Update DKGs

Signed-off-by: Denis Varlakov <denis@dfns.co>

cggmp21-keygen/src/non_threshold.rs

@@ -103,11 +103,13 @@ mod unambiguous {
     #[derive(udigest::Digestable)]
     #[udigest(tag = prefixed!("schnorr_pok"))]
     #[udigest(bound = "")]
-    pub struct SchnorrPok<'a> {
+    pub struct SchnorrPok<'a, E: Curve> {
         pub sid: ExecutionId<'a>,
         pub prover: u16,
         #[udigest(as_bytes)]
         pub rid: &'a [u8],
+        pub X: &'a generic_ec::NonZero<generic_ec::Point<E>>,
+        pub sch_commit: &'a generic_ec_zkp::schnorr_pok::Commit<E>,
     }
 
     #[derive(udigest::Digestable)]
@@ -175,7 +177,7 @@ where
     let my_decommitment = MsgRound2 {
         rid,
         X: X_i,
-        sch_commit,
+        sch_commit: sch_commit.clone(),
         #[cfg(feature = "hd-wallet")]
         chain_code: chain_code_local,
         decommit: {
@@ -307,6 +309,8 @@ where
         sid,
         prover: i,
         rid: rid.as_ref(),
+        X: &X_i,
+        sch_commit: &sch_commit,
     });
     let challenge = schnorr_pok::Challenge { nonce: challenge };
 
@@ -337,6 +341,8 @@ where
             sid,
             prover: j,
             rid: rid.as_ref(),
+            X: &decom.X,
+            sch_commit: &decom.sch_commit,
         });
         let challenge = schnorr_pok::Challenge { nonce: challenge };
         sch_proof

shell.nix

@@ -1,16 +1,9 @@
-let # Rust
-  pkgs = import <nixpkgs> { overlays = [ rustOverlay ]; };
-  lib = pkgs.lib;
-  isDarwin = pkgs.hostPlatform.isDarwin;
+# shell for compiling latex spec
 
-  rustVersion = "1.75.0";
-  rustOverlay = import (builtins.fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz");
+let
+  pkgs = import <nixpkgs> {};
+  isDarwin = pkgs.hostPlatform.isDarwin;
 
-  rust = pkgs.rust-bin.stable.${rustVersion}.default.override {
-    extensions = [
-      "rust-src" # for rust-analyzer
-    ];
-  };
   # Latex
   tex = (pkgs.texlive.combine {
     inherit (pkgs.texlive) scheme-small
@@ -20,7 +13,7 @@ let # Rust
 in pkgs.stdenv.mkDerivation {
   name = "signers-env";
   nativeBuildInputs = [
-    rust pkgs.rust-analyzer tex pkgs.gnum4
+    tex
   ];
-  buildInputs = lib.optionals isDarwin [pkgs.darwin.apple_sdk.frameworks.Security];
+  buildInputs = pkgs.lib.optionals isDarwin [pkgs.darwin.apple_sdk.frameworks.Security];
 }

spec/main.tex

@@ -73,9 +73,12 @@
 
 \newcommand{\?}[1]{\stackrel{?}{#1}}
 
+\newcommand{\Bit}{\ensuremath{\{0{,}1\}}}
+
 \newcommand{\todo}[1]{\textbf{\color{Red}{TBD: #1}}}
 
 \renewcommand{\labelitemi}{--}
+\renewcommand{\labelitemiii}{--}
 
 \title{{\bf CGGMP Specification}}
 \author{
@@ -335,22 +338,22 @@ \subsubsection{Security Guidelines}
 \subsection{Unambiguous encoding}
 We require unambiguous encode function 
 
-$$\Encode{tag} : X_1 \times X_2 \times \dots \times X_n \to \{0, 1\}^*$$
+$$\Encode{tag} : X_1 \times X_2 \times \dots \times X_n \to \Bit^*$$
 
 which takes arguments $x_1 \in X_1, \dots, x_n \in X_n$ and produces their unambiguous bytes encoding.
 $X_i$ can be any domain that has bytes representation. E.g. if we encode an integer, then $X_i$ is set
 of all integers, or if we encode a UTF-8 string, then $X_i$ is set of all valid UTF-8 strings.
 
