { let offline_sign = simulate_offline_stage(keys.clone(), &[1, 2, 3]); simulate_signing(offline_sign, b"ZenGo"); // Change threshold to 1 (i.e quorum size = 2). - simulate_dkr::<{ crate::M_SECURITY }>(&mut keys, Some(1)); + simulate_dkr(&mut keys, Some(1)); let offline_sign = simulate_offline_stage(keys.clone(), &[3, 4]); simulate_signing(offline_sign, b"ZenGo"); // Change threshold to back to 2 (i.e quorum size = 3). - simulate_dkr::<{ crate::M_SECURITY }>(&mut keys, Some(2)); + simulate_dkr(&mut keys, Some(2)); let offline_sign = simulate_offline_stage(keys, &[1, 3, 5]); simulate_signing(offline_sign, b"ZenGo"); } @@ -299,17 +279,17 @@ mod tests { simulation.run().unwrap() } - fn simulate_dkr_removal( + fn simulate_dkr_removal( keys: &mut Vec>, remove_party_indices: Vec, new_t_option: Option, ) { let mut broadcast_messages: HashMap< usize, - Vec>, + Vec>, > = HashMap::new(); let mut new_dks: HashMap = HashMap::new(); - let mut refresh_messages: Vec> = + let mut refresh_messages: Vec> = Vec::new(); let mut party_key: HashMap> = HashMap::new(); // TODO: Verify this is correct @@ -389,14 +369,11 @@ mod tests { } } - fn simulate_dkr( + fn simulate_dkr( keys: &mut Vec>, new_t_option: Option, - ) -> ( - Vec>, - Vec, - ) { - let mut broadcast_vec: Vec> = + ) -> (Vec>, Vec) { + let mut broadcast_vec: Vec> = Vec::new(); let mut new_dks: Vec = Vec::new(); let keys_len = keys.len(); diff --git a/src/refresh/rounds.rs b/src/refresh/rounds.rs index c9f3894..f29d7f8 100644 --- a/src/refresh/rounds.rs +++ b/src/refresh/rounds.rs @@ -15,13 +15,7 @@ use crate::utilities::sha2::Sha256; pub enum PartyType { Existing(Box>), - New( - Box<( - JoinMessage, - Keys, - u16, - )>, - ), + New(Box<(JoinMessage, Keys, u16)>), } use super::state_machine::{Round0Messages, Round1Messages}; @@ -38,17 +32,7 @@ pub struct Round0 { impl Round0 { pub fn proceed(self, mut output: O) -> Result where - O: Push< - Msg< - Option< - JoinMessage< - Secp256k1, - Sha256, - { crate::utilities::STAT_PARAM }, - >, - >, - >, - >, + O: Push>>>, { match self.local_key_option { Some(local_key) => { @@ -112,34 +96,15 @@ pub struct Round1 { impl Round1 { pub fn proceed( self, - input: BroadcastMsgs< - Option< - JoinMessage< - Secp256k1, - Sha256, - { crate::utilities::STAT_PARAM }, - >, - >, - >, + input: BroadcastMsgs>>, mut output: O, ) -> Result where - O: Push< - Msg< - Option< - RefreshMessage< - Secp256k1, - Sha256, - { crate::utilities::STAT_PARAM }, - >, - >, - >, - >, + O: Push>>>, { let join_message_option_vec = input.into_vec(); - let mut join_message_vec: Vec< - JoinMessage, - > = Vec::new(); + let mut join_message_vec: Vec> = + Vec::new(); for join_message_option in join_message_option_vec.into_iter().flatten() { join_message_vec.push(join_message_option) @@ -210,11 +175,8 @@ impl Round1 { pub struct Round2 { pub party_type: PartyType, - pub join_messages: - Vec>, - pub refresh_message: Option< - RefreshMessage, - >, + pub join_messages: Vec>, + pub refresh_message: Option>, pub new_paillier_decryption_key: DecryptionKey, new_t: u16, new_n: u16, @@ -224,21 +186,12 @@ pub struct Round2 { impl Round2 { pub fn proceed( self, - input: BroadcastMsgs< - Option< - RefreshMessage< - Secp256k1, - Sha256, - { crate::utilities::STAT_PARAM }, - >, - >, - >, + input: BroadcastMsgs>>, ) -> Result> { let refresh_message_option_vec = input.into_vec_including_me(self.refresh_message); - let mut refresh_message_vec: Vec< - RefreshMessage, - > = Vec::new(); + let mut refresh_message_vec: Vec> = + Vec::new(); for refresh_message_option in refresh_message_option_vec.into_iter().flatten() { diff --git a/src/refresh/state_machine.rs b/src/refresh/state_machine.rs index e4bccf0..1d23c51 100644 --- a/src/refresh/state_machine.rs +++ b/src/refresh/state_machine.rs @@ -19,20 +19,10 @@ use crate::utilities::sha2::Sha256; use std::{collections::HashMap, fmt, mem::replace, time::Duration}; use thiserror::Error; -pub type Round0Messages = Store< - BroadcastMsgs< - Option< - JoinMessage, - >, - >, ->; -pub type Round1Messages = Store< - BroadcastMsgs< - Option< - RefreshMessage, - >, - >, ->; +pub type Round0Messages = + Store>>>; +pub type Round1Messages = + Store>>>; pub struct KeyRefresh { // Current round @@ -401,16 +391,8 @@ pub struct ProtocolMessage(M); #[derive(Debug, Clone, Serialize, Deserialize)] #[allow(clippy::large_enum_variant)] enum M { - Round1( - Option< - JoinMessage, - >, - ), - Round2( - Option< - RefreshMessage, - >, - ), + Round1(Option>), + Round2(Option>), } // Error diff --git a/src/utilities/mod.rs b/src/utilities/mod.rs index cc5d9c7..62488e3 100644 --- a/src/utilities/mod.rs +++ b/src/utilities/mod.rs @@ -1,33 +1 @@ pub mod sha2; - -pub const SEC_PARAM: usize = 256; -pub const SEC_BYTES: usize = SEC_PARAM / 8; -pub const OT_PARAM: usize = 128; -pub const OT_BYTES: usize = OT_PARAM / 8; -pub const STAT_PARAM: usize = 80; - -// ZK_MOD_ITERATIONS is the number of iterations that are performed to prove the -// validity of a Paillier-Blum modulus N. -// Theoretically, the number of iterations corresponds to the statistical -// security parameter, and would be 80. -// The way it is used in the refresh protocol ensures that the prover cannot -// guess in advance the secret ρ used to instantiate the hash function. -// Since sampling primes is expensive, we argue that the security can be -// reduced. -pub const ZK_MOD_ITERATIONS: usize = 12; - -#[allow(clippy::identity_op)] -pub const L: usize = 1 * SEC_PARAM; // = 256 -pub const L_PRIME: usize = 5 * SEC_PARAM; // = 1280 -pub const EPSILON: usize = 2 * SEC_PARAM; // = 512 -pub const L_PLUS_EPSILON: usize = L + EPSILON; // = 768 -pub const L_PRIME_PLUS_EPSILON: usize = L_PRIME + EPSILON; // = 1792 - -pub const BITS_INT_MODN: usize = 8 * SEC_PARAM; // = 2048 -pub const BYTES_INT_MODN: usize = BITS_INT_MODN / 8; // = 256 - -pub const BITS_BLUM_PRIME: usize = 4 * SEC_PARAM; // = 1024 -pub const BITS_PAILLIER: usize = 2 * BITS_BLUM_PRIME; // = 2048 - -pub const BYTES_PAILLIER: usize = BITS_PAILLIER / 8; // = 256 -pub const BYTES_CIPHERTEXT: usize = 2 * BYTES_PAILLIER; // = 512