
Update the spec #128

Merged
merged 21 commits into from
Feb 28, 2025

Conversation

survived
Contributor

@survived survived commented Jan 8, 2025

The spec is currently in a state of chaos:

  • main.tex is poorly formatted, as several people were writing and rewriting it with different style preferences. E.g. different parts of the spec use 2-space indent, while others use 4-space
  • Large parts of the spec are commented out, which should probably be deleted or addressed (if it's a kind of todo remark)
  • Sometimes different notations are used
  • Sometimes the spec doesn't reflect what happens in the code

The idea of this PR is to update the spec sources to have uniform formatting, make the sources easier to read, preferably use a formatting tool and integrate it into CI. Also, unify notations and sync the spec and the code where they are not synced.

In addition to that, I also want to make the types of the messages received during the protocols explicit, e.g.

  • instead of "Upon receiving $\psi_j$ from all parties, ..."
  • say this: "Upon receiving $\psi_j \in \mathbb F_q$ from all parties, ..."

which explicitly says that the implementation does need to check that we received an integer in $\mathbb F_q$.

Progress:

  • Aux gen
  • DKG (threshold & non-threshold)
  • Signing
  • Unify formatting & find fmt tool

Signed-off-by: Denis Varlakov <denis@dfns.co>
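What "$\psi_j \in \mathbb F_q$" obliges the receiving party to do is a concrete input check: the wire bytes must decode to an integer in $[0, q)$, and anything else (wrong length, or a value at or above $q$) must be rejected before it enters any arithmetic. The following is an added, stand-alone illustration of that check, not code from the cggmp21 repository; it assumes the secp256k1 group order as $q$ and a 32-byte big-endian encoding for received scalars, and the `Scalar`, `receive_all` and party-index names are hypothetical.

```rust
// Added example (not part of the cggmp21 repository): enforcing "psi_j in F_q"
// on a received message. Assumptions: q is the secp256k1 group order and
// scalars arrive as 32-byte big-endian encodings.

/// Order q of the secp256k1 group, big-endian (assumed curve).
pub const Q: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
    0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];

#[derive(Debug, PartialEq, Eq)]
pub enum ScalarError {
    /// Wrong byte length: a non-canonical encoding is rejected outright
    /// rather than being truncated or zero-extended.
    BadLength(usize),
    /// An integer, but >= q, so not a canonical element of F_q.
    NotReduced,
}

/// A received field element; constructing one guarantees 0 <= value < q.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Scalar([u8; 32]);

impl Scalar {
    /// Parse psi_j from its wire encoding, rejecting anything outside F_q.
    pub fn from_wire(bytes: &[u8]) -> Result<Scalar, ScalarError> {
        let arr: [u8; 32] = bytes
            .try_into()
            .map_err(|_| ScalarError::BadLength(bytes.len()))?;
        if !lt_be(&arr, &Q) {
            return Err(ScalarError::NotReduced);
        }
        Ok(Scalar(arr))
    }

    pub fn to_bytes(&self) -> [u8; 32] {
        self.0
    }
}

/// Branch-free "a < b" on equal-length big-endian byte strings: subtract
/// byte by byte from the least significant end and keep the borrow. a < b
/// exactly when a borrow survives the most significant byte. (The values
/// here are public, so constant time is a habit rather than a requirement.)
fn lt_be(a: &[u8; 32], b: &[u8; 32]) -> bool {
    let mut borrow: u16 = 0;
    for i in (0..32).rev() {
        let diff = (a[i] as u16).wrapping_sub(b[i] as u16).wrapping_sub(borrow);
        borrow = (diff >> 15) & 1; // top bit set iff the subtraction went negative
    }
    borrow == 1
}

/// "Upon receiving psi_j in F_q from all parties": validate every message and
/// name the offending party (hypothetical u16 index) instead of failing anonymously.
pub fn receive_all(msgs: &[(u16, Vec<u8>)]) -> Result<Vec<(u16, Scalar)>, (u16, ScalarError)> {
    msgs.iter()
        .map(|(j, m)| Scalar::from_wire(m).map(|s| (*j, s)).map_err(|e| (*j, e)))
        .collect()
}

fn main() {
    // Constructed round: party 2 sends q itself, which is not in F_q.
    let msgs = vec![
        (1u16, vec![0u8; 32]),
        (2u16, Q.to_vec()),
        (3u16, vec![1u8; 32]),
    ];
    match receive_all(&msgs) {
        Ok(ok) => println!("accepted {} scalars", ok.len()),
        Err((party, e)) => println!("rejected message from party {party}: {e:?}"),
    }
}
```

Distinguishing `BadLength` from `NotReduced` matters in a multi-party protocol: both abort the round, but the error identifies which party sent the malformed value, which is what an identifiable-abort design needs to record.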
@survived survived marked this pull request as draft January 8, 2025 16:54

github-actions bot commented Jan 8, 2025

The spec was successfully compiled. PDF is available here.


github-actions bot commented Jan 8, 2025

Benchmark Result

Benchmarks
RUST_TESTS_SEED=c1bb4399ff43dc8b7995a638acf6eb124321dfd657fa8ccbb89ac764f3d78053
n = 3

Non-threshold DKG
Protocol Performance:
  - Protocol took 520.03µs to complete
In particular:
  - Stage: 5.95µs
    - Setup networking: 5.69µs (95.6%)
    - Unstaged: 260.00ns (4.4%)
  - Round 1: 145.03µs
    - Sample x_i, rid_i, chain_code: 64.95µs (44.8%)
    - Sample schnorr commitment: 57.98µs (40.0%)
    - Commit to public data: 21.80µs (15.0%)
    - Unstaged: 300.00ns (0.2%)
  - Round 2: 1.24µs
    - Hash received msgs (reliability check): 1.07µs (86.3%)
    - Unstaged: 170.00ns (13.7%)
  - Round 3: 272.00ns
    - Assert other parties hashed messages (reliability check): 141.00ns (51.8%)
    - Unstaged: 131.00ns (48.2%)
  - Round 4: 66.97µs
    - Validate decommitments: 32.53µs (48.6%)
    - Calculate chain_code: 611.00ns (0.9%)
    - Calculate challenge rid: 33.40µs (49.9%)
    - Prove knowledge of `x_i`: 290.00ns (0.4%)
    - Unstaged: 130.00ns (0.2%)
  - Round 5: 300.56µs
    - Validate schnorr proofs: 295.83µs (98.4%)
    - Unstaged: 4.73µs (1.6%)


Threshold DKG
Protocol Performance:
  - Protocol took 1.28ms to complete
In particular:
  - Stage: 2.25µs
    - Setup networking: 2.18µs (96.9%)
    - Unstaged: 70.00ns (3.1%)
  - Round 1: 199.93µs
    - Sample rid_i, schnorr commitment, polynomial, chain_code: 174.93µs (87.5%)
    - Commit to public data: 24.77µs (12.4%)
    - Unstaged: 240.00ns (0.1%)
  - Round 2: 1.29µs
    - Hash received msgs (reliability check): 1.14µs (88.3%)
    - Unstaged: 151.00ns (11.7%)
  - Round 3: 380.00ns
    - Assert other parties hashed messages (reliability check): 260.00ns (68.4%)
    - Unstaged: 120.00ns (31.6%)
  - Round 4: 780.04µs
    - Validate decommitments: 48.30µs (6.2%)
    - Validate data size: 280.00ns (0.0%)
    - Validate Feldman VSS: 347.31µs (44.5%)
    - Compute rid: 160.00ns (0.0%)
    - Compute chain_code: 521.00ns (0.1%)
    - Compute Ys: 349.98µs (44.9%)
    - Compute sigma: 330.00ns (0.0%)
    - Calculate challenge: 32.80µs (4.2%)
    - Prove knowledge of `sigma_i`: 220.00ns (0.0%)
    - Unstaged: 140.00ns (0.0%)
  - Round 5: 297.93µs
    - Validate schnorr proofs: 296.36µs (99.5%)
    - Derive resulting public key and other data: 1.30µs (0.4%)
    - Unstaged: 270.00ns (0.1%)


Auxiliary data generation protocol
Protocol Performance:
  - Protocol took 9.61s to complete
In particular:
  - Stage: 14.87µs
    - Retrieve auxiliary data: 190.00ns (1.3%)
    - Setup networking: 14.61µs (98.3%)
    - Unstaged: 70.00ns (0.5%)
  - Round 1: 1.17s
    - Retrieve primes (p and q): 90.00ns (0.0%)
    - Compute paillier decryption key (N): 5.94µs (0.0%)
    - Generate auxiliary params r, λ, t, s: 9.12ms (0.8%)
    - Prove Πprm (ψˆ_i): 1.16s (99.2%)
    - Sample random bytes: 2.72µs (0.0%)
    - Compute hash commitment and sample decommitment: 308.31µs (0.0%)
    - Unstaged: 240.00ns (0.0%)
  - Round 2: 2.30µs
    - Hash received msgs (reliability check): 1.88µs (82.0%)
    - Unstaged: 412.00ns (18.0%)
  - Round 3: 451.00ns
    - Assert other parties hashed messages (reliability check): 291.00ns (64.5%)
    - Unstaged: 160.00ns (35.5%)
  - Round 4: 5.93s
    - Validate round 1 decommitments: 596.22µs (0.0%)
    - Validate П_prm (ψ_i): 2.31s (39.0%)
    - Add together shared random bytes: 1.26µs (0.0%)
    - Compute П_mod (ψ_i): 3.45s (58.1%)
    - Assemble security params for П_fac (ф_i): 6.07µs (0.0%)
    - Compute П_fac (ф_i^j): 172.23ms (2.9%)
    - Unstaged: 1.03µs (0.0%)
  - Round 5: 2.51s
    - Validate ψ_j (П_mod): 2.34s (93.1%)
    - Validate ф_j (П_fac): 173.28ms (6.9%)
    - Assemble auxiliary info: 145.97µs (0.0%)
    - Unstaged: 852.00ns (0.0%)


Signing protocol
Protocol Performance:
  - Protocol took 1.60s to complete
In particular:
  - Stage: 145.05µs
    - Map t-out-of-n protocol to t-out-of-t: 74.59µs (51.4%)
    - Retrieve auxiliary data: 65.93µs (45.5%)
    - Precompute execution id and security params: 601.00ns (0.4%)
    - Setup networking: 3.83µs (2.6%)
    - Unstaged: 101.00ns (0.1%)
  - Round 1: 117.41ms
    - Generate local ephemeral secrets (k_i, y_i, p_i, v_i): 48.92µs (0.0%)
    - Encrypt G_i and K_i: 35.90ms (30.6%)
    - Prove ψ0_j: 81.46ms (69.4%)
    - Unstaged: 752.00ns (0.0%)
  - Round 2: 14.67µs
    - Hash received msgs (reliability check): 14.47µs (98.6%)
    - Unstaged: 201.00ns (1.4%)
  - Round 3: 808.33ms
    - Assert other parties hashed messages (reliability check): 831.00ns (0.0%)
    - Verify psi0 proofs: 92.68ms (11.5%)
    - Sample random r, hat_r, s, hat_s, beta, hat_beta: 11.56µs (0.0%)
    - Encrypt D_ji: 70.68ms (8.7%)
    - Encrypt F_ji: 35.94ms (4.4%)
    - Encrypt hat_D_ji: 70.53ms (8.7%)
    - Encrypt hat_F_ji: 35.91ms (4.4%)
    - Prove psi_ji: 209.68ms (25.9%)
    - Prove psiˆ_ji: 211.22ms (26.1%)
    - Prove psi_prime_ji : 81.68ms (10.1%)
    - Unstaged: 1.39µs (0.0%)
  - Round 4: 576.97ms
    - Retrieve auxiliary data: 3.69µs (0.0%)
    - Validate psi: 165.46ms (28.7%)
    - Validate hat_psi: 165.15ms (28.6%)
    - Validate psi_prime: 92.73ms (16.1%)
    - Compute Gamma, Delta_i, delta_i, chi_i: 72.11ms (12.5%)
    - Prove psi_prime_prime: 81.52ms (14.1%)
    - Unstaged: 472.00ns (0.0%)
  - Presig output: 93.16ms
    - Validate psi_prime_prime: 93.02ms (99.9%)
    - Calculate presignature: 134.13µs (0.1%)
    - Unstaged: 1.02µs (0.0%)
  - Partial signing: 8.42µs
  - Signature reconstruction: 197.29µs


Contributor Author

@survived survived left a comment


A few thoughts after having gone through aux gen protocol

//! l: 4,
//! epsilon: 128,
//! l: 256,
//! epsilon: 230,
@survived survived marked this pull request as ready for review January 14, 2025 09:51
@survived survived requested a review from maurges January 14, 2025 09:51
@survived
Contributor Author

@maurges can you take a look before I start rewriting all proofs?

@maurges
Contributor

maurges commented Jan 21, 2025

> @maurges can you take a look before I start rewriting all proofs?

Looks good, go ahead

@survived
Contributor Author

Can you check this out? @maurges I've updated all proofs. Next I want to update the protocol specs so they also use algorithmic, but I want to let you review the proofs first, so you can see the changes in the protocols that I had to make due to changes in the proofs.

Overall, there are no significant changes; I just unified notation and sometimes rearranged the order of arguments. I also reviewed all ZK proof implementations again to check that they are aligned with the spec, and all looks good.

@survived
Contributor Author

@maurges the final touch: I updated all protocols to use algorithmic for consistency. That's all I wanted to do within this PR

@survived
Contributor Author

well, not counting automatic formatting, but it turns out that it's easier to migrate to typst...

@survived
Contributor Author

(@maurges it's ready for the final review)

@maurges
Contributor

maurges commented Feb 21, 2025

[Screenshot 2025-02-21 at 14 10 18]

In provisioning protocol: I don't see this in the code, and don't see it being used in the description either

@maurges
Contributor

maurges commented Feb 21, 2025

[Screenshot 2025-02-21 at 14 13 40]

A line in n-of-n keygen got fucked up a bit. Maybe my pdflatex bug

@maurges
Contributor

maurges commented Feb 21, 2025

[Screenshot 2025-02-21 at 15 26 06]

n out of n presigning round 1: in the other places you write j \in [n] \minus {i}. You use this old notation in a couple of other places in this protocol

@survived
Contributor Author

survived commented Feb 25, 2025

> [Screenshot 2025-02-21 at 14 13 40]
>
> A line in n-of-n keygen got fucked up a bit. Maybe my pdflatex bug

Looks fine on my end:

[image]

@maurges
Contributor

maurges commented Feb 26, 2025

Looks good. I'd like to have one rephrasing in discussion here #128 (review) and that's it

@survived survived merged commit 391cd1b into cggmp24/m Feb 28, 2025
20 checks passed
@survived survived deleted the cggmp24/update-specs branch February 28, 2025 11:48