Merge pull request #137 from LFDT-Lockness/key-share-preimages

maurges · web-flow · commit 34a5fd0d8906 · 2025-06-02T11:41:32.000+02:00
Trusted-dealer can generate random share preimages
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -25,7 +25,7 @@ udigest = { version = "0.2.1", default-features = false }
 digest = { version = "0.10", default-features = false }
 sha2 = { version = "0.10", default-features = false }
 
-rand = "0.8"
+rand = { version = "0.8", default-features = false }
 rand_core = { version = "0.6", default-features = false }
 rand_hash = { version = "0.1" }
 rand_dev = "0.1"
@@ -35,7 +35,7 @@ futures-util = { version = "0.3", default-features = false }
 
 anyhow = "1"
 thiserror = "1"
-displaydoc = { version = "0.2", default-features = false }
+displaydoc = { version = "0.2.5", default-features = false }
 
 serde = { version = "1", default-features = false }
 serde_with = { version = "2", default-features = false }
diff --git a/cggmp21/CHANGELOG.md b/cggmp21/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## v0.6.1
+* Trusted dealer can generate shares at random or non-standard preimages [#137]
+
 ## v0.6.0
 * Update `hd-wallet` dep to v0.6 [#120]
 
diff --git a/cggmp21/Cargo.toml b/cggmp21/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cggmp21"
-version = "0.6.0"
+version = "0.6.1"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "TSS ECDSA implementation based on CGGMP21 paper"
diff --git a/cggmp21/src/trusted_dealer.rs b/cggmp21/src/trusted_dealer.rs
@@ -147,6 +147,8 @@ impl<E: Curve, L: SecurityLevel> TrustedDealerBuilder<E, L> {
 
     /// Generates [`IncompleteKeyShare`]s
     ///
+    /// For Shamir secret sharing, it's shared at points `1` to `n`
+    ///
     /// Returns error if provided inputs are invalid, or if internal
     /// error has occurred.
     pub fn generate_core_shares(
@@ -161,18 +163,80 @@ impl<E: Curve, L: SecurityLevel> TrustedDealerBuilder<E, L> {
 
     /// Generates [`KeyShare`]s
     ///
+    /// For Shamir secret sharing, it's shared at points `1` to `n`
+    ///
     /// Returns error if provided inputs are invalid, or if internal
     /// error has occurred.
     pub fn generate_shares(
-        mut self,
+        self,
+        rng: &mut (impl RngCore + CryptoRng),
+    ) -> Result<Vec<KeyShare<E, L>>, TrustedDealerError> {
+        self.generate_shares_at_internal(
+            key_share::trusted_dealer::TrustedDealerBuilder::generate_shares,
+            rng,
+        )
+    }
+
+    /// Generates [`KeyShare`]s shared at preimages provided. Each share is
+    /// going to have the given `preimages` as its `I` component.
+    ///
+    /// Preimages are ignored for additive key shares.
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    pub fn generate_shares_at(
+        self,
+        preimages: Vec<NonZero<generic_ec::Scalar<E>>>,
         rng: &mut (impl RngCore + CryptoRng),
     ) -> Result<Vec<KeyShare<E, L>>, TrustedDealerError> {
+        self.generate_shares_at_internal(
+            |builder, rng| builder.generate_shares_at(preimages, rng),
+            rng,
+        )
+    }
+
+    /// Generates [`KeyShare`]s shared at random points
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    ///
+    /// For Shamir secret sharing, the points at which the value is shared at
+    /// are chosen at random between `1` and `u16::MAX`. For additive shares,
+    /// this is the same as [`TrustedDealerBuilder::generate_shares`]
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    pub fn generate_shares_at_random(
+        self,
+        rng: &mut (impl rand_core::RngCore + rand_core::CryptoRng),
+    ) -> Result<Vec<KeyShare<E, L>>, TrustedDealerError> {
+        self.generate_shares_at_internal(
+            key_share::trusted_dealer::TrustedDealerBuilder::generate_shares_at_random,
+            rng,
+        )
+    }
+
+    fn generate_shares_at_internal<R, F>(
+        mut self,
+        inner_generate: F,
+        rng: &mut R,
+    ) -> Result<Vec<KeyShare<E, L>>, TrustedDealerError>
+    where
+        F: FnOnce(
+            CoreBuilder<E>,
+            &mut R,
+        ) -> Result<
+            Vec<IncompleteKeyShare<E>>,
+            key_share::trusted_dealer::TrustedDealerError,
+        >,
+        R: rand_core::RngCore + rand_core::CryptoRng,
+    {
         let n = self.n;
         let enable_multiexp = self.enable_mulitexp;
         let enable_crt = self.enable_crt;
 
         let primes = self.pregenerated_primes.take();
-        let core_key_shares = self.inner.generate_shares(rng).map_err(Reason::CoreError)?;
+        let core_key_shares = inner_generate(self.inner, rng).map_err(Reason::CoreError)?;
         let aux_data = if let Some(primes) = primes {
             generate_aux_data_with_primes(rng, primes, enable_multiexp, enable_crt)?
         } else {
diff --git a/key-share/CHANGELOG.md b/key-share/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## v0.6.1
+* Trusted dealer can generate shares at random or non-standard preimages [#137]
+
 ## v0.6.0
 * Update `hd-wallet` dep to v0.6 [#120]
 
diff --git a/key-share/Cargo.toml b/key-share/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "key-share"
-version = "0.6.0"
+version = "0.6.1"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "Key share of any Threshold Signature Scheme (TSS)"
diff --git a/key-share/src/trusted_dealer.rs b/key-share/src/trusted_dealer.rs
@@ -97,18 +97,66 @@ impl<E: Curve> TrustedDealerBuilder<E> {
     ///
     /// Returns error if provided inputs are invalid, or if internal
     /// error has occurred.
+    ///
+    /// For Shamir secret sharing, it's shared at points `1` to `n`
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
     pub fn generate_shares(
         self,
         rng: &mut (impl rand_core::RngCore + rand_core::CryptoRng),
     ) -> Result<Vec<CoreKeyShare<E>>, TrustedDealerError> {
-        let shared_secret_key = self
-            .shared_secret_key
-            .unwrap_or_else(|| NonZero::<SecretScalar<_>>::random(rng));
-        let shared_public_key = Point::generator() * &shared_secret_key;
         let key_shares_indexes = (1..=self.n)
             .map(|i| generic_ec::NonZero::from_scalar(Scalar::from(i)))
             .collect::<Option<Vec<_>>>()
             .ok_or(Reason::DeriveKeyShareIndex)?;
+        self.generate_shares_at(key_shares_indexes, rng)
+    }
+
+    /// Generates [`CoreKeyShare`]s shared at random points
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    ///
+    /// For Shamir secret sharing, the points at which the value is shared at
+    /// are chosen at random between `1` and `u16::MAX`. For additive shares,
+    /// this is the same as [`TrustedDealerBuilder::generate_shares`]
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    pub fn generate_shares_at_random(
+        self,
+        rng: &mut (impl rand_core::RngCore + rand_core::CryptoRng),
+    ) -> Result<Vec<CoreKeyShare<E>>, TrustedDealerError> {
+        // The chance of scalars repeating is negligible for usual fields in EC.
+        // But in any case the dupliactes are checked during the validation of
+        // CoreKeyShare
+        let points = (0..self.n)
+            .map(|_| generic_ec::NonZero::<Scalar<E>>::random(rng))
+            .collect();
+        self.generate_shares_at(points, rng)
+    }
+
+    /// Generates [`CoreKeyShare`]s shared at preimages provided. Each share is
+    /// going to have the given `preimages` as its `I` component.
+    ///
+    /// Preimages are ignored for additive key shares.
+    ///
+    /// Returns error if provided inputs are invalid, or if internal
+    /// error has occurred.
+    pub fn generate_shares_at(
+        self,
+        preimages: Vec<NonZero<Scalar<E>>>,
+        rng: &mut (impl rand_core::RngCore + rand_core::CryptoRng),
+    ) -> Result<Vec<CoreKeyShare<E>>, TrustedDealerError> {
+        if preimages.len() != usize::from(self.n) {
+            return Err(Reason::InvalidPreimages.into());
+        }
+
+        let shared_secret_key = self
+            .shared_secret_key
+            .unwrap_or_else(|| NonZero::<SecretScalar<_>>::random(rng));
+        let shared_public_key = Point::generator() * &shared_secret_key;
         let secret_shares = if let Some(t) = self.t {
             let f = generic_ec_zkp::polynomial::Polynomial::sample_with_const_term(
                 rng,
@@ -120,7 +168,7 @@ impl<E: Curve> TrustedDealerBuilder<E> {
                 Point::generator() * f.value::<_, Scalar<_>>(&Scalar::zero())
             );
 
-            key_shares_indexes
+            preimages
                 .iter()
                 .map(|I_i| f.value(I_i))
                 .map(|mut x_i| SecretScalar::new(&mut x_i))
@@ -150,7 +198,7 @@ impl<E: Curve> TrustedDealerBuilder<E> {
 
         let vss_setup = self.t.map(|t| VssSetup {
             min_signers: t,
-            I: key_shares_indexes,
+            I: preimages,
         });
 
         #[cfg(feature = "hd-wallet")]
@@ -198,6 +246,8 @@ enum Reason {
     DeriveKeyShareIndex,
     #[displaydoc("randomly generated share is zero - probability of that is negligible")]
     ZeroShare,
+    #[displaydoc("invalid share preimages given")]
+    InvalidPreimages,
 }
 
 impl From<Reason> for TrustedDealerError {
diff --git a/tests/tests/it/trusted_dealer.rs b/tests/tests/it/trusted_dealer.rs
@@ -28,47 +28,53 @@ fn trusted_dealer_generates_correct_shares<E: Curve>() {
     let mut rng = DevRng::new();
     let thresholds = [None, Some(2), Some(3), Some(5), Some(7), Some(10)];
 
+    let methods = [
+        trusted_dealer::TrustedