daphne: Remove 16-byte VdafVerifyKey variant

This length was required for Prio3 by VDAF-09. However, we only support
variants of Prio3 in VDAF-09 that use the custom XOF, which has a
32-byte key.

Also, once Mastic support is fully implemented, it will also use a
32-byte key.

Author: cjpatton

crates/daphne/src/taskprov.rs

@@ -63,16 +63,14 @@ pub(crate) fn extract_prk_from_verify_key_init(
     Salt::new(HKDF_SHA256, &TASKPROV_SALT).extract(verify_key_init)
 }
 
-impl VdafConfig {
-    fn expand_into_taskprov_verify_key(&self, prk: &Prk, task_id: &TaskId) -> VdafVerifyKey {
-        let mut verify_key = self.uninitialized_verify_key();
-        let info = [task_id.as_ref()];
-        // This expand(), and the associated fill() below can only fail if the length is wrong,
-        // and it won't be, so we unwrap().
-        let okm = prk.expand(&info, verify_key.clone()).unwrap();
-        okm.fill(verify_key.as_mut()).unwrap();
-        verify_key
-    }
+fn expand_into_taskprov_verify_key(prk: &Prk, task_id: &TaskId) -> VdafVerifyKey {
+    let mut verify_key = VdafVerifyKey([0; 32]);
+    let info = [task_id.as_ref()];
+    // This expand(), and the associated fill() below can only fail if the length is wrong,
+    // and it won't be, so we unwrap().
+    let okm = prk.expand(&info, verify_key.clone()).unwrap();
+    okm.fill(verify_key.as_mut()).unwrap();
+    verify_key
 }
 
 /// Compute the VDAF verify key for `task_id` and the specified VDAF type using the
@@ -86,9 +84,8 @@ fn compute_vdaf_verify_key(
     version: DapVersion,
     verify_key_init: &[u8; 32],
     task_id: &TaskId,
-    vdaf_config: &VdafConfig,
 ) -> VdafVerifyKey {
-    vdaf_config.expand_into_taskprov_verify_key(
+    expand_into_taskprov_verify_key(
         &extract_prk_from_verify_key_init(version, verify_key_init),
         task_id,
     )
@@ -313,12 +310,8 @@ impl DapTaskConfigNeedsOptIn {
             version,
             taskprov_advertisement.vdaf_config.var,
         )?;
-        let vdaf_verify_key = compute_vdaf_verify_key(
-            version,
-            taskprov_config.vdaf_verify_key_init,
-            task_id,
-            &vdaf,
-        );
+        let vdaf_verify_key =
+            compute_vdaf_verify_key(version, taskprov_config.vdaf_verify_key_init, task_id);
         Ok(Self {
             version,
             leader_url: url_from_bytes(task_id, &taskprov_advertisement.leader_url.bytes)?,
@@ -465,7 +458,7 @@ mod test {
         messages::{self, TaskId},
         taskprov::{DapTaskConfigNeedsOptIn, OptInParam},
         test_versions,
-        vdaf::{VdafConfig, VdafVerifyKey},
+        vdaf::VdafVerifyKey,
         DapRequestMeta, DapVersion,
     };
 
@@ -536,20 +529,13 @@ mod test {
             0x0f, 0x32, 0xd7, 0xe1, 0xbc, 0x6c, 0x75, 0x10, 0x05, 0x60, 0x7b, 0x81, 0xda, 0xc3,
             0xa7, 0xda, 0x76, 0x1d,
         ];
-        let vk = compute_vdaf_verify_key(
-            version,
-            &verify_key_init,
-            &task_id,
-            &VdafConfig::Prio2 { dimension: 10 },
-        );
+        let VdafVerifyKey(verify_key) =
+            compute_vdaf_verify_key(version, &verify_key_init, &task_id);
         let expected: [u8; 32] = [
             251, 209, 125, 181, 57, 15, 148, 158, 227, 45, 38, 52, 220, 73, 159, 91, 145, 40, 123,
             204, 49, 124, 7, 97, 221, 4, 232, 53, 194, 171, 19, 51,
         ];
-        match &vk {
-            VdafVerifyKey::L32(bytes) => assert_eq!(*bytes, expected),
-            VdafVerifyKey::L16(..) => unreachable!(),
-        }
+        assert_eq!(verify_key, expected);
     }
 
     test_versions! { check_vdaf_key_computation }

crates/daphne/src/vdaf/mastic.rs

@@ -70,17 +70,11 @@ pub(crate) fn mastic_shard(
 pub(crate) fn mastic_prep_init(
     input_size: usize,
     weight_config: MasticWeightConfig,
-    verify_key: &VdafVerifyKey,
+    _verify_key: &VdafVerifyKey,
     agg_param: &DapAggregationParam,
     public_share_bytes: &[u8],
     input_share_bytes: &[u8],
 ) -> Result<(VdafPrepState, VdafPrepShare), VdafError> {
-    let VdafVerifyKey::L16(_verify_key) = verify_key else {
-        return Err(VdafError::Dap(fatal_error!(
-            err = "mastic: unexpected verify key type"
-        )));
-    };
-
     match (weight_config, agg_param) {
         (MasticWeightConfig::Count, DapAggregationParam::Mastic(agg_param)) => {
             // Simulate Mastic, insecurely. The public share encodes the plaintext input; the input

crates/daphne/src/vdaf/mod.rs

@@ -388,38 +388,23 @@ impl std::fmt::Display for Prio3Config {
     any(test, feature = "test-utils"),
     derive(deepsize::DeepSizeOf, PartialEq, Debug)
 )]
-pub enum VdafVerifyKey {
-    /// Prio3 with the standard XOF.
-    L16(#[serde(with = "hex")] [u8; 16]),
-
-    /// Prio2 and Prio3 with `XofHmacSha256Aes128`.
-    L32(#[serde(with = "hex")] [u8; 32]),
-}
+pub struct VdafVerifyKey(#[serde(with = "hex")] pub(crate) [u8; 32]);
 
 impl KeyType for VdafVerifyKey {
     fn len(&self) -> usize {
-        match self {
-            Self::L16(bytes) => bytes.len(),
-            Self::L32(bytes) => bytes.len(),
-        }
+        32
     }
 }
 
 impl AsRef<[u8]> for VdafVerifyKey {
     fn as_ref(&self) -> &[u8] {
-        match self {
-            Self::L16(bytes) => &bytes[..],
-            Self::L32(bytes) => &bytes[..],
-        }
+        &self.0
     }
 }
 
 impl AsMut<[u8]> for VdafVerifyKey {
     fn as_mut(&mut self) -> &mut [u8] {
-        match self {
-            Self::L16(bytes) => &mut bytes[..],
-            Self::L32(bytes) => &mut bytes[..],
-        }
+        &mut self.0
     }
 }
 
@@ -646,39 +631,17 @@ impl Encode for VdafAggregateShare {
 }
 
 impl VdafConfig {
-    pub(crate) fn uninitialized_verify_key(&self) -> VdafVerifyKey {
-        match self {
-            Self::Prio2 { .. } | Self::Prio3(..) => VdafVerifyKey::L32([0; 32]),
-            #[cfg(feature = "experimental")]
-            Self::Mastic { .. } => VdafVerifyKey::L16([0; 16]),
-            Self::Pine(..) => VdafVerifyKey::L32([0; 32]),
-        }
-    }
-
     /// Parse a verification key from raw bytes.
     pub fn get_decoded_verify_key(&self, bytes: &[u8]) -> Result<VdafVerifyKey, CodecError> {
-        match self {
-            Self::Prio2 { .. } | Self::Prio3(..) => Ok(VdafVerifyKey::L32(
-                <[u8; 32]>::try_from(bytes)
-                    .map_err(|e| CodecErrorDraft09::Other(Box::new(e)))
-                    .map_err(upgrade_codec_error)?,
-            )),
-            #[cfg(feature = "experimental")]
-            Self::Mastic { .. } => Ok(VdafVerifyKey::L16(
-                <[u8; 16]>::try_from(bytes).map_err(|e| CodecError::Other(Box::new(e)))?,
-            )),
-            Self::Pine(..) => Ok(VdafVerifyKey::L32(
-                <[u8; 32]>::try_from(bytes)
-                    .map_err(|e| CodecErrorDraft09::Other(Box::new(e)))
-                    .map_err(upgrade_codec_error)?,
-            )),
-        }
+        Ok(VdafVerifyKey(
+            <[u8; 32]>::try_from(bytes).map_err(|_| CodecError::UnexpectedValue)?,
+        ))
     }
 
     /// Generate the Aggregators' shared verification parameters.
     pub fn gen_verify_key(&self) -> VdafVerifyKey {
         let mut rng = thread_rng();
-        let mut verify_key = self.uninitialized_verify_key();
+        let mut verify_key = VdafVerifyKey([0; 32]);
         rng.fill(verify_key.as_mut());
         verify_key
     }

crates/daphne/src/vdaf/pine.rs

@@ -81,14 +81,14 @@ impl PineConfig {
 
     pub(crate) fn prep_init(
         &self,
-        verify_key: &VdafVerifyKey,
+        VdafVerifyKey(verify_key): &VdafVerifyKey,
         agg_id: usize,
         nonce: &[u8; 16],
         public_share_data: &[u8],
         input_share_data: &[u8],
     ) -> Result<(VdafPrepState, VdafPrepShare), VdafError> {
-        match (self, verify_key) {
-            (PineConfig::Field32HmacSha256Aes128 { param }, VdafVerifyKey::L32(verify_key)) => {
+        match self {
+            PineConfig::Field32HmacSha256Aes128 { param } => {
                 let vdaf = pine32_hmac_sha256_aes128(param)?;
                 let (state, share) = prep_init(
                     vdaf,
@@ -103,7 +103,7 @@ impl PineConfig {
                     VdafPrepShare::Pine32HmacSha256Aes128(share),
                 ))
             }
-            (PineConfig::Field64HmacSha256Aes128 { param }, VdafVerifyKey::L32(verify_key)) => {
+            PineConfig::Field64HmacSha256Aes128 { param } => {
                 let vdaf = pine64_hmac_sha256_aes128(param)?;
                 let (state, share) = prep_init(
                     vdaf,
@@ -118,9 +118,6 @@ impl PineConfig {
                     VdafPrepShare::Pine64HmacSha256Aes128(share),
                 ))
             }
-            _ => Err(VdafError::Dap(fatal_error!(
-                err = "unhandled config and verify key combination",
-            ))),
         }
     }
 

crates/daphne/src/vdaf/prio2.rs

@@ -55,18 +55,12 @@ pub(crate) fn prio2_shard(
 /// Consume an input share and return the corresponding prep state and share.
 pub(crate) fn prio2_prep_init(
     dimension: usize,
-    verify_key: &VdafVerifyKey,
+    VdafVerifyKey(verify_key): &VdafVerifyKey,
     agg_id: usize,
     nonce: &[u8; 16],
     public_share_data: &[u8],
     input_share_data: &[u8],
 ) -> Result<(VdafPrepState, VdafPrepShare), VdafError> {
-    let VdafVerifyKey::L32(verify_key) = verify_key else {
-        return Err(VdafError::Dap(fatal_error!(
-            err = "unhandled verify key type"
-        )));
-    };
-
     let vdaf = Prio2::new(dimension).map_err(|e| {
         VdafError::Dap(fatal_error!(err = ?e, "failed to create prio2 from {dimension}"))
     })?;

crates/daphne/src/vdaf/prio3.rs

@@ -111,15 +111,15 @@ impl Prio3Config {
     pub(crate) fn prep_init(
         &self,
         version: DapVersion,
-        verify_key: &VdafVerifyKey,
+        VdafVerifyKey(verify_key): &VdafVerifyKey,
         task_id: TaskId,
         agg_id: usize,
         nonce: &[u8; 16],
         public_share_data: &[u8],
         input_share_data: &[u8],
     ) -> Result<(VdafPrepState, VdafPrepShare), VdafError> {
-        return match (version, self, verify_key) {
-            (DapVersion::Latest, Prio3Config::Count, VdafVerifyKey::L32(verify_key)) => {
+        return match (version, self) {
+            (DapVersion::Latest, Prio3Config::Count) => {
                 let vdaf = Prio3::new_count(2).map_err(|e| {
                     VdafError::Dap(fatal_error!(err = ?e, "initializing {self:?} failed"))
                 })?;
@@ -137,11 +137,7 @@ impl Prio3Config {
                     VdafPrepShare::Prio3Field64(share),
                 ))
             }
-            (
-                DapVersion::Latest,
-                Prio3Config::Sum { max_measurement },
-                VdafVerifyKey::L32(verify_key),
-            ) => {
+            (DapVersion::Latest, Prio3Config::Sum { max_measurement }) => {
                 let vdaf = Prio3::new_sum(2, *max_measurement).map_err(|e| {
                     VdafError::Dap(fatal_error!(err = ?e, "initializing {self:?} failed"))
                 })?;
@@ -165,7 +161,6 @@ impl Prio3Config {
                     length,
                     chunk_length,
                 },
-                VdafVerifyKey::L32(verify_key),
             ) => {
                 let vdaf = Prio3::new_histogram(2, *length, *chunk_length).map_err(|e| {
                     VdafError::Dap(fatal_error!(err = ?e, "initializing {self:?} failed"))
@@ -191,7 +186,6 @@ impl Prio3Config {
                     length,
                     chunk_length,
                 },
-                VdafVerifyKey::L32(verify_key),
             ) => {
                 let vdaf = Prio3::new_sum_vec(2, *bits, *length, *chunk_length).map_err(|e| {
                     VdafError::Dap(fatal_error!(err = ?e, "initializing {self:?} failed"))
@@ -218,7 +212,6 @@ impl Prio3Config {
                     chunk_length,
                     num_proofs,
                 },
-                VdafVerifyKey::L32(verify_key),
             ) => {
                 let vdaf = draft09::new_prio3_sum_vec_field64_multiproof_hmac_sha256_aes128(
                     *bits,