Merge pull request #392 from EspressoSystems/ax/vess

feat: VESS implementation

Author: alxiong

Cargo.toml

@@ -10,11 +10,11 @@ members = [
     "tests",
     "timeboost",
     "timeboost-builder",
-    "timeboost-sequencer",
     "timeboost-crypto",
+    "timeboost-proto",
+    "timeboost-sequencer",
     "timeboost-types",
     "timeboost-utils",
-    "timeboost-proto",
     "yapper",
 ]
 resolver = "2"
@@ -24,11 +24,6 @@ version = "0.1.0"
 edition = "2024"
 rust-version = "1.85.0"
 
-[profile.test]
-codegen-units = 16
-incremental = false
-opt-level = 3
-
 [workspace.dependencies]
 aes-gcm = { version = "0.10.3" }
 alloy-chains = "0.2.0"
@@ -41,12 +36,12 @@ alloy-signer-local = "1.0.5"
 anyhow = "1.0.89"
 arbitrary = "1.4.1"
 arbtest = "0.3.2"
+ark-bls12-381 = "0.5"
 ark-bn254 = "0.5"
 ark-ec = "0.5"
 ark-ff = "0.5"
 ark-poly = "0.5"
 ark-secp256k1 = "0.5"
-ark-bls12-381 = "0.5"
 ark-serialize = { version = "0.5", features = ["derive"] }
 ark-std = { version = "0.5", default-features = false }
 arrayvec = "0.7.6"
@@ -81,21 +76,21 @@ prost = "0.13.5"
 quickcheck = "1.0.3"
 rand = "0.9"
 rayon = "1.10"
-secp256k1 = { version = "0.31.0", features = ["global-context", "hashes", "rand", "serde"] }
 reqwest = { version = "0.12" }
+secp256k1 = { version = "0.31.0", features = ["global-context", "hashes", "rand", "serde"] }
 serde = { version = "1", features = ["derive", "rc"] }
 serde_bytes = "0.11.15"
 serde_json = { version = "1.0" }
 serde_with = "3.12.0"
 sha2 = { version = "0.10", default-features = false }
 sha3 = "0.10.8"
+smallvec = "1.15.1"
 snow = "0.9.6"
 spongefish = { git = "https://github.com/arkworks-rs/spongefish.git", rev = "e9f7031", features = [
     "arkworks-algebra",
 ] }
 thiserror = "2.0"
 tide-disco = "0.9.3"
-smallvec = "1.15.1"
 tokio = { version = "1", default-features = false, features = ["full"] }
 tokio-stream = "0.1.17"
 tokio-util = "0.7.15"
@@ -107,3 +102,8 @@ tracing-subscriber = { version = "0.3.18", features = ["env-filter", "json"] }
 turmoil = "0.6.4"
 vbs = "0.1"
 zeroize = { version = "1.8", features = ["zeroize_derive"] }
+
+[profile.test]
+codegen-units = 16
+incremental = false
+opt-level = 3

tests/Cargo.toml

@@ -28,5 +28,5 @@ timeboost-utils = { path = "../timeboost-utils", features = ["test"] }
 tokio = { workspace = true }
 tokio-stream = { workspace = true }
 tokio-util = { workspace = true }
-turmoil = { workspace = true }
 tracing = { workspace = true }
+turmoil = { workspace = true }

timeboost-builder/Cargo.toml

@@ -7,16 +7,16 @@ rust-version.workspace = true
 
 [dependencies]
 bincode = { workspace = true }
-committable = { workspace = true }
 bon = { workspace = true }
 bytes = { workspace = true }
 cliquenet = { path = "../cliquenet" }
+committable = { workspace = true }
 metrics = { path = "../metrics" }
 multisig = { path = "../multisig" }
 serde = { workspace = true }
+smallvec = { workspace = true }
 thiserror = { workspace = true }
 timeboost-proto = { path = "../timeboost-proto" }
 timeboost-types = { path = "../timeboost-types" }
-smallvec = { workspace = true }
 tokio = { workspace = true }
 tracing = { workspace = true }

timeboost-crypto/Cargo.toml

@@ -9,8 +9,8 @@ rust-version.workspace = true
 aes-gcm = { workspace = true }
 alloy-rlp = { workspace = true }
 anyhow = { workspace = true }
-ark-ec = { workspace = true }
 ark-bls12-381 = { workspace = true }
+ark-ec = { workspace = true }
 ark-ff = { workspace = true }
 ark-poly = { workspace = true }
 ark-serialize = { workspace = true }
@@ -22,6 +22,10 @@ committable = { workspace = true }
 digest = { workspace = true }
 generic-array = { workspace = true }
 multisig = { path = "../multisig" }
+num-integer = "0.1"
+# sadly, ark_std depends on [email protected], while [email protected] depends on [email protected]
+rand_chacha = "0.3.1"
+rayon = { workspace = true }
 serde = { workspace = true }
 serde_with = { workspace = true }
 sha2 = { workspace = true }
@@ -30,8 +34,8 @@ thiserror = { workspace = true }
 zeroize = { workspace = true }
 
 [dev-dependencies]
-ark-secp256k1 = { workspace = true }
 ark-bn254 = { workspace = true }
+ark-secp256k1 = { workspace = true }
 criterion = { workspace = true }
 
 [[bench]]

timeboost-crypto/src/feldman.rs

@@ -2,6 +2,7 @@
 
 use ark_ec::CurveGroup;
 use ark_poly::{DenseUVPolynomial, Polynomial, univariate::DensePolynomial};
+use ark_serialize::serialize_to_vec;
 use ark_std::marker::PhantomData;
 use ark_std::rand::Rng;
 use std::{iter::successors, num::NonZeroU32};
@@ -29,6 +30,44 @@ impl FeldmanVssPublicParam {
     }
 }
 
+impl<C: CurveGroup> FeldmanVss<C> {
+    /// sample a random polynomial for VSS `secret`, returns the poly and its feldman commitment
+    pub(crate) fn rand_poly_and_commit<R: Rng>(
+        pp: &FeldmanVssPublicParam,
+        secret: C::ScalarField,
+        rng: &mut R,
+    ) -> (DensePolynomial<C::ScalarField>, Vec<C::Affine>) {
+        // sample random polynomial of degree t-1 (s.t. any t evaluations can interpolate this poly)
+        // f(X) = Sum a_i * X^i
+        let mut poly = DensePolynomial::<C::ScalarField>::rand(pp.t.get() as usize - 1, rng);
+        // f(0) = a_0 set to the secret, this index access will never panic since t>0
+        poly.coeffs[0] = secret;
+
+        // prepare commitment, u = (g^a_0, g^a_1, ..., g^a_t-1)
+        let commitment = C::generator().batch_mul(&poly.coeffs);
+
+        (poly, commitment)
+    }
+
+    /// given a secret-embedded polynomial, compute the Shamir secret shares
+    /// node i \in {0,.. ,n-1} get f(i+1)
+    pub(crate) fn compute_shares(
+        pp: &FeldmanVssPublicParam,
+        poly: &DensePolynomial<C::ScalarField>,
+    ) -> impl Iterator<Item = C::ScalarField> {
+        (0..pp.n.get()).map(|node_idx| poly.evaluate(&(node_idx + 1).into()))
+    }
+
+    /// same as [`Self::compute_shares()`], but output an iterator of bytes
+    pub(crate) fn compute_serialized_shares(
+        pp: &FeldmanVssPublicParam,
+        poly: &DensePolynomial<C::ScalarField>,
+    ) -> impl Iterator<Item = Vec<u8>> {
+        Self::compute_shares(pp, poly)
+            .map(|s| serialize_to_vec![s].expect("ark_serialize valid shares never panic"))
+    }
+}
+
 impl<C: CurveGroup> VerifiableSecretSharing for FeldmanVss<C> {
     type PublicParam = FeldmanVssPublicParam;
     type Secret = C::ScalarField;
@@ -40,29 +79,17 @@ impl<C: CurveGroup> VerifiableSecretSharing for FeldmanVss<C> {
         rng: &mut R,
         secret: Self::Secret,
     ) -> (Vec<Self::SecretShare>, Self::Commitment) {
-        // sample random polynomial of degree t-1 (s.t. any t evaluations can interpolate this poly)
-        // f(X) = Sum a_i * X^i
-        let mut poly = DensePolynomial::<Self::Secret>::rand(pp.t.get() as usize - 1, rng);
-        // f(0) = a_0 set to the secret, this index access will never panic since t>0
-        poly.coeffs[0] = secret;
-
-        // prepare shares, node i \in {0,.. ,n-1} get f(i+1)
-        let shares: Vec<Self::SecretShare> = (0..pp.n.get())
-            .map(|node_idx| poly.evaluate(&(node_idx + 1).into()))
-            .collect();
-
-        // prepare commitment, u = (g^a_0, g^a_1, ..., g^a_t-1)
-        let commitment = C::generator().batch_mul(&poly.coeffs);
-
-        (shares, commitment)
+        let (poly, comm) = Self::rand_poly_and_commit(pp, secret, rng);
+        let shares = Self::compute_shares(pp, &poly).collect();
+        (shares, comm)
     }
 
     fn verify(
         pp: &Self::PublicParam,
         node_idx: usize,
         share: &Self::SecretShare,
         commitment: &Self::Commitment,
-    ) -> Result<bool, VssError> {
+    ) -> Result<(), VssError> {
         let n = pp.n.get() as usize;
         let t = pp.t.get() as usize;
 
@@ -86,7 +113,11 @@ impl<C: CurveGroup> VerifiableSecretSharing for FeldmanVss<C> {
             VssError::InternalError("commitments and powers mismatched length".to_string())
         })?;
 
-        Ok(C::generator().mul(share) == eval_in_exp)
+        if C::generator().mul(share) == eval_in_exp {
+            Ok(())
+        } else {
+            Err(VssError::FailedVerification)
+        }
     }
 
     fn reconstruct(
@@ -140,29 +171,27 @@ mod tests {
             let (shares, commitment) = FeldmanVss::<C>::share(&pp, rng, secret);
             for (node_idx, s) in shares.iter().enumerate() {
                 // happy path
-                assert!(FeldmanVss::<C>::verify(&pp, node_idx, s, &commitment).unwrap());
+                assert!(FeldmanVss::<C>::verify(&pp, node_idx, s, &commitment).is_ok());
 
                 // sad path
                 // wrong node_idx should fail
-                assert!(
-                    !FeldmanVss::<C>::verify(&pp, node_idx + 1, s, &commitment).unwrap_or(false)
-                );
+                assert!(FeldmanVss::<C>::verify(&pp, node_idx + 1, s, &commitment).is_err());
 
                 // wrong secret share should fail
                 assert!(
-                    !FeldmanVss::<C>::verify(
+                    FeldmanVss::<C>::verify(
                         &pp,
                         node_idx,
                         &C::ScalarField::rand(rng),
                         &commitment,
                     )
-                    .unwrap()
+                    .is_err()
                 );
 
                 // wrong commitment should fail
                 let mut bad_comm = commitment.clone();
                 bad_comm[1] = C::Affine::default();
-                assert!(!FeldmanVss::<C>::verify(&pp, node_idx, s, &bad_comm).unwrap());
+                assert!(FeldmanVss::<C>::verify(&pp, node_idx, s, &bad_comm).is_err());
 
                 // incomplete/dropped commitment should fail
                 bad_comm.pop();

timeboost-crypto/src/mre.rs

@@ -121,13 +121,18 @@ impl<C: CurveGroup> LabeledDecryptionKey<C> {
     }
 }
 
+use crate::try_from_bytes;
+
 /// Ciphertext for multiple recipients in MRE scheme
+#[serde_as]
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(bound = "H: Digest")]
 pub struct MultiRecvCiphertext<C: CurveGroup, H: Digest = sha2::Sha256> {
     // the shared ephemeral public key (v:=g^beta in the paper)
-    epk: C::Affine,
+    #[serde_as(as = "crate::SerdeAs")]
+    pub(crate) epk: C::Affine,
     // individual ciphertexts (e_i in the paper)
-    cts: Vec<Output<H>>,
+    pub(crate) cts: Vec<Output<H>>,
 }
 
 impl<C: CurveGroup, H: Digest> MultiRecvCiphertext<C, H> {
@@ -138,6 +143,15 @@ impl<C: CurveGroup, H: Digest> MultiRecvCiphertext<C, H> {
             ct: ct.clone(),
         })
     }
+
+    pub fn to_bytes(&self) -> Vec<u8> {
+        bincode::serde::encode_to_vec(self, bincode::config::standard())
+            .expect("serializing mre ciphertext")
+    }
+
+    pub fn try_from_bytes<const N: usize>(value: &[u8]) -> Result<Self, SerializationError> {
+        try_from_bytes::<Self, N>(value)
+    }
 }
 
 /// (Part of) [`MultiRecvCiphertext`] for a specific recipient.

timeboost-crypto/src/traits/dkg.rs

@@ -26,6 +26,7 @@ pub trait VerifiableSecretSharing {
     fn share<R: Rng>(
         pp: &Self::PublicParam,
         rng: &mut R,
+        // TODO(alex): consider accept Zeroizing<Self::Secret> instead
         secret: Self::Secret,
     ) -> (Vec<Self::SecretShare>, Self::Commitment);
 
@@ -35,13 +36,13 @@ pub trait VerifiableSecretSharing {
     /// - `share`: the secret share to verify
     /// - `commitment`: the global commitment (if any)
     ///
-    /// Returns Ok(true) if valid, Ok(false) if invalid, or an appropriate `VssError` otherwise.
+    /// Returns Ok(()) if valid, or an appropriate `VssError` otherwise.
     fn verify(
         pp: &Self::PublicParam,
         node_idx: usize,
         share: &Self::SecretShare,
         commitment: &Self::Commitment,
-    ) -> Result<bool, VssError>;
+    ) -> Result<(), VssError>;
 
     /// Reconstructs the original secret from a set of (index, share) pairs.
     ///
@@ -65,6 +66,8 @@ pub enum VssError {
     InvalidShare(usize, String),
     #[error("invalid VSS commitment")]
     InvalidCommitment,
+    #[error("failed verification: share does not match commitment")]
+    FailedVerification,
     #[error("failed to reconstruct: {0}")]
     FailedReconstruction(String),
     #[error("internal err: {0}")]