introduce VSS::aggregate() and ResultIter to avoid copy during from_dkg()

Author: alxiong

timeboost-crypto/src/feldman.rs

@@ -211,7 +211,14 @@ impl<C: CurveGroup> FeldmanCommitment<C> {
     }
 }
 
-// Implementation of Add trait for FeldmanCommitment + &FeldmanCommitment
+impl<C: CurveGroup> Add<FeldmanCommitment<C>> for FeldmanCommitment<C> {
+    type Output = FeldmanCommitment<C>;
+
+    fn add(self, other: FeldmanCommitment<C>) -> Self::Output {
+        &self + &other
+    }
+}
+
 impl<C: CurveGroup> Add<&FeldmanCommitment<C>> for FeldmanCommitment<C> {
     type Output = FeldmanCommitment<C>;
 
@@ -220,7 +227,6 @@ impl<C: CurveGroup> Add<&FeldmanCommitment<C>> for FeldmanCommitment<C> {
     }
 }
 
-// Implementation of Add trait for &FeldmanCommitment + &FeldmanCommitment
 impl<C: CurveGroup> Add<&FeldmanCommitment<C>> for &FeldmanCommitment<C> {
     type Output = FeldmanCommitment<C>;
 

timeboost-crypto/src/traits/dkg.rs

@@ -1,6 +1,7 @@
 //! Traits related to Distributed Key Generation (DKG) and Key Resharing
 
 use ark_std::rand::Rng;
+use std::ops::Add;
 use thiserror::Error;
 
 /// A trait for (t, n)-Verifiable Secret Sharing (VSS) schemes.
@@ -53,6 +54,22 @@ pub trait VerifiableSecretSharing {
         pp: &Self::PublicParam,
         shares: impl ExactSizeIterator<Item = (usize, Self::SecretShare)> + Clone,
     ) -> Result<Self::Secret, VssError>;
+
+    /// Aggregates multiple commitments and secret shares into a single commitment and secret share.
+    ///
+    /// This is commonly used in DKG protocols to combine multiple dealings/contributions.
+    ///
+    /// Returns `Ok((secret_share, commitment))` if aggregation succeeds
+    fn aggregate<I>(dealings: I) -> Result<(Self::SecretShare, Self::Commitment), VssError>
+    where
+        I: Iterator<Item = (Self::SecretShare, Self::Commitment)>,
+        Self::Commitment: Add<Self::Commitment, Output = Self::Commitment>,
+        Self::SecretShare: Add<Self::SecretShare, Output = Self::SecretShare>,
+    {
+        dealings
+            .reduce(|(acc_share, acc_comm), (share, comm)| (acc_share + share, acc_comm + comm))
+            .ok_or(VssError::EmptyAggInput)
+    }
 }
 
 /// Publicly verifiable key resharing scheme for a VSS where existing share holders of a Shamir
@@ -116,6 +133,8 @@ pub enum VssError {
     FailedReconstruction(String),
     #[error("internal err: {0}")]
     InternalError(String),
+    #[error("aggregation input is empty")]
+    EmptyAggInput,
 
     #[error("reshare data is empty")]
     EmptyReshare,

timeboost-sequencer/Cargo.toml

@@ -24,11 +24,11 @@ serde = { workspace = true }
 thiserror = { workspace = true }
 timeboost-crypto = { path = "../timeboost-crypto" }
 timeboost-types = { path = "../timeboost-types" }
+timeboost-utils = { path = "../timeboost-utils" }
 tokio = { workspace = true }
 tracing = { workspace = true }
 
 [dev-dependencies]
 ark-std = { workspace = true }
 bs58 = { workspace = true }
 portpicker = { workspace = true }
-timeboost-utils = { path = "../timeboost-utils" }

timeboost-sequencer/src/decrypt.rs

@@ -21,6 +21,7 @@ use timeboost_crypto::{DecryptionScheme, Plaintext};
 use timeboost_types::{
     DecryptionKey, DkgAccumulator, DkgBundle, DkgKeyStore, InclusionList, Subset,
 };
+use timeboost_utils::ResultIter;
 use tokio::spawn;
 use tokio::sync::mpsc::{Receiver, Sender, channel};
 use tokio::task::JoinHandle;
@@ -663,24 +664,23 @@ impl Worker {
                 // TODO: centralize these constant, redeclared in DkgAccumulator.try_add()
                 let aad: &[u8; 3] = b"dkg";
                 let vess = ShoupVess::new_fast_from(committee);
-                let (shares, commitments) = subset
-                    .bundles()
-                    .iter()
-                    .map(|b| {
-                        vess.decrypt_share(&self.dkg_sk, b.vess_ct(), aad)
-                            .map(|s| (s, b.comm().clone()))
-                            .map_err(|e| DecrypterError::Dkg(e.to_string()))
-                    })
-                    .collect::<Result<(Vec<_>, Vec<_>)>>()?;
+                let mut dealings_iter = ResultIter::new(subset.bundles().iter().map(|b| {
+                    vess.decrypt_share(&self.dkg_sk, b.vess_ct(), aad)
+                        .map(|s| (s, b.comm().clone()))
+                }));
 
                 let dec_sk = DecryptionKey::from_dkg(
                     committee.size().into(),
                     self.dkg_sk.node_idx(),
-                    &commitments,
-                    &shares,
+                    &mut dealings_iter,
                 )
                 .map_err(|e| DecrypterError::Dkg(e.to_string()))?;
 
+                // in case of early-return of ResultIter
+                dealings_iter
+                    .result()
+                    .map_err(|e| DecrypterError::Dkg(e.to_string()))?;
+
                 self.enc_key.set(dec_sk.pubkey().clone());
                 self.dkg_state = DkgState::Completed(dec_sk);
                 info!(committee_id = %committee.id(), node = %self.label, "DKG finished (node successfully recovered)");
@@ -771,24 +771,23 @@ impl Worker {
                 // TODO:(alex) centralize these constant, redeclared in DkgAccumulator.try_add()
                 let aad: &[u8; 3] = b"dkg";
                 let vess = ShoupVess::new_fast_from(committee);
-                let (shares, commitments) = subset
-                    .bundles()
-                    .iter()
-                    .map(|b| {
-                        vess.decrypt_share(&self.dkg_sk, b.vess_ct(), aad)
-                            .map(|s| (s, b.comm().clone()))
-                            .map_err(|e| DecrypterError::Dkg(e.to_string()))
-                    })
-                    .collect::<Result<(Vec<_>, Vec<_>)>>()?;
+                let mut dealings_iter = ResultIter::new(subset.bundles().iter().map(|b| {
+                    vess.decrypt_share(&self.dkg_sk, b.vess_ct(), aad)
+                        .map(|s| (s, b.comm().clone()))
+                }));
 
                 let dec_sk = DecryptionKey::from_dkg(
                     committee.size().into(),
                     self.dkg_sk.node_idx(),
-                    &commitments,
-                    &shares,
+                    &mut dealings_iter,
                 )
                 .map_err(|e| DecrypterError::Dkg(e.to_string()))?;
 
+                // in case of early-return of ResultIter
+                dealings_iter
+                    .result()
+                    .map_err(|e| DecrypterError::Dkg(e.to_string()))?;
+
                 self.enc_key.set(dec_sk.pubkey().clone());
                 self.dkg_state = DkgState::Completed(dec_sk);
                 info!(committee_id = %committee.id(), node = %self.label, "DKG finished");
@@ -1419,8 +1418,12 @@ mod tests {
             .iter()
             .enumerate()
             .map(|(node_idx, shares)| {
-                super::DecryptionKey::from_dkg(COMMITTEE_SIZE, node_idx, &commitments, shares)
-                    .expect("threshold key derivation should succeed")
+                super::DecryptionKey::from_dkg(
+                    COMMITTEE_SIZE,
+                    node_idx,
+                    shares.iter().cloned().zip(commitments.iter().cloned()),
+                )
+                .expect("threshold key derivation should succeed")
             })
             .collect();
         tracing::info!(

timeboost-types/src/decryption.rs

@@ -1,10 +1,9 @@
-use std::collections::{BTreeMap, btree_map};
-
 use anyhow::anyhow;
 use ark_ec::AffineRepr;
 use multisig::{Committee, CommitteeId, KeyId};
 use rayon::prelude::*;
 use serde::{Deserialize, Serialize};
+use std::collections::{BTreeMap, btree_map};
 use timeboost_crypto::{
     DecryptionScheme,
     prelude::{DkgEncKey, Vess, Vss},
@@ -43,38 +42,34 @@ impl DecryptionKey {
     /// # Parameters
     /// - `committee_size`: size of the threshold committee
     /// - `node_idx`: in 0..committee_size, currently same as KeyId
-    /// - `commitments`: the Feldman Commitments: multiple output of `ShoupVess::encrypted_shares()`
-    /// - `key_shares`: multiple decrypted secret shares from `ShoupVess::decrypt_share()`
-    pub fn from_dkg(
+    /// - `dealings`: ResultIter containing decrypted shares and commitments
+    pub fn from_dkg<I>(
         committee_size: usize,
         node_idx: usize,
-        commitments: &[<Vss as VerifiableSecretSharing>::Commitment],
-        key_shares: &[<Vss as VerifiableSecretSharing>::SecretShare],
-    ) -> anyhow::Result<Self> {
-        anyhow::ensure!(
-            commitments.len() == key_shares.len(),
-            "mismatched input length"
-        );
-
-        // aggregate selected dealings/contributions
-        let agg_comm = commitments
-            .par_iter()
-            .cloned()
-            .reduce_with(|a, b| a + &b)
-            .ok_or_else(|| anyhow!("no commitments provided"))?;
-        let agg_key_share = key_shares.iter().sum();
+        mut dealings: I,
+    ) -> anyhow::Result<Self>
+    where
+        I: Iterator<
+            Item = (
+                <Vss as VerifiableSecretSharing>::SecretShare,
+                <Vss as VerifiableSecretSharing>::Commitment,
+            ),
+        >,
+    {
+        // aggregate selected dealings
+        let (agg_key_share, agg_comm) = Vss::aggregate(&mut dealings)?;
 
         // derive key material
-        Self::from_single_dkg(committee_size, node_idx, &agg_comm, agg_key_share)
+        Self::from_single_dkg(committee_size, node_idx, agg_key_share, &agg_comm)
     }
 
     /// inner routine to construct from a single (aggregated or interpolated) DKG output,
     /// shared in both DKG and resharing logic.
     fn from_single_dkg(
         committee_size: usize,
         node_idx: usize,
-        commitment: &<Vss as VerifiableSecretSharing>::Commitment,
         key_share: <Vss as VerifiableSecretSharing>::SecretShare,
+        commitment: &<Vss as VerifiableSecretSharing>::Commitment,
     ) -> anyhow::Result<Self> {
         // note: all .into() are made available via derive_more::From on those structs
         let pk: PublicKey = commitment

timeboost-utils/src/lib.rs

@@ -61,3 +61,67 @@ pub fn select_peer_hosts(
         Box::new(keyset.iter().take(keyset.len())) as Box<dyn Iterator<Item = _>>
     }
 }
+
+/// Wrapper iterator that bridges type conversion
+/// from Iterator<Item = Result<T, E>> to Iterator<Item = T>
+/// while early-returning an Err(E) if any item is an Err, without collecting or allocating memory.
+///
+/// # Usage
+/// ```no_run
+/// fn use_result_iter<I, T, E>(iter: I) -> Result<(), E>
+/// where
+///     I: Iterator<Item = Result<T, E>>,
+/// {
+///     let mut result_iter = ResultIter::new(iter);
+///     for _ in &mut result_iter {
+///         // use item
+///     }
+///     result_iter.result()
+/// }
+/// ```
+pub struct ResultIter<I, T, E>
+where
+    I: Iterator<Item = Result<T, E>>,
+{
+    iter: I,
+    error: Option<E>,
+}
+
+impl<I, T, E> ResultIter<I, T, E>
+where
+    I: Iterator<Item = Result<T, E>>,
+{
+    /// construct a new ResultIter
+    pub fn new(iter: I) -> Self {
+        Self { iter, error: None }
+    }
+
+    /// Get the early-return result
+    pub fn result(self) -> Result<(), E> {
+        match self.error {
+            Some(e) => Err(e),
+            None => Ok(()),
+        }
+    }
+}
+
+impl<I, T, E> Iterator for ResultIter<I, T, E>
+where
+    I: Iterator<Item = Result<T, E>>,
+{
+    type Item = T;
+
+    fn next(&mut self) -> Option<Self::Item> {
+        if self.error.is_some() {
+            return None;
+        }
+        match self.iter.next() {
+            Some(Ok(v)) => Some(v),
+            Some(Err(e)) => {
+                self.error = Some(e);
+                None
+            }
+            None => None,
+        }
+    }
+}