update to version 3.7

Author: tomt1664

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "multi-party-ecdsa"
-version = "0.2.7"
+version = "0.3.7"
 edition = "2018"
 authors = [
     "Gary <gary@kzencorp.com>",
@@ -18,7 +18,7 @@ keywords = [
 ]
 
 homepage = "https://github.com/KZen-networks/multi-party-ecdsa"
-repository = "https://github.com/commerceblock/multi-party-ecdsa"
+repository = "https://github.com/KZen-networks/multi-party-ecdsa"
 license = "GPL-3.0-or-later"
 categories = ["cryptography"]
 
@@ -29,24 +29,24 @@ crate-type = ["lib"]
 cclst = ["class_group"]
 
 [dependencies]
-paillier = { git = "https://github.com/KZen-networks/rust-paillier", tag = "v0.3.3"}
-zk-paillier = { git = "https://github.com/KZen-networks/zk-paillier", tag = "v0.2.4"}
+paillier = { git = "https://github.com/KZen-networks/rust-paillier", tag = "v0.3.4"}
+zk-paillier = { git = "https://github.com/KZen-networks/zk-paillier", tag = "v0.2.8"}
 subtle = { version = "2" }
 serde = { version = "1.0", features = ["derive"] }
 zeroize = "0.10.1"
 
 [dependencies.curv]
 git = "https://github.com/commerceblock/curv"
 tag = "v0.2.7"
-features =  ["ec_secp256k1"]
+features = ["ec_secp256k1"]
 
 [dependencies.centipede]
 git = "https://github.com/commerceblock/centipede"
 tag = "v0.2.7"
 
 [dependencies.class_group]
-git = "https://github.com/KZen-networks/class-groups"
-tag = "v0.1.5"
+git = "https://github.com/KZen-networks/class"
+tag = "v0.4.4"
 optional = true
 
 [dev-dependencies]
@@ -55,7 +55,7 @@ rust-crypto = "0.2"
 hex = "0.4"
 rocket = { version = "0.4.5", default-features = false }
 rocket_contrib = "0.4.5"
-reqwest = { version = "0.10", default-features = false, features = ["socks", "blocking", "json"] }
+reqwest = { version = "0.10", default-features = false , features = ["socks", "blocking", "json"]}
 uuid = { version = "0.8", features = ["v4"] }
 serde_json = "1.0"
 libsecp256k1 = "0.3.5"
@@ -77,17 +77,30 @@ name = "common"
 crate-type = ["lib"]
 
 [[bench]]
-name = "cclst"
+name = "cclst_keygen"
 path = "benches/two_party_ecdsa/cclst_2019/keygen.rs"
 required-features = ["cclst"]
 harness = false
 
+[[bench]]
+name = "cclst_sign"
+path = "benches/two_party_ecdsa/cclst_2019/sign.rs"
+required-features = ["cclst"]
+harness = false
+
+
 [[bench]]
 name = "gg18"
 path = "benches/multi_party_ecdsa/gg18/keygen.rs"
 harness = false
 
 [[bench]]
-name = "lindel2017"
+name = "lindel2017_keygen"
 path = "benches/two_party_ecdsa/lindell_2017/keygen.rs"
 harness = false
+
+
+[[bench]]
+name = "lindel2017_sign"
+path = "benches/two_party_ecdsa/lindell_2017/sign.rs"
+harness = false

README.md

@@ -11,15 +11,27 @@ Threshold ECDSA includes two protocols:
 -   Signing for using the secret shares to generate a signature.
 
 ECDSA is used extensively for crypto-currencies such as Bitcoin, Ethereum (secp256k1 curve), NEO (NIST P-256 curve) and much more.
-This library can be used to create MultiSig and ThresholdSig crypto wallet.
+This library can be used to create MultiSig and ThresholdSig crypto wallet. For a full background on threshold signatures please read our Binance academy article [Threshold Signatures Explained](https://www.binance.vision/security/threshold-signatures-explained).
 
-## Project Status
+## Library Introduction
+The library was built with four core design principles in mind: 
+1. Multi-protocol support
+2. Built for cryptography engineers
+3. Foolproof
+4. Black box use of cryptographic primitives
 
--   The library supports **2P-ECDSA** based on Lindell's crypto 2017 paper [1]. Project [Gotham-city](https://github.com/KZen-networks/gotham-city) is a proof of concept for a full two-party Bitcoin wallet that uses this library. See benchmarks and white paper there.
+To learn about the core principles as well as on the [audit](https://github.com/KZen-networks/multi-party-ecdsa/tree/master/audits) process and security of the library, please read our [Intro to multiparty ecdsa library](https://zengo.com/introducing-multi-party-ecdsa-library/) blog post.
 
--   The library supports Gennaro and Goldfeder CCS 2018 protocol [2] for **{t,n}-threshold ECDSA**.
+## Use It
 
--   The library supports **2P-ECDSA** based on Castagnos et. al. crypto 2019 paper [3]. To Enable build with `--features=cclst`.
+
+The library implements three different protocols for threshold ECDSA. The protocols presents differnt tradeoffs in terms of parameters, security assumptions and efficiency. 
+
+|  Protocol                                               | High Level code                                                             |
+| -------------------------------------------- | -------------------------------------------- |
+|  Lindell 17 [1]  |  [Gotham-city](https://github.com/KZen-networks/gotham-city) (accepted to [CIW19](https://ifca.ai/fc19/ciw/program.html)) is a two party bitcoin wallet, including benchmarks. [KMS](https://github.com/KZen-networks/kms-secp256k1) is a Rust wrapper library that implements a general purpose two party key management system. [thresh-sig-js](https://github.com/KZen-networks/thresh-sig-js) is a Javascript SDK | 
+| Gennaro, Goldfeder 19 [2] ([video](https://www.youtube.com/watch?v=PdfDZIwuZm0)) | [tss-ecdsa-cli](https://github.com/cryptochill/tss-ecdsa-cli) is a wrapper CLI for full threshold access structure, including network and threshold HD keys ([BIP32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)). See [Demo](https://github.com/KZen-networks/multi-party-ecdsa#run-demo) in this library to get better low level understanding| 
+|Castagnos et. al. 19 [3]| WIP, Currently enabled as a feature in this library. To Enable build with `--features=cclst`.|
 
 ## Run Demo
 
@@ -43,7 +55,13 @@ Run `./gg18_sign_client`. The application should be in the same folder as the `k
 
 ### Full demo
 
-Run `./run.sh` (located in `/demo` folder) in the same folder as the excutables (usually `/target/release/examples`. Move `params` file to the same folder). It will spawn a shared state machine, clients in the number of parties and signing requests for the `threshold + 1` first parties.
+Run `./run.sh` (located in `/demo` folder) in the main folder. Move `params` file to the same folder as the excutables (usually `/target/release/examples`). The script will spawn a shared state machine, clients in the number of parties and signing requests for the `threshold + 1` first parties.
+
+`sm_manager` rocket server runs in _production_ mode by default. You may modify the `./run.sh` to config it to run in different environments. For example, to run rocket server in _development_:
+
+```
+ROCKET_ENV=development ./target/release/examples/sm_manager
+```
 
 |          !["Multiparty ECDSA Demo"][demo]          |
 | :------------------------------------------------: |

Rocket.toml

@@ -1,5 +1,5 @@
 [development]
-address = "127.0.0.1"
+address = "0.0.0.0"
 port = 8001
 workers = 12
 keep_alive = 5
@@ -8,7 +8,7 @@ hi = "Hello!" # this is an unused extra; maybe application specific?
 is_extra = true # this is an unused extra; maybe application specific?
 
 [staging]
-address = "127.0.0.1"
+address = "0.0.0.0"
 port = 8001
 workers = 8
 keep_alive = 5
@@ -17,7 +17,7 @@ log = "normal"
 secret_key = "8Xui8SN4mI+7egV/9dlfYYLGQJeEx4+DwmSQLwDVXJg="
 
 [production]
-address = "127.0.0.1"
+address = "0.0.0.0"
 port = 8001
 workers = 12
 keep_alive = 5

benches/two_party_ecdsa/cclst_2019/keygen.rs

@@ -10,41 +10,43 @@ mod bench {
     pub fn bench_full_keygen_party_one_two(c: &mut Criterion) {
         c.bench_function("keygen", move |b| {
             b.iter(|| {
+
                 let (party_one_first_message, comm_witness, ec_key_pair_party1) =
-                    party_one::KeyGenFirstMsg::create_commitments_with_fixed_secret_share(
-                        ECScalar::from(&BigInt::sample(253)),
-                    );
-                let (party_two_first_message, _ec_key_pair_party2) =
-                    party_two::KeyGenFirstMsg::create_with_fixed_secret_share(ECScalar::from(
-                        &BigInt::from(10),
+                    party_one::KeyGenFirstMsg::create_commitments_with_fixed_secret_share(ECScalar::from(
+                        &BigInt::sample(253),
                     ));
+                let (party_two_first_message, _ec_key_pair_party2) =
+                    party_two::KeyGenFirstMsg::create_with_fixed_secret_share(ECScalar::from(&BigInt::from(
+                        10,
+                    )));
                 let party_one_second_message = party_one::KeyGenSecondMsg::verify_and_decommit(
                     comm_witness,
                     &party_two_first_message.d_log_proof,
                 )
-                .expect("failed to verify and decommit");
+                    .expect("failed to verify and decommit");
 
-                let _party_two_second_message =
-                    party_two::KeyGenSecondMsg::verify_commitments_and_dlog_proof(
-                        &party_one_first_message,
-                        &party_one_second_message,
-                    )
+                let _party_two_second_message = party_two::KeyGenSecondMsg::verify_commitments_and_dlog_proof(
+                    &party_one_first_message,
+                    &party_one_second_message,
+                )
                     .expect("failed to verify commitments and DLog proof");
 
                 // init HSMCL keypair:
-                let hsmcl_key_pair = party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(
-                    &ec_key_pair_party1,
-                );
+                let seed :BigInt = str::parse(
+                    "314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848"
+                ).unwrap();
+                let hsmcl_key_pair =
+                    party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(&ec_key_pair_party1, seed.clone());
 
                 let party_one_private =
                     party_one::Party1Private::set_private_key(&ec_key_pair_party1, &hsmcl_key_pair);
 
-                let cldl_proof = party_one::HSMCLKeyPair::generate_zkcldl_proof(
-                    &hsmcl_key_pair,
-                    &party_one_private,
-                );
+                let cldl_proof =
+                    party_one::HSMCLKeyPair::generate_zkcldl_proof(&hsmcl_key_pair, &party_one_private, seed.clone());
                 let _party_two_hsmcl_pub =
                     party_two::HSMCLPublic::verify_zkcldl_proof(cldl_proof).expect("proof error");
+
+
             })
         });
     }

benches/two_party_ecdsa/cclst_2019/sign.rs

@@ -6,42 +6,48 @@ mod bench {
     use multi_party_ecdsa::protocols::two_party_ecdsa::cclst_2019::party_two::HSMCLPublic;
     use multi_party_ecdsa::protocols::two_party_ecdsa::cclst_2019::*;
 
-    pub fn bench_full_keygen_party_one_two(c: &mut Criterion) {
-        c.bench_function("keygen", move |b| {
+    pub fn bench_full_sign_party_one_two(c: &mut Criterion) {
+        c.bench_function("sign", move |b| {
             b.iter(|| {
+                // assume party1 and party2 engaged with KeyGen in the past resulting in
+                // party1 owning private share and HSMCL key-pair
+                // party2 owning private share and HSMCL encryption of party1 share
                 let (_party_one_private_share_gen, _comm_witness, ec_key_pair_party1) =
                     party_one::KeyGenFirstMsg::create_commitments();
-                let (party_two_private_share_gen, ec_key_pair_party2) =
-                    party_two::KeyGenFirstMsg::create();
+                let (party_two_private_share_gen, ec_key_pair_party2) = party_two::KeyGenFirstMsg::create();
+
+                let seed: BigInt = str::parse(
+                    "314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848"
+                ).unwrap();
 
                 let party_one_hsmcl_key_pair =
-                    party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(
-                        &ec_key_pair_party1,
-                    );
+                    party_one::HSMCLKeyPair::generate_keypair_and_encrypted_share(&ec_key_pair_party1, seed);
+
+                let party1_private =
+                    party_one::Party1Private::set_private_key(&ec_key_pair_party1, &party_one_hsmcl_key_pair);
 
-                let party_two_hsmcl_public = HSMCLPublic {
-                    ek: party_one_hsmcl_key_pair.keypair.pk.clone(),
-                    encrypted_secret_share: party_one_hsmcl_key_pair.encrypted_share.clone(),
-                };
+                let party_two_hsmcl_public = HSMCLPublic::set(
+                    &party_one_hsmcl_key_pair.keypair.pk,
+                    &party_one_hsmcl_key_pair.encrypted_share,
+                );
                 // creating the ephemeral private shares:
 
                 let (eph_party_two_first_message, eph_comm_witness, eph_ec_key_pair_party2) =
                     party_two::EphKeyGenFirstMsg::create_commitments();
                 let (eph_party_one_first_message, eph_ec_key_pair_party1) =
                     party_one::EphKeyGenFirstMsg::create();
-                let eph_party_two_second_message =
-                    party_two::EphKeyGenSecondMsg::verify_and_decommit(
-                        eph_comm_witness,
-                        &eph_party_one_first_message,
-                    )
+                let eph_party_two_second_message = party_two::EphKeyGenSecondMsg::verify_and_decommit(
+                    eph_comm_witness,
+                    &eph_party_one_first_message,
+                )
                     .expect("party1 DLog proof failed");
 
                 let _eph_party_one_second_message =
                     party_one::EphKeyGenSecondMsg::verify_commitments_and_dlog_proof(
                         &eph_party_two_first_message,
                         &eph_party_two_second_message,
                     )
-                    .expect("failed to verify commitments and DLog proof");
+                        .expect("failed to verify commitments and DLog proof");
                 let party2_private = party_two::Party2Private::set_private_key(&ec_key_pair_party2);
                 let message = BigInt::from(1234);
 
@@ -53,31 +59,24 @@ mod bench {
                     &message,
                 );
 
-                let party1_private = party_one::Party1Private::set_private_key(
-                    &ec_key_pair_party1,
-                    &party_one_hsmcl_key_pair,
-                );
-
                 let signature = party_one::Signature::compute(
                     &party1_private,
                     partial_sig.c3,
                     &eph_ec_key_pair_party1,
                     &eph_party_two_second_message.comm_witness.public_share,
                 );
 
-                let pubkey = party_one::compute_pubkey(
-                    &party1_private,
-                    &party_two_private_share_gen.public_share,
-                );
+                let pubkey =
+                    party_one::compute_pubkey(&party1_private, &party_two_private_share_gen.public_share);
                 party_one::verify(&signature, &pubkey, &message).expect("Invalid signature")
             })
         });
     }
 
     criterion_group! {
-    name = keygen;
+    name = sign;
     config = Criterion::default().sample_size(10);
-    targets =self::bench_full_keygen_party_one_two}
+    targets =self::bench_full_sign_party_one_two}
 }
 
-criterion_main!(bench::keygen);
+criterion_main!(bench::sign);

benches/two_party_ecdsa/lindell_2017/keygen.rs

@@ -47,50 +47,39 @@ mod bench {
                     encrypted_secret_share: paillier_key_pair.encrypted_share.clone(),
                 };
 
+                // zk proof of correct paillier key
                 let correct_key_proof =
                     party_one::PaillierKeyPair::generate_ni_proof_correct_key(&paillier_key_pair);
                 party_two::PaillierPublic::verify_ni_proof_correct_key(
                     correct_key_proof,
                     &party_two_paillier.ek,
                 )
-                .expect("bad paillier key");
-                // zk proof of correct paillier key
+                    .expect("bad paillier key");
 
-                // zk range proof
-                let range_proof = party_one::PaillierKeyPair::generate_range_proof(
-                    &paillier_key_pair,
-                    &party_one_private,
-                );
-                party_two::PaillierPublic::verify_range_proof(&party_two_paillier, &range_proof)
-                    .expect("range proof error");
+                //zk_pdl
 
-                // pdl proof minus range proof
-                let (party_two_pdl_first_message, pdl_chal_party2) = party_two_paillier
-                    .pdl_challenge(&party_one_second_message.comm_witness.public_share);
+                let (party_two_pdl_first_message,mut party_two_pdl_state, party_two_pdl_statement) =
+                    party_two_paillier.pdl_first_message(&party_one_second_message.comm_witness.public_share);
 
-                let (party_one_pdl_first_message, pdl_decommit_party1, alpha) =
-                    party_one::PaillierKeyPair::pdl_first_stage(
-                        &party_one_private,
-                        &party_two_pdl_first_message,
-                    );
+                let (party_one_pdl_first_message, party_one_pdl_state, _party_one_pdl_statment, party_one_pdl_witness) =
+                    party_one::PaillierKeyPair::pdl_first_message(&party_one_private, &party_two_pdl_first_message, &paillier_key_pair );
 
                 let party_two_pdl_second_message =
-                    party_two::PaillierPublic::pdl_decommit_c_tag_tag(&pdl_chal_party2);
-                let party_one_pdl_second_message = party_one::PaillierKeyPair::pdl_second_stage(
-                    &party_two_pdl_first_message,
-                    &party_two_pdl_second_message,
-                    party_one_private,
-                    pdl_decommit_party1,
-                    alpha,
-                )
-                .expect("pdl error party2");
+                    party_two::PaillierPublic::pdl_second_message(&party_one_pdl_first_message, &party_two_pdl_statement , &mut party_two_pdl_state).expect("range proof error");
+
+                let party_one_pdl_second_message =
+                    party_one::PaillierKeyPair::pdl_second_message(&party_two_pdl_first_message,
+                                                                   &party_two_pdl_second_message,
+                                                                   &party_one_pdl_witness,
+                                                                   &party_one_pdl_state).expect("pdl error from party2 pdl");
+
 
-                party_two::PaillierPublic::verify_pdl(
-                    &pdl_chal_party2,
+                party_two::PaillierPublic::pdl_finalize(
                     &party_one_pdl_first_message,
                     &party_one_pdl_second_message,
-                )
-                .expect("pdl error party1")
+                    &party_two_pdl_state)
+                    .expect("pdl_error");
+
             })
         });
     }