Merge pull request #406 from EspressoSystems/ax/reshare-core

Key resharing for Feldman VSS

Author: alxiong

timeboost-crypto/src/feldman.rs

@@ -6,13 +6,14 @@ use ark_serialize::{CanonicalSerialize, SerializationError, serialize_to_vec};
 use ark_std::marker::PhantomData;
 use ark_std::rand::Rng;
 use derive_more::{Deref, From, IntoIterator};
+use rayon::prelude::*;
 use serde::{Deserialize, Serialize};
 use serde_with::serde_as;
-use std::{iter::successors, num::NonZeroUsize};
+use std::{iter::successors, num::NonZeroUsize, ops::Add};
 
 use crate::{
-    interpolation::interpolate,
-    traits::dkg::{VerifiableSecretSharing, VssError},
+    interpolation::{interpolate, interpolate_in_exponent},
+    traits::dkg::{KeyResharing, VerifiableSecretSharing, VssError},
 };
 
 /// Feldman VSS: <https://www.cs.umd.edu/~gasarch/TOPICS/secretsharing/feldmanVSS.pdf>
@@ -152,27 +153,26 @@ impl<C: CurveGroup> VerifiableSecretSharing for FeldmanVss<C> {
 
     fn reconstruct(
         pp: &Self::PublicParam,
-        shares: impl Iterator<Item = (usize, Self::SecretShare)>,
+        shares: impl ExactSizeIterator<Item = (usize, Self::SecretShare)> + Clone,
     ) -> Result<Self::Secret, VssError> {
-        let shares = shares.collect::<Vec<_>>();
         let n = pp.n.get();
         let t = pp.t.get();
         // input validation
         if shares.len() != t {
             return Err(VssError::MismatchedSharesCount(t, shares.len()));
         }
-        for (idx, _) in shares.iter() {
-            if *idx >= n {
-                return Err(VssError::IndexOutOfBound(n - 1, *idx));
+        for (idx, _) in shares.clone() {
+            if idx >= n {
+                return Err(VssError::IndexOutOfBound(n - 1, idx));
             }
         }
 
         // Lagrange interpolate to get back the secret
         let eval_points: Vec<_> = shares
-            .iter()
-            .map(|&(idx, _)| C::ScalarField::from(idx as u64 + 1))
+            .clone()
+            .map(|(idx, _)| C::ScalarField::from(idx as u64 + 1))
             .collect();
-        let evals: Vec<_> = shares.iter().map(|&(_, share)| share).collect();
+        let evals: Vec<_> = shares.map(|(_, share)| share).collect();
         interpolate::<C>(&eval_points, &evals)
             .map_err(|e| VssError::FailedReconstruction(e.to_string()))
     }
@@ -206,15 +206,130 @@ impl<C: CurveGroup> FeldmanCommitment<C> {
     pub fn try_from_bytes<const N: usize>(value: &[u8]) -> Result<Self, SerializationError> {
         crate::try_from_bytes::<Self, N>(value)
     }
-
     pub fn try_from_str<const N: usize>(value: &str) -> Result<Self, SerializationError> {
         crate::try_from_str::<Self, N>(value)
     }
 }
 
+impl<C: CurveGroup> Add<FeldmanCommitment<C>> for FeldmanCommitment<C> {
+    type Output = FeldmanCommitment<C>;
+
+    fn add(self, other: FeldmanCommitment<C>) -> Self::Output {
+        &self + &other
+    }
+}
+
+impl<C: CurveGroup> Add<&FeldmanCommitment<C>> for FeldmanCommitment<C> {
+    type Output = FeldmanCommitment<C>;
+
+    fn add(self, other: &FeldmanCommitment<C>) -> Self::Output {
+        &self + other
+    }
+}
+
+impl<C: CurveGroup> Add<&FeldmanCommitment<C>> for &FeldmanCommitment<C> {
+    type Output = FeldmanCommitment<C>;
+
+    fn add(self, other: &FeldmanCommitment<C>) -> Self::Output {
+        let combined: Vec<C> = self
+            .comm
+            .iter()
+            .zip(other.comm.iter())
+            .map(|(x, y)| *x + y)
+            .collect();
+        C::normalize_batch(&combined).into()
+    }
+}
+
+impl<C: CurveGroup> KeyResharing<Self> for FeldmanVss<C> {
+    fn reshare<R: Rng>(
+        new_pp: &FeldmanVssPublicParam,
+        old_share: &C::ScalarField,
+        rng: &mut R,
+    ) -> (Vec<C::ScalarField>, FeldmanCommitment<C>) {
+        let (poly, comm) = Self::rand_poly_and_commit(new_pp, *old_share, rng);
+        let reshares = Self::compute_shares(new_pp, &poly).collect();
+        (reshares, comm)
+    }
+
+    fn verify_reshare(
+        old_pp: &FeldmanVssPublicParam,
+        new_pp: &FeldmanVssPublicParam,
+        send_node_idx: usize,
+        recv_node_idx: usize,
+        old_commitment: &FeldmanCommitment<C>,
+        row_commitment: &FeldmanCommitment<C>,
+        reshare: &C::ScalarField,
+    ) -> Result<(), VssError> {
+        let old_public_share = Self::derive_public_share(old_pp, send_node_idx, old_commitment)?;
+        let new_public_share = Self::derive_public_share(new_pp, recv_node_idx, row_commitment)?;
+
+        if C::generator().mul(reshare) == new_public_share
+            && row_commitment[0] == old_public_share.into_affine()
+        {
+            Ok(())
+        } else {
+            Err(VssError::FailedVerification)
+        }
+    }
+
+    fn combine(
+        old_pp: &FeldmanVssPublicParam,
+        new_pp: &FeldmanVssPublicParam,
+        recv_node_idx: usize,
+        reshares: impl ExactSizeIterator<Item = (usize, C::ScalarField, FeldmanCommitment<C>)> + Clone,
+    ) -> Result<(C::ScalarField, FeldmanCommitment<C>), VssError> {
+        // input validation
+        let n = old_pp.n.get();
+        if reshares.len() == 0 {
+            return Err(VssError::EmptyReshare);
+        }
+        for (idx, _, _) in reshares.clone() {
+            if idx >= n {
+                return Err(VssError::IndexOutOfBound(n - 1, idx));
+            }
+        }
+
+        let new_n = new_pp.n.get();
+        let new_t = new_pp.t.get();
+        if recv_node_idx >= new_n {
+            return Err(VssError::IndexOutOfBound(new_n - 1, recv_node_idx));
+        }
+        for (_, _, row_commitment) in reshares.clone() {
+            if row_commitment.len() != new_t {
+                return Err(VssError::InvalidCommitment);
+            }
+        }
+
+        // interpolate reshares to get new secret share
+        let eval_points: Vec<_> = reshares
+            .clone()
+            .map(|(idx, _, _)| C::ScalarField::from(idx as u64 + 1))
+            .collect();
+        let recv_reshares: Vec<_> = reshares.clone().map(|(_, share, _)| share).collect();
+        let new_secret = interpolate::<C>(&eval_points, &recv_reshares)
+            .map_err(|e| VssError::FailedCombine(e.to_string()))?;
+
+        // interpolate in the exponent to get new Feldman commitment
+        let row_commitments: Vec<_> = reshares.map(|(_, _, commitment)| commitment).collect();
+        let new_commitment = (0..new_t)
+            .into_par_iter()
+            .map(|j| {
+                let j_th_coeffs: Vec<C::Affine> =
+                    row_commitments.iter().map(|row| row[j]).collect();
+                interpolate_in_exponent::<C>(&eval_points, &j_th_coeffs)
+                    .map_err(|e| VssError::FailedCombine(e.to_string()))
+            })
+            .collect::<Result<Vec<_>, VssError>>()?;
+        let new_commitment = C::normalize_batch(&new_commitment);
+
+        Ok((new_secret, new_commitment.into()))
+    }
+}
+
 #[cfg(test)]
 mod tests {
-    use ark_bls12_381::G1Projective;
+    use ark_bls12_381::{Fr, G1Projective};
     use ark_std::{UniformRand, rand::seq::SliceRandom, test_rng};
 
     use super::*;
@@ -297,4 +412,160 @@ mod tests {
     fn test_feldman_vss() {
         test_feldman_vss_helper::<G1Projective>();
     }
+
+    // Core key resharing workflow
+    fn run_reshare_scenario(
+        old_t: usize,
+        old_n: usize,
+        new_t: usize,
+        new_n: usize,
+        rng: &mut impl Rng,
+    ) {
+        let old_pp = FeldmanVssPublicParam::new(
+            NonZeroUsize::new(old_t).unwrap(),
+            NonZeroUsize::new(old_n).unwrap(),
+        );
+        let new_pp = FeldmanVssPublicParam::new(
+            NonZeroUsize::new(new_t).unwrap(),
+            NonZeroUsize::new(new_n).unwrap(),
+        );
+
+        let secret = Fr::rand(rng);
+
+        let (old_shares, old_commitment) = FeldmanVss::<G1Projective>::share(&old_pp, rng, secret);
+
+        // Verify original shares
+        for (node_idx, share) in old_shares.iter().enumerate() {
+            assert!(
+                FeldmanVss::<G1Projective>::verify(&old_pp, node_idx, share, &old_commitment)
+                    .is_ok()
+            );
+        }
+
+        let mut reshare_matrix = Vec::new();
+        let mut row_commitments = Vec::new();
+
+        for old_share in old_shares.iter() {
+            let (reshare_row, row_commitment) =
+                FeldmanVss::<G1Projective>::reshare(&new_pp, old_share, rng);
+            reshare_matrix.push(reshare_row);
+            row_commitments.push(row_commitment);
+        }
+
+        // Verify reshares
+        for i in 0..old_n {
+            for j in 0..new_n {
+                assert!(
+                    FeldmanVss::<G1Projective>::verify_reshare(
+                        &old_pp,
+                        &new_pp,
+                        i,
+                        j,
+                        &old_commitment,
+                        &row_commitments[i],
+                        &reshare_matrix[i][j],
+                    )
+                    .is_ok()
+                );
+            }
+        }
+
+        let mut new_shares = Vec::new();
+        let mut new_commitments = Vec::new();
+
+        for j in 0..new_n {
+            let recv_reshares: Vec<Fr> = (0..old_t)
+                .collect::<Vec<_>>()
+                .iter()
+                .map(|&i| reshare_matrix[i][j])
+                .collect();
+            let selected_row_commitments: Vec<FeldmanCommitment<_>> =
+                (0..old_t).map(|i| row_commitments[i].clone()).collect();
+
+            let reshares_iter =
+                (0..old_t).map(|i| (i, recv_reshares[i], selected_row_commitments[i].clone()));
+            let (new_secret_share, new_commitment) =
+                FeldmanVss::<G1Projective>::combine(&old_pp, &new_pp, j, reshares_iter).unwrap();
+
+            new_shares.push(new_secret_share);
+            new_commitments.push(new_commitment);
+
+            assert!(
+                FeldmanVss::<G1Projective>::verify(
+                    &new_pp,
+                    j,
+                    &new_secret_share,
+                    &new_commitments[j]
+                )
+                .is_ok()
+            );
+        }
+
+        // Reconstruct secret
+        let reconstructed_secret = FeldmanVss::<G1Projective>::reconstruct(
+            &new_pp,
+            (0..new_t).map(|i| (i, new_shares[i])),
+        )
+        .unwrap();
+
+        assert_eq!(reconstructed_secret, secret);
+    }
+
+    // Test success-path for identical (t,n) → (t',n') case
+    #[test]
+    fn test_key_resharing_identical_params() {
+        let rng = &mut test_rng();
+
+        // Run 7 random trials (between 5-10)
+        for _ in 0..7 {
+            // Generate random (t,n) parameters
+            let n = rng.gen_range(5..12);
+            let t = rng.gen_range(2..n);
+            run_reshare_scenario(t, n, t, n, rng);
+        }
+    }
+
+    // Test success-path for different (t,n) → (t',n') cases
+    #[test]
+    fn test_key_resharing_different_threshold_committee_sizes() {
+        let rng = &mut test_rng();
+
+        // Run multiple random trials with different parameter combinations
+        for _ in 0..10 {
+            // Randomly choose (t,n) parameters for the original committee
+            let old_n = rng.gen_range(5..15);
+            let old_t = rng.gen_range(2..old_n);
+
+            // Randomly choose (t',n') parameters for the new committee with variations
+            // Sometimes larger, sometimes smaller than original
+            let new_n = match rng.gen_range(0..3) {
+                0 => rng.gen_range(5..old_n),  // Smaller committee
+                1 => rng.gen_range(old_n..20), // Larger committee
+                _ => rng.gen_range(5..20),     // Random size
+            };
+            let new_t = rng.gen_range(2..new_n);
+
+            run_reshare_scenario(old_t, old_n, new_t, new_n, rng);
+        }
+    }
+
+    // Test specific edge cases for minimal thresholds and committee size limits
+    #[test]
+    fn test_edge_case_minimal_thresholds() {
+        let rng = &mut test_rng();
+
+        // Edge case scenarios: (t, n) → (t', n')
+        let test_cases = vec![
+            ((1, 3), (1, 5)), // (t=1, n=3) → (t'=1, n'=5): minimal threshold expanding committee
+            ((2, 2), (2, 2)), // (t=2, n=2) → (t'=2, n'=2): minimal committee size (t=n)
+            ((1, 2), (1, 3)), // (t=1, n=2) → (t'=1, n'=3): minimal viable committee expanding
+            ((1, 4), (1, 2)), // (t=1, n=4) → (t'=1, n'=2): shrinking to minimal viable size
+            ((2, 3), (1, 4)), // (t=2, n=3) → (t'=1, n'=4): threshold reduction with expansion
+            ((1, 5), (2, 3)), // (t=1, n=5) → (t'=2, n'=3): threshold increase with shrinking
+        ];
+
+        for ((old_t, old_n), (new_t, new_n)) in test_cases {
+            run_reshare_scenario(old_t, old_n, new_t, new_n, rng);
+        }
+    }
 }