Merge #8: [Test] Complete test for Aggregated Shamir's Secret Sharing Scheme and DKG protocol.

furszy · furszy · commit 676ea45e8034 · 2021-07-22T20:25:05.000-03:00
d074717 [Test] Aggregated SSSS: add failed verification against the aggregated threshold signature when one of the signature shares is corrupted/invalid. (random-zebra) 78bc1c4 Add complete test for Aggregated Shamir's Secret Sharing Scheme. (furszy) 56996d3 Clean duplicate HexStr function. (furszy) 905fc4b Fix PublicKeyRecover and SignatureShare args names. (furszy) Pull request description: Going one step further over the Threshold Signatures tests, validating that the correlation and aggregation BLS properties are working properly on top of the Shamir's Secret Sharing Scheme, verifying the DKG protocol and each participant share/sig validation step described in DIP6 [BLS M-of-N Threshold Scheme and Distributed Key Generation](https://github.com/dashpay/dips/blob/master/dip-0006/bls_m-of-n_threshold_scheme_and_dkg.md) Plus corrected a duplicated `HexStr` function and few invalid function's args names. ACKs for top commit: random-zebra: ACK d074717 Tree-SHA512: 9a0acca2fecc44919292e46beea01e4c459aa15e90a65307a69d498f680907762d42f07ef823d85ef0d3d9971a12f2c9a0780984824b4951374b744b3b389eca
diff --git a/src/privatekey.cpp b/src/privatekey.cpp
@@ -40,7 +40,7 @@ PrivateKey PrivateKey::FromBytes(const Bytes& bytes, bool modOrder)
 }
 
 // Construct a private key from a bytearray.
-PrivateKey PrivateKey::FromByteVector(const std::vector<uint8_t> bytes, bool modOrder)
+PrivateKey PrivateKey::FromByteVector(const std::vector<uint8_t>& bytes, bool modOrder)
 {
     return PrivateKey::FromBytes(Bytes(bytes), modOrder);
 }
diff --git a/src/privatekey.hpp b/src/privatekey.hpp
@@ -37,7 +37,7 @@ class PrivateKey {
     static PrivateKey FromBytes(const Bytes& bytes, bool modOrder = false);
 
     // Construct a private key from a bytearray.
-    static PrivateKey FromByteVector(const std::vector<uint8_t> bytes, bool modOrder = false);
+    static PrivateKey FromByteVector(const std::vector<uint8_t>& bytes, bool modOrder = false);
 
     // Aggregate many private keys into one (sum of keys mod order)
     static PrivateKey Aggregate(std::vector<PrivateKey> const &privateKeys);
diff --git a/src/test.cpp b/src/test.cpp
@@ -1245,6 +1245,227 @@ TEST_CASE("Threshold Signatures") {
         REQUIRE(recPk == pks[0]);
         REQUIRE(recSig == sig);
     }
+
+
+    typedef std::vector<uint8_t> RawData;
+
+    struct RecvShare {
+        PrivateKey skShare;
+        G1Element pkShare;
+        std::vector<G1Element> verifVec;
+    };
+
+    class Participant {
+    public:
+        // Unique identifier
+        RawData id;
+        // Free coefficient of S(x)
+        PrivateKey sk;
+        // Free coefficient of P(x)
+        G1Element pk;
+        // Free coefficient of SIG(x)
+        G2Element sig;
+        // Coefficients vectors
+        std::vector<PrivateKey> sks;
+        std::vector<G1Element> pks;
+        // Internal shares (contributions)
+        std::map<RawData, PrivateKey> sksShares;
+        std::map<RawData, G1Element> pksShares;
+
+        // Map of received shares from each participant id.
+        std::map<RawData, RecvShare> recvShares;
+
+        // The sk generated from the aggregation of all of the received sks shares (contributions).
+        PrivateKey skShare;
+
+        // Map of received aggrSig from each participant id.
+        std::map<RawData, G2Element> recvAggrSigs;
+
+        bool recvShareAndVerificationVector(RawData fromId, const PrivateKey& share, const std::vector<G1Element>& verifVec) {
+            G1Element evalPubShare = bls::Threshold::PublicKeyShare(verifVec, Bytes(id));
+            REQUIRE(share.GetG1Element() == evalPubShare);
+            recvShares.emplace(std::move(fromId), RecvShare{share, evalPubShare, verifVec});
+            return true;
+        }
+        void recvAggrSigsFrom(RawData& fromId, const G2Element& sigShare) {
+            recvAggrSigs.emplace(fromId, sigShare);
+        }
+    };
+
+    auto randPrivKey = [&]() {
+      RawData buf = getRandomSeed();
+      return PrivateKey::FromByteVector(buf, true);
+    };
+
+    auto randValue = [&](int mod, std::vector<int>& blockValues) {
+      uint8_t val = 0;
+      do { val = getRandomSeed()[0] % mod; } while (std::find(blockValues.begin(), blockValues.end(), val) != blockValues.end());
+      return val;
+    };
+
+    SECTION("Aggregated SSSS") {
+        size_t m = 3;
+        size_t n = 5;
+
+        // First create the participants and their secrets
+        std::vector<Participant> participants;
+        for (int i=0; i < n ; i++) {
+            Participant participant;
+            participant.id = getRandomSeed();
+            participant.sk = randPrivKey();
+            participant.pk = participant.sk.GetG1Element();
+
+            // Create the vectors' coefficients
+            participant.sks.emplace_back(participant.sk);
+            participant.pks.emplace_back(participant.pk);
+            for (int j = 0; j < (m-1); j++) {
+                auto sk = randPrivKey();
+                participant.sks.emplace_back(sk);
+                participant.pks.emplace_back(sk.GetG1Element());
+            }
+            participants.emplace_back(participant);
+        }
+
+        // Second, create shares for every other participant
+        for (Participant& participant : participants) {
+            for (int j=0; j < n; j++) {
+                RawData id = participants[j].id;
+                participant.sksShares.emplace(id, bls::Threshold::PrivateKeyShare(participant.sks, Bytes(id)));
+                participant.pksShares.emplace(id, bls::Threshold::PublicKeyShare(participant.pks, Bytes(id)));
+                REQUIRE(participant.sksShares[id].GetG1Element() == participant.pksShares[id]);
+            }
+        }
+
+        // Third, send shares and verification vectors
+        for (Participant& participant : participants) {
+            for (int j=0; j < n; j++) {
+                auto& recipient = participants[j];
+                RawData destId = recipient.id;
+                // S(x) evaluated in participant1.id.
+                PrivateKey skShare = participant.sksShares.at(destId);
+                // Participant P(x) coefficients.
+                std::vector<G1Element> verificationVector = participant.pks;
+                // Now let's verify skShare with the verification vector.
+                // evaluating the verification vector with the participant id.
+                recipient.recvShareAndVerificationVector(participant.id, skShare, verificationVector);
+            }
+        }
+
+        // Fourth, now that everyone has everyone's shares and verification vectors, let's aggregate all of them to create each aggregated sk
+        // This is done aggregating every received sk share + the participant S(id) own share.
+        // Then verify it against the evaluated Pa(id)
+        for (Participant& participant : participants) {
+            std::vector<PrivateKey> skSharedPrivKeys;
+            std::vector<G1Element> pkShares;
+            for (const auto& sharesById : participant.recvShares) {
+                skSharedPrivKeys.emplace_back(sharesById.second.skShare);
+                pkShares.emplace_back(sharesById.second.pkShare);
+            }
+            PrivateKey aggregatedSharedKey = PrivateKey::Aggregate(skSharedPrivKeys);
+            // Now let's verify that the public key of Sa(participant2_id) is equal to Pa(participant2_id)
+            // For that.. let's aggregate all of the verification vectors evaluated at participant2_id.
+            G1Element aggregatedPk;
+            for (const auto& pkShare : pkShares) {
+                aggregatedPk = !aggregatedPk.IsValid() ? pkShare : aggregatedPk + pkShare;
+            }
+            REQUIRE(aggregatedSharedKey.GetG1Element() == aggregatedPk);
+            participant.skShare = aggregatedSharedKey;
+        }
+
+        // Fifth, now that everyone has its own aggrKey, let's sign a common message with it and check if can everyone can recover the SIGa() free coefficient.
+        // Then verify that the recovered G2Element validates with the recovered G1Element (lagrange interpolation results for SIGa() and Pa() respectively)
+
+        // Let's aggregate all the verification vectors to obtain Pa():
+        std::vector<G1Element> finalVerifVector(participants[0].pks);
+        for (int j = 1; j < participants.size(); j++) {
+            for (int i = 0; i < finalVerifVector.size(); i++) {
+                finalVerifVector[i] += participants[j].pks.at(i);
+            }
+        }
+
+        // Data to be signed.
+        std::vector<uint8_t> msgHash = getRandomSeed();
+        for (auto& participant : participants) {
+            // Load SiG(0) value for each participant
+            participant.sig = bls::Threshold::Sign(participant.sk, Bytes(msgHash));
+            REQUIRE(bls::Threshold::Verify(participant.pk, Bytes(msgHash), {participant.sig}));
+            // Craft the participant.skShare sig
+            G2Element aggrSig = bls::Threshold::Sign(participant.skShare, Bytes(msgHash));
+            // Send it to every other participant which will receive the
+            // aggrSig and validate that corresponds to Pa() --> checking Pa(id) == participant.aggrPk
+            G1Element aggrPk = bls::Threshold::PublicKeyShare(finalVerifVector, Bytes(participant.id));
+            REQUIRE(aggrPk == participant.skShare.GetG1Element());
+            REQUIRE(bls::Threshold::Verify(aggrPk, Bytes(msgHash), {aggrSig}));
+            for (auto& recipient : participants) {
+                recipient.recvAggrSigsFrom(participant.id, aggrSig);
+            }
+        }
+
+        // Let's aggregate all the SIG(0) values to obtain SIGa(0)
+        // This will be checked for equality against the recovered threshold signature
+        G2Element finalSIG = participants[0].sig;
+        for (int j = 1; j < participants.size(); j++) {
+            finalSIG += participants[j].sig;
+        }
+
+        // Now that everyone has everyone's sigs, let's take a participant at random and remove some sigs, then try to recover and validate SIGa(0)
+        for (int i=0; i < 10; i++) {
+            std::vector<int> blockedParticipants;
+            Participant p = participants[randValue((int)participants.size(), blockedParticipants)];
+            // Block two participants at random
+            blockedParticipants.emplace_back(randValue((int)participants.size(), blockedParticipants));
+            blockedParticipants.emplace_back(randValue((int)participants.size(), blockedParticipants));
+            std::vector<RawData> blockedIds;
+            for (const auto& pos : blockedParticipants) {
+                blockedIds.emplace_back(participants[pos].id);
+            }
+
+            // Gather sigs and ids.
+            std::vector<G2Element> aggrSigs;
+            std::vector<Bytes> ids;
+            for (const auto& recvSigShare : p.recvAggrSigs) {
+                if (std::find(blockedIds.begin(), blockedIds.end(), recvSigShare.first) != blockedIds.end()) continue;
+                ids.emplace_back(recvSigShare.first);
+                aggrSigs.emplace_back(recvSigShare.second);
+            }
+
+            REQUIRE(aggrSigs.size() == m);
+
+            G2Element freeCoefficientSigs = bls::Threshold::SignatureRecover(aggrSigs, ids);
+            REQUIRE(freeCoefficientSigs == finalSIG);
+            // This will validate against Pa(0)!
+            G1Element freeCoefficientPks = finalVerifVector[0];
+            REQUIRE(bls::Threshold::Verify(freeCoefficientPks, Bytes(msgHash), freeCoefficientSigs));
+
+            // And.. as a final check, let's craft Sa(0)
+            std::vector<PrivateKey> aggrKeys;
+            std::vector<Bytes> ids3;
+            for (const auto& participant : participants) {
+                if (std::find(blockedIds.begin(), blockedIds.end(), participant.id) != blockedIds.end()) continue;
+                aggrKeys.emplace_back(participant.skShare);
+                ids3.emplace_back(participant.id);
+            }
+            // Now recover the free coefficient of Sa()
+            PrivateKey finalKey = bls::Threshold::PrivateKeyRecover(aggrKeys, ids3);
+            REQUIRE(finalKey.GetG1Element() == freeCoefficientPks);
+            REQUIRE(bls::Threshold::Sign(finalKey, Bytes(msgHash)) == freeCoefficientSigs);
+
+            // Now let's add one valid sig share and check that can recover the free coefficient correctly.
+            Participant extraParticipant = participants[blockedParticipants.back()];
+            auto extraRecvAggrSigs = p.recvAggrSigs[extraParticipant.id];
+            ids.emplace_back(extraParticipant.id);
+            aggrSigs.emplace_back(extraRecvAggrSigs);
+            G2Element freeCoefficientSigs2 = bls::Threshold::SignatureRecover(aggrSigs, ids);
+            REQUIRE(freeCoefficientSigs2.IsValid());
+            REQUIRE(bls::Threshold::Verify(freeCoefficientPks, Bytes(msgHash), freeCoefficientSigs2));
+
+            // Now let's modify one sig share, aggregate again, and check that verification fails
+            aggrSigs[0] += G2Element::Generator();
+            G2Element freeCoefficientSigs3 = bls::Threshold::SignatureRecover(aggrSigs, ids);
+            REQUIRE(freeCoefficientSigs3.IsValid());
+            REQUIRE(!bls::Threshold::Verify(freeCoefficientPks, Bytes(msgHash), freeCoefficientSigs3));
+        }
+    }
 }
 
 int main(int argc, char* argv[])
diff --git a/src/threshold.cpp b/src/threshold.cpp
@@ -277,8 +277,8 @@ namespace bls {
         return Poly::Evaluate(pks, id);
     }
 
-    G1Element Threshold::PublicKeyRecover(const std::vector<G1Element>& sks, const std::vector<Bytes>& ids) {
-        return Poly::LagrangeInterpolate(sks, ids);
+    G1Element Threshold::PublicKeyRecover(const std::vector<G1Element>& pks, const std::vector<Bytes>& ids) {
+        return Poly::LagrangeInterpolate(pks, ids);
     }
 
     G2Element Threshold::SignatureShare(const std::vector<G2Element>& sigs, const Bytes& id) {
diff --git a/src/threshold.hpp b/src/threshold.hpp
@@ -16,9 +16,9 @@ namespace bls {
         PrivateKey PrivateKeyRecover(const std::vector<PrivateKey>& sks, const std::vector<Bytes>& ids);
 
         G1Element PublicKeyShare(const std::vector<G1Element>& pks, const Bytes& id);
-        G1Element PublicKeyRecover(const std::vector<G1Element>& sks, const std::vector<Bytes>& ids);
+        G1Element PublicKeyRecover(const std::vector<G1Element>& pks, const std::vector<Bytes>& ids);
 
-        G2Element SignatureShare(const std::vector<G2Element>& sks, const Bytes& id);
+        G2Element SignatureShare(const std::vector<G2Element>& sigs, const Bytes& id);
         G2Element SignatureRecover(const std::vector<G2Element>& sigs, const std::vector<Bytes>& ids);
 
         G2Element Sign(const PrivateKey& privateKey, const Bytes& vecMessage);
diff --git a/src/util.hpp b/src/util.hpp
@@ -53,7 +53,7 @@ class Util {
  public:
     static void Hash256(uint8_t* output, const uint8_t* message,
                         size_t messageLen) {
-        md_map_sh256(output, message, messageLen);
+        md_map_sh256(output, message, (int) messageLen);
     }
 
     static std::string HexStr(const uint8_t* data, size_t len) {
@@ -65,11 +65,7 @@ class Util {
     }
 
     static std::string HexStr(const std::vector<uint8_t> &data) {
-        std::stringstream s;
-        s << std::hex;
-        for (size_t i=0; i < data.size(); ++i)
-            s << std::setw(2) << std::setfill('0') << static_cast<int>(data[i]);
-        return s.str();
+        return HexStr(data.data(), data.size());
     }
 
     /*
@@ -104,7 +100,7 @@ class Util {
     /*
      * Converts a hex string into a vector of bytes.
      */
-    static std::vector<uint8_t> HexToBytes(const std::string hex) {
+    static std::vector<uint8_t> HexToBytes(const std::string& hex) {
         if (hex.size() % 2 != 0) {
             throw std::invalid_argument("Invalid input string, length must be multple of 2");
         }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ PrivateKey PrivateKey::FromBytes(const Bytes& bytes, bool modOrder)`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`// Construct a private key from a bytearray.`
`43`		`-PrivateKey PrivateKey::FromByteVector(const std::vector<uint8_t> bytes, bool modOrder)`
	`43`	`+PrivateKey PrivateKey::FromByteVector(const std::vector<uint8_t>& bytes, bool modOrder)`
`44`	`44`	`{`
`45`	`45`	`return PrivateKey::FromBytes(Bytes(bytes), modOrder);`
`46`	`46`	`}`
Original file line number	Diff line number	Diff line change
`@@ -277,8 +277,8 @@ namespace bls {`
`277`	`277`	`return Poly::Evaluate(pks, id);`
`278`	`278`	`}`
`279`	`279`
`280`		`- G1Element Threshold::PublicKeyRecover(const std::vector<G1Element>& sks, const std::vector<Bytes>& ids) {`
`281`		`- return Poly::LagrangeInterpolate(sks, ids);`
	`280`	`+ G1Element Threshold::PublicKeyRecover(const std::vector<G1Element>& pks, const std::vector<Bytes>& ids) {`
	`281`	`+ return Poly::LagrangeInterpolate(pks, ids);`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`G2Element Threshold::SignatureShare(const std::vector<G2Element>& sigs, const Bytes& id) {`