 Encoding function should satisfy these properties:
 \begin{itemize}
-\item {\bf Unambiguousy.} For fixed $x_1 \in X_1, \dots, x_n \in X_n$, $\Encode{tag}(x_1, \dots, x_n)$
-    outputs a bytestring unique for input arguments, i.e.:
+\item {\bf Injectivity.} $\Encode{tag}(x_1, \dots, x_n)$ has to be a one-to-one function, i.e. for each
+    set of arguments, $\Encode{}$ returns their byte-repesentation which is unique to those arguments.
 
     \begin{equation*}
     \begin{split}
-    & \forall x_1 \in X_1, \dots, x_n \in X_n \\
-    & \forall x'_1 \in X_1, \dots, x'_n \in X_n: (x_1 \ne x'_1 \lor \dots \lor x_n \ne x'_n) \\
-    & \Encode{tag}(x_1, \dots, x_n) \ne \Encode{tag}(x'_1, \dots, x'_n)
+    & \forall x_1,x'_1 \in X_1^2, \dots, x_n,x'_n \in X_n^2, \\
+    & (x_1 \ne x'_1 \lor \dots \lor x_n \ne x'_n) \implies
+      \Encode{tag}(x_1, \dots, x_n) \ne \Encode{tag}(x'_1, \dots, x'_n)
     \end{split}
     \end{equation*}
 \item {\bf Tag-dependence.} Tag should be unambiguously encoded into the output, so
@@ -591,7 +594,7 @@ \subsubsection{Interactive Version of the Proof}
 
   \item Given $N$, the challenge $y_1, \ldots, y_m$, and local state that includes $p, q, w$, the prover does the following for $i=1,\ldots,m$:
     \begin{enumerate}
-      \item Compute $a_i, b_i \in \{0,1\}$ such that $y'_i = (-1)^{a_i} w^{b_i} y_i \bmod N$ is a quadratic residue  modulo~$N$.
+      \item Compute $a_i, b_i \in \Bit$ such that $y'_i = (-1)^{a_i} w^{b_i} y_i \bmod N$ is a quadratic residue  modulo~$N$.
       \item Let $x_i$ be the principal\footnote{This means that $x_i$ is itself a quadratic residue.} 4th root of $y'_i$ modulo~$N$.
       \item Compute $N' = N^{-1} \bmod \phi(N)$ and set $z_i = y_i ^ {N'} \bmod N$.
     \end{enumerate}
@@ -634,7 +637,7 @@ \subsubsection{Interactive Version of the Proof}
     \end{itemize}
 The prover then sends first message $\{A_i\}_{i=1}^m$ and maintains local (secret) state $\{a_i\}_{i=1}^m$.
 
-  \item For $i=1, \ldots, m$, the verifier chooses $e_i \leftarrow \{0,1\}$, and sends $\{e_i\}_{i=1}^m$ to the prover.
+  \item For $i=1, \ldots, m$, the verifier chooses $e_i \leftarrow \Bit$, and sends $\{e_i\}_{i=1}^m$ to the prover.
 
   \item On input $N, s, t$, the challenge $\{e_i\}_{i=1}^m$, and local state including $\phi(N), \lambda$, and the $\{a_i\}_{i=1}^m$, for $i=1, \ldots, m$ the prover computes $z_i= a_i + e_i \cdot \lambda \bmod \phi(N)$. It sends $\{z_i\}_{i=1}^m$ to the verifier.
 
@@ -802,7 +805,7 @@ \subsection{\proof{sch}: Schnorr Proof of Knowledge}
     \item $\commit{sch}() \to (A; \alpha)$ \\
     $\alpha \gets \Z_q \\
     A = \alpha \cdot G$ \\
-    return $(\alpha, A)$
+    return $(A, \alpha)$
 
     \item $\challenge{sch}() \to e$ \\
     return $e \gets \Z_q$
@@ -854,7 +857,7 @@ \subsection{Provisioning Protocol}
      \item Sample  $r \gets \Z_{N_i}^{*}$ and $\lambda \gets \Z_\phi$,
         and compute $t_i = r_i^2 \bmod N_i$ and $s_i = t_i^\lambda \bmod N_i$.
       \item Compute $\hat{\psi}_i = \proveni{prm}^L((\sid, i), (N_i, s_i, t_i), (\phi, \lambda))$.
-      \item Sample $\rho_i, u_i \leftarrow \{0,1\}^\kappa$, 
+      \item Sample $\rho_i, u_i \leftarrow \Bit^\kappa$, 
         and compute $V_i =
         H(\Encode{hash\_com}(\sid, n, i, N_i, s_i, t_i, \hat{\psi}_i, \rho_i, u_i))$.
       \item Send $V_i$ to all parties.
@@ -867,7 +870,7 @@ \subsection{Provisioning Protocol}
       \item ({\bf Reliability check.}) Optionally, if the reliability check is enabled:
     \begin{itemize}
         \item 
-        Compute $h_i = H(\Encode{echo}(V_0, \dots, V_{n-1}))$ and 
+        Compute $h_i = H(\Encode{echo}(\sid, V_0, \dots, V_{n-1}))$ and 
             send $h_i$ to all parties.
 
 
@@ -939,38 +942,41 @@ \subsubsection{Non-Threshold (i.e., $n$-out-of-$n$) Key Generation}
 \begin{itemize}
     \item Sample $x_i \gets \Z_q$, 
           and set $X_i = x_i \cdot G$.
-    \item Sample $\rid_i \gets \{0,1\}^\kappa$.
+    \item Sample $\rid_i \gets \Bit^\kappa$.
     \item Compute $(A_i; \tau_i) = \commit{sch}()$.
     \item {\bf (HD-wallets.)} 
     \begin{itemize}
-      \item If HD-wallets support enabled, sample local chain code contribution $c_i \gets \{0,1\}^{256}$ (32-bytes string)
+      \item If HD-wallets support enabled, sample local chain code contribution $c_i \gets \Bit^{256}$ (32-bytes string)
       \item Otherwise, set $c_i = \bot$
     \end{itemize}
-    \item Sample $u_i \gets \{0,1\}^\kappa$
-          and set $V_i = H(\Encode{hash\_com}(\sid, n, i, \rid_i, X_i, A_i, u_i, c_i))$.
+    \item Sample $u_i \gets \Bit^\kappa$
+          and set $V_i = H(\Encode{hash\_com}(\sid, i, \rid_i, X_i, A_i, u_i, c_i))$.
     \item Send $V_i$ to all parties.
 \end{itemize}
 
-\item[\bf Round 2.] Upon receiving $V_j$ from all parties:
+\item[\bf Round 2.] Upon receiving $V_j \in \Bit^\kappa$ from all parties:
 \begin{itemize}
     \item {\bf (Reliability check.)} Optionally, if the reliability check is enabled:
 \begin{itemize}
-    \item Compute $h_i = H(\Encode{echo}(V_0, \dots, V_{n-1}))$ and
+    \item Compute $h_i = H(\Encode{echo}(\sid, V_0, \dots, V_{n-1}))$ and
         send $h_i$ to all parties.
 
-    \item Upon receiving $h_j$ from all other parties: abort if $h_i \neq h_j$ for some $j\in [n]$.
+    \item Upon receiving $h_j \in \Bit^\kappa$ from all other parties: abort if $h_i \neq h_j$ for some $j\in [n]$.
 \end{itemize}
     \item Send $(\rid_i, X_i, A_i, u_i, c_i)$ to all parties.
     \end{itemize}
 
 \item[\bf Round 3.] 
     Upon receiving $(\rid_j, X_j, A_j, u_j, c_j)$ from all other parties:
     \begin{itemize}
+    \item Abort if $(\rid_j, X_j, A_j, u_j) \notin (\Bit^\kappa, \E, \E, \Bit^\kappa)$
+          for some $j \in [n]$
     \item Abort if $V_j \neq H(\Encode{hash\_com}(\sid, n, j, \rid_j, X_j, A_j, u_j, c_j))$
           for some $j \in [n]$.
     \item Set $\rid = \bigoplus_j \rid_j$.
     \item {\bf (HD-wallets.)} If HD-wallets support enabled:
     \begin{itemize}
+      \item Check that $c_j \? \in \Bit^{256}$ for all $j \in [n]$
       \item Set chain code $c = \bigoplus_j c_j$
     \end{itemize}
     \item Set $e_i = \challengeni{sch}(\sid, i, \rid, X_i, A_i)$
@@ -979,7 +985,7 @@ \subsubsection{Non-Threshold (i.e., $n$-out-of-$n$) Key Generation}
     \end{itemize}
 
 \item[\bf Output.] 
-    Upon receiving $\psi_j$ from all other parties:
+    Upon receiving $\psi_j \in \Fq$ from all other parties:
     \begin{itemize}
     \item 
         For all $j \ne i$:
@@ -1011,33 +1017,33 @@ \subsubsection{Threshold (i.e., $t$-out-of-$n$) Key Generation}
 
   \item[\textbf{Round 1.}] \
     \begin{itemize}
-      \item Sample $s_{i,0}, \ldots, s_{i,{t-1}} \gets \Z_q$. 
+      \item Sample $s_{i,0}, \ldots, s_{i,{t-1}} \gets \Z_q^t$. 
             Set $\vec S_i = (s_{i,k} \cdot G)_{k \in [t]}$.
-            Let $f_i(x) = \sum_{k \in [t]} s_{i,k} \cdot x^k$ and $F_i(x) = f(x) \cdot G$.
+            Let $f_i(x) = \sum_{k \in [t]} s_{i,k} \cdot x^k$ and $F_i(x) = f_i(x) \cdot G$.
       \item Compute $\sigma_{i,j} = f_i(j + 1)$ for all $j \in [n]$.
-      \item Sample $\rid_i \gets \{0,1\}^\kappa$.
-      \item Compute $(A_i, \tau_i) \gets \commit{sch}()$. % $(r_i, h_i) \gets \commit{sch}()$
+      \item Sample $\rid_i \gets \Bit^\kappa$.
+      \item Compute $(A_i; \tau_i) \gets \commit{sch}()$. % $(r_i, h_i) \gets \commit{sch}()$
       \item {\bf (HD-wallets.)} 
       \begin{itemize}
-        \item If HD-wallets support enabled, sample local chain code contribution $c_i \gets \{0,1\}^{128}$ (32-bytes string)
+        \item If HD-wallets support enabled, sample local chain code contribution $c_i \gets \Bit^{256}$ (32-bytes string)
         \item Otherwise, set $c_i = \bot$
       \end{itemize}
 
-      \item Sample $u_i \gets \{0,1\}^\kappa$
-        and compute $V_i = H(\Encode{hash\_com}(\sid, n, i, t, \rid_i, \vec{S_i}, A_i, u_i, c_i))$.
+      \item Sample $u_i \gets \Bit^\kappa$
+        and compute $V_i = H(\Encode{hash\_com}(\sid, i, \rid_i, \vec{S_i}, A_i, u_i, c_i))$.
       \item Send $V_i$ to all parties.
     \end{itemize}
 
 
   \item[\textbf{Round 2.}] 
- Upon receiving $V_j$ from all parties:
+    Upon receiving $V_j \in \Bit^\kappa$ from all parties:
     \begin{itemize}
       \item {\bf (Reliability check.)} Optionally, if the reliability check is enabled:
     \begin{itemize}
         \item 
-        Compute $h_i = H(\Encode{echo}(V_0, \cdots, V_{n-1}))$, and send $h_i$ to all parties.
+        Compute $h_i = H(\Encode{echo}(\sid, V_0, \dots, V_{n-1}))$, and send $h_i$ to all parties.
 
-        \item Upon receiving $h_j$ from all  parties: abort if 
+        \item Upon receiving $h_j \in \Bit^\kappa$ from all  parties: abort if 
         $h_i \neq h_j$ for some $j \in [n]$.
     \end{itemize}
       \item Send $(\rid_i, \vec{S}_i, A_i, u_i, c_i)$ to all parties.
@@ -1049,15 +1055,19 @@ \subsubsection{Threshold (i.e., $t$-out-of-$n$) Key Generation}
     \begin{itemize}
       \item For each party $j \neq i$:
         \begin{itemize}
-        \item Check that $\vec{S}_j$ has length $t$.
-        \item Assert $V_j = H(\Encode{hash\_com}(\sid, n, j, t, \rid_j, \vec{S}_j, A_j, u_j, c_j))$.
+        \item Check that $(\rid_j, \vec{S}_j, A_j, u_j) \? \in (\Bit^\kappa, \E^t, \E, \Bit^\kappa)$
+          \begin{itemize}
+          \item Note: make sure that $\vec{S}_j$ has length $t$
+          \end{itemize}
+        \item Assert $V_j \? = H(\Encode{hash\_com}(\sid, n, j, t, \rid_j, \vec{S}_j, A_j, u_j, c_j))$.
         \item Define 
           $F_j(x) = \sum_{k \in [t]} x^k \cdot S_{j,k}$.
-        \item Assert $\sigma_{j,i} \cdot G  = F_j(i + 1)$.
+        \item Assert $\sigma_{j,i} \cdot G \? = F_j(i + 1)$.
         \end{itemize}
         \item Compute $\rid = \bigoplus_{j \in [n]} \rid_j$.
         \item {\bf (HD-wallets.)} If HD-wallets support enabled:
         \begin{itemize}
+          \item Check that $c_j \? \in \Bit^{256}$ for all $j \in [n]$
           \item Set chain code $c = \bigoplus_{j \in [n]} c_j$
         \end{itemize}
         \item Let $F(x) = \sum_{k \in [t]} x^k \cdot \left(\sum_{j\in [n]} S_{j,k}\right) = \sum_{j \in [n]} F_j(x)$. 
@@ -1071,13 +1081,13 @@ \subsubsection{Threshold (i.e., $t$-out-of-$n$) Key Generation}
     \end{itemize}
 
   \item[\textbf{Output.}] 
-  Upon receiving $\psi_j$ from all parties:
+  Upon receiving $\psi_j \in \Fq$ from all parties:
     \begin{itemize}
       \item For $j \neq i$:
       set $e_j = \challengeni{sch}(\sid, j, \rid, X_j, A_j)$ and 
       assert $\verify{sch}(\psi_j, A_j, e_j, X_j)$.
       \item Compute $Y = \sum_{j \in [n]} S_{j,0}$.
-      \item Create identity mapping $I : [n] \to \Z_q \setminus 0$,
+      \item Create identity mapping $I : [n] \to \Z_q \setminus \{0\}$,
         $I(i) = i + 1$.
       \item Return $(Y, x_i, \vec{X}, I, c)$.
     \end{itemize}
@@ -1117,7 +1127,7 @@ \subsubsection{Non-Threshold ($n$-out-of-$n$) Presigning} \label{section:orig-pr
     \begin{itemize}
      \item {\bf (Reliability check.)} Optionally, if the reliability check is enabled:
     \begin{itemize}
-        \item Compute $h_i = H(\Encode{echo}(K_0, G_0, \cdots, K_{n-1}, G_{n-1}))$
+        \item Compute $h_i = H(\Encode{echo}(\sid, K_0, G_0, \cdots, K_{n-1}, G_{n-1}))$
         and 
         send $h_i$ to all parties.
 
@@ -1391,8 +1401,8 @@ \section{Original presigning protocol}
       compute $(A_i^j, \tau_i^j) \gets \commit{sch}()$. Set
         $\vec{A_i} = (A_i^j)_{j \in [n]}, \vec{\tau} = (\tau_i^j)_{j \in [n]}$.
         %\jnote{We could potentially optimize this so only one proof is needed}
-      \item Sample $\rho_i \gets \{0,1\}^\kappa$.
-      \item Sample nonce $u_i \gets \{0,1\}^\kappa$ % another value in code
+      \item Sample $\rho_i \gets \Bit^\kappa$.
+      \item Sample nonce $u_i \gets \Bit^\kappa$ % another value in code
         and compute $V_i =
         H(\sid\| n\| i\| \vec{X}_i\| \vec{A}_i\| N_i\| s_i\| t_i\| \hat{\psi}_i\| \rho_i\| u_i)$.
       \item Broadcast $V_i$ to all parties.
@@ -1401,7 +1411,7 @@ \section{Original presigning protocol}
     \item[\bf Reliability check.] Optionally, if reliability check is enabled:
     \begin{itemize}
         \item Upon receiving $V_j$ from all parties:
-        set $h_i = H(\Encode{echo}(V_0, \dots, V_{n-1}))$
+        set $h_i = H(\Encode{echo}(\sid, V_0, \dots, V_{n-1}))$
             and send $h_i$ to all parties.
 
         \item Upon receiving $h_j$ from all  parties: