Merge pull request #229 from nickfarrow/certpedpop-cleanup

Prepare certpedpop for use

Author: LLFourn

schnorr_fun/Cargo.toml

@@ -18,7 +18,7 @@ secp256kfun = { path = "../secp256kfun", version = "0.11",  default-features = f
 bech32 = { version = "0.11", optional = true, default-features = false, features = ["alloc"] }
 bincode = { workspace =  true, optional = true }
 vrf_fun = { path = "../vrf_fun", version = "0.11", optional = true, default-features = false }
-sha2 = { version = "0.10", optional = true }
+sha2 = { version = "0.10", optional = true, default-features = false }
 
 [dev-dependencies]
 secp256kfun = { path = "../secp256kfun", version = "0.11",  features = ["proptest", "bincode", "alloc"] }
@@ -40,18 +40,18 @@ required-features = ["libsecp_compat"]
 
 [features]
 default = ["std"]
-alloc = ["secp256kfun/alloc" ]
-std = ["alloc", "secp256kfun/std"]
-bincode = [ "dep:bincode", "secp256kfun/bincode"]
-serde = ["secp256kfun/serde"]
+alloc = ["secp256kfun/alloc"]
+std = ["alloc", "secp256kfun/std", "vrf_fun?/std"]
+bincode = [ "dep:bincode", "secp256kfun/bincode", "vrf_fun?/bincode"]
+serde = ["secp256kfun/serde", "vrf_fun?/serde"]
 libsecp_compat = ["libsecp_compat_0_30", "secp256kfun/libsecp_compat"]
 libsecp_compat_0_27 = ["secp256kfun/libsecp_compat_0_27"]
 libsecp_compat_0_28 = ["secp256kfun/libsecp_compat_0_28"]
 libsecp_compat_0_29 = ["secp256kfun/libsecp_compat_0_29"]
 libsecp_compat_0_30 = ["secp256kfun/libsecp_compat_0_30"]
 proptest = ["secp256kfun/proptest"]
 share_backup = ["dep:bech32"]
-vrf_cert_keygen = ["dep:vrf_fun", "dep:sha2", "alloc", "secp256kfun/std", "vrf_fun/std"]
+vrf_cert_keygen = ["dep:vrf_fun", "dep:sha2"]
 
 [package.metadata.docs.rs]
 all-features = true

schnorr_fun/src/frost/chilldkg/certpedpop.rs

@@ -21,7 +21,7 @@ use secp256kfun::{KeyPair, hash::Hash32, nonce::NonceGen, prelude::*, rand_core}
 /// certifying the aggregated keygen input in certpedpop.
 pub trait CertificationScheme {
     /// The signature type produced by this scheme
-    type Signature: Clone + core::fmt::Debug;
+    type Signature: Clone + core::fmt::Debug + PartialEq;
 
     /// The output produced by successful verification
     type Output: Clone + core::fmt::Debug;
@@ -74,10 +74,11 @@ pub mod vrf_cert {
     use vrf_fun::VrfProof;
 
     /// VRF certification scheme using SSWU VRF
+    #[derive(Clone, Debug, PartialEq)]
     pub struct VrfCertifier;
 
     /// The output from VRF verification containing the gamma point
-    #[derive(Clone, Debug)]
+    #[derive(Clone, Debug, PartialEq)]
     pub struct VrfOutput {
         /// The VRF output point (gamma)
         pub gamma: Point,
@@ -118,6 +119,7 @@ pub mod vrf_cert {
 /// A party that generates secret input to the key generation. You need at least one of these
 /// and if at least one of these parties is honest then the final secret key will not be known by an
 /// attacker (unless they obtain `t` shares!).
+#[derive(Clone, Debug, PartialEq)]
 pub struct Contributor {
     inner: encpedpop::Contributor,
 }
@@ -128,7 +130,13 @@ pub type KeygenInput = encpedpop::KeygenInput;
 /// Key generation inputs after being aggregated by the coordinator
 pub type AggKeygenInput = encpedpop::AggKeygenInput;
 /// A certificate containing signatures or proofs from certifying parties
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
+#[cfg_attr(feature = "bincode", derive(bincode::Encode, bincode::Decode))]
+#[cfg_attr(
+    feature = "serde",
+    derive(crate::fun::serde::Deserialize, crate::fun::serde::Serialize),
+    serde(crate = "crate::fun::serde")
+)]
 pub struct Certificate<Sig>(BTreeMap<Point, Sig>);
 
 /// A certificate containing signatures or proofs from certifying parties
@@ -138,14 +146,17 @@ impl<Sig> Default for Certificate<Sig> {
     }
 }
 
-impl<Sig> Certificate<Sig> {
+impl<Sig: PartialEq + core::fmt::Debug> Certificate<Sig> {
     /// Create a new empty certificate
     pub fn new() -> Self {
         Self::default()
     }
 
     /// Insert a signature/proof for a public key
     pub fn insert(&mut self, key: Point, sig: Sig) {
+        if let Some(existing) = self.0.get(&key) {
+            assert_eq!(existing, &sig, "certification should not change");
+        }
         self.0.insert(key, sig);
     }
 
@@ -158,6 +169,17 @@ impl<Sig> Certificate<Sig> {
     pub fn iter(&self) -> impl Iterator<Item = (&Point, &Sig)> {
         self.0.iter()
     }
+
+    /// The number of certificates stored
+    pub fn len(&self) -> usize {
+        self.0.len()
+    }
+
+    /// Have any certificates been collected
+    pub fn is_empty(&self) -> bool {
+        // clippy::len_without_is_empty wanted this method
+        self.0.is_empty()
+    }
 }
 
 impl Contributor {
@@ -203,12 +225,14 @@ impl Contributor {
 }
 
 /// A key generation session that has been certified by each certifying party (contributors and share receivers).
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
 pub struct CertifiedKeygen<S: CertificationScheme> {
-    input: AggKeygenInput,
-    certificate: Certificate<S::Signature>,
+    /// The aggregated inputs to keygen
+    pub input: AggKeygenInput,
+    /// The collected certificates from each party
+    pub certificate: Certificate<S::Signature>,
     /// The outputs from successful verification, indexed by certifying party's public key
-    outputs: BTreeMap<Point, S::Output>,
+    pub outputs: BTreeMap<Point, S::Output>,
 }
 
 impl<S: CertificationScheme> CertifiedKeygen<S> {
@@ -296,6 +320,7 @@ pub use encpedpop::Coordinator;
 
 /// Stores the state of share recipient who first receives their share and then waits to get
 /// signatures from all the certifying parties on the keygeneration before accepting it.
+#[derive(Debug, Clone, PartialEq)]
 pub struct SecretShareReceiver {
     paired_secret_share: PairedSecretShare<Normal, Zero>,
     agg_input: AggKeygenInput,
@@ -344,7 +369,9 @@ impl SecretShareReceiver {
             .agg_input
             .encryption_keys()
             .map(|(_, encryption_key)| encryption_key)
-            .chain(contributor_keys.iter().cloned());
+            .chain(contributor_keys.iter().cloned())
+            .collect::<BTreeSet<_>>(); // dedupe as some contributers may have also be receivers
+
         for cert_key in cert_keys {
             match certificate.get(&cert_key) {
                 Some(sig) => match cert_scheme.verify_cert(cert_key, &self.agg_input, sig) {
@@ -378,38 +405,47 @@ pub fn simulate_keygen<H: Hash32, NG: NonceGen, S: CertificationScheme>(
     cert_scheme: &S,
     threshold: u32,
     n_receivers: u32,
-    n_generators: u32,
+    n_extra_generators: u32,
     fingerprint: Fingerprint,
     rng: &mut impl rand_core::RngCore,
 ) -> (
     CertifiedKeygen<S>,
     Vec<(PairedSecretShare<Normal>, KeyPair)>,
 ) {
-    let share_receivers = (1..=n_receivers)
-        .map(|i| Scalar::from(i).non_zero().unwrap())
-        .collect::<BTreeSet<_>>();
-
-    let mut receiver_enckeys = share_receivers
-        .iter()
-        .cloned()
-        .map(|party_index| (party_index, KeyPair::new(Scalar::random(rng))))
+    let mut receiver_enckeys = (1..=n_receivers)
+        .map(|i| {
+            let party_index = Scalar::from(i).non_zero().unwrap();
+            (party_index, KeyPair::new(Scalar::random(rng)))
+        })
         .collect::<BTreeMap<_, _>>();
 
     let public_receiver_enckeys = receiver_enckeys
         .iter()
         .map(|(party_index, enckeypair)| (*party_index, enckeypair.public_key()))
         .collect::<BTreeMap<ShareIndex, Point>>();
 
+    // Total number of generators is receivers + extra generators
+    let n_generators = n_receivers + n_extra_generators;
+
+    // Generate keypairs for contributors - receivers will use their existing keypairs
+    let contributor_keys: Vec<_> = (1..=n_receivers)
+        .map(|i| {
+            let party_index = Scalar::from(i).non_zero().unwrap();
+            receiver_enckeys[&party_index]
+        })
+        .chain(core::iter::repeat_n(
+            KeyPair::new(Scalar::random(rng)),
+            n_extra_generators as _,
+        ))
+        .collect();
+
     let (contributors, to_coordinator_messages): (Vec<Contributor>, Vec<KeygenInput>) = (0
         ..n_generators)
         .map(|i| {
             Contributor::gen_keygen_input(schnorr, threshold, &public_receiver_enckeys, i, rng)
         })
         .unzip();
 
-    let contributor_keys = (0..n_generators)
-        .map(|_| KeyPair::new(Scalar::random(rng)))
-        .collect::<Vec<_>>();
     let contributor_public_keys = contributor_keys
         .iter()
         .map(|kp| kp.public_key())
@@ -526,7 +562,7 @@ mod test {
         #[test]
         fn certified_run_simulate_keygen(
             (n_receivers, threshold) in (1u32..=4).prop_flat_map(|n| (Just(n), 1u32..=n)),
-            n_generators in 1u32..5,
+            n_extra_generators in 0u32..=3,
         ) {
             let schnorr = crate::new_with_deterministic_nonces::<sha2::Sha256>();
             let mut rng = TestRng::deterministic_rng(RngAlgorithm::ChaCha);
@@ -536,7 +572,7 @@ mod test {
                 &schnorr,
                 threshold,
                 n_receivers,
-                n_generators,
+                n_extra_generators,
                 Fingerprint::none(),
                 &mut rng
             );
@@ -559,14 +595,14 @@ mod test {
 
         let threshold = 2;
         let n_receivers = 3;
-        let n_generators = 2;
+        let n_extra_generators = 0; // All receivers are also generators
 
         let (certified_keygen, _) = certpedpop::simulate_keygen(
             &schnorr,
             &vrf_certifier,
             threshold,
             n_receivers,
-            n_generators,
+            n_extra_generators,
             Fingerprint::none(),
             &mut rng,
         );
@@ -581,7 +617,7 @@ mod test {
         // Verify we have the expected number of VRF outputs
         assert_eq!(
             certified_keygen.outputs().len(),
-            (n_receivers + n_generators) as usize
+            (n_receivers + n_extra_generators) as usize
         );
     }
 }

vrf_fun/src/vrf.rs

@@ -1,6 +1,5 @@
 //! Generic VRF implementation that can work with different transcript types
 
-use core::marker::PhantomData;
 use secp256kfun::{KeyPair, Scalar, prelude::*};
 use sigma_fun::{
     CompactProof, FiatShamir, ProverTranscript, Transcript,
@@ -11,16 +10,27 @@ use sigma_fun::{
 };
 
 /// VRF proof structure
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
 #[cfg_attr(
     feature = "serde",
     derive(serde::Serialize, serde::Deserialize),
-    serde(bound(serialize = "", deserialize = ""))
+    serde(bound(
+        deserialize = "L: ArrayLength<u8>, CompactProof<Scalar<Public, Zero>, L>: serde::Deserialize<'de>",
+        serialize = "L: ArrayLength<u8>, CompactProof<Scalar<Public, Zero>, L>: serde::Serialize",
+    ))
+)]
+#[cfg_attr(
+    feature = "bincode",
+    derive(bincode::Encode, bincode::Decode),
+    bincode(
+        encode_bounds = "L: ArrayLength<u8>, CompactProof<Scalar<Public, Zero>, L>: bincode::Encode",
+        decode_bounds = "L: ArrayLength<u8>, CompactProof<Scalar<Public, Zero>, L>: bincode::Decode<__Context>",
+        borrow_decode_bounds = "L: ArrayLength<u8>, CompactProof<Scalar<Public, Zero>, L>: bincode::BorrowDecode<'__de, __Context>"
+    )
 )]
 pub struct VrfProof<L = U16>
 where
-    L: ArrayLength<u8> + IsLessOrEqual<U32>,
-    <L as IsLessOrEqual<U32>>::Output: NonZero,
+    L: ArrayLength<u8>,
 {
     /// The VRF output point.
     ///
@@ -30,51 +40,16 @@ where
     pub proof: CompactProof<Scalar<Public, Zero>, L>,
 }
 
-#[cfg(feature = "bincode")]
-impl<L> bincode::Encode for VrfProof<L>
-where
-    L: ArrayLength<u8> + IsLessOrEqual<U32>,
-    <L as IsLessOrEqual<U32>>::Output: NonZero,
-{
-    fn encode<E: bincode::enc::Encoder>(
-        &self,
-        encoder: &mut E,
-    ) -> Result<(), bincode::error::EncodeError> {
-        self.gamma.encode(encoder)?;
-        self.proof.encode(encoder)?;
-        Ok(())
-    }
-}
-
-#[cfg(feature = "bincode")]
-impl<L, Context> bincode::Decode<Context> for VrfProof<L>
-where
-    L: ArrayLength<u8> + IsLessOrEqual<U32>,
-    <L as IsLessOrEqual<U32>>::Output: NonZero,
-{
-    fn decode<D: bincode::de::Decoder<Context = Context>>(
-        decoder: &mut D,
-    ) -> Result<Self, bincode::error::DecodeError> {
-        let gamma = Point::decode(decoder)?;
-        let proof = CompactProof::<Scalar<Public, Zero>, L>::decode(decoder)?;
-        Ok(VrfProof { gamma, proof })
-    }
-}
-
 /// Verified random output that ensures gamma has been verified
+#[derive(Debug, Clone)]
 pub struct VerifiedRandomOutput {
     pub gamma: Point,
 }
 
 /// Generic VRF implementation
-pub struct Vrf<T, ChallengeLength = U16>
-where
-    ChallengeLength: ArrayLength<u8> + IsLessOrEqual<U32>,
-    <ChallengeLength as IsLessOrEqual<U32>>::Output: NonZero,
-{
+pub struct Vrf<T, ChallengeLength = U16> {
     dleq: crate::VrfDleq<ChallengeLength>,
     pub transcript: T,
-    _phantom: PhantomData<ChallengeLength>,
 }
 
 impl<T: Clone, ChallengeLength> Vrf<T, ChallengeLength>
@@ -89,7 +64,6 @@ where
         Self {
             dleq: Eq::new(DLG::default(), DL::default()),
             transcript,
-            _phantom: PhantomData,
         }
     }
 }

vrf_fun/tests/codec.rs

@@ -0,0 +1,31 @@
+use secp256kfun::{KeyPair, prelude::*};
+use vrf_fun::VrfProof;
+
+#[cfg(feature = "bincode")]
+#[test]
+fn test_vrf_proof_bincode_roundtrip() {
+    let keypair = KeyPair::new(Scalar::random(&mut rand::thread_rng()));
+    let proof = vrf_fun::rfc9381::sswu::prove::<sha2::Sha256>(&keypair, b"test message");
+
+    let encoded = bincode::encode_to_vec(&proof, bincode::config::standard()).unwrap();
+    let (decoded, _): (VrfProof, _) =
+        bincode::decode_from_slice(&encoded, bincode::config::standard()).unwrap();
+
+    assert_eq!(proof, decoded);
+}
+
+#[cfg(all(feature = "bincode", feature = "serde"))]
+#[test]
+fn test_vrf_proof_serde_roundtrip() {
+    use bincode::serde::Compat;
+
+    let keypair = KeyPair::new(Scalar::random(&mut rand::thread_rng()));
+    let proof = vrf_fun::rfc9381::sswu::prove::<sha2::Sha256>(&keypair, b"test message");
+
+    let compat_proof = Compat(&proof);
+    let encoded = bincode::encode_to_vec(compat_proof, bincode::config::standard()).unwrap();
+    let (decoded, _): (Compat<VrfProof>, _) =
+        bincode::decode_from_slice(&encoded, bincode::config::standard()).unwrap();
+
+    assert_eq!(proof, decoded.0);
+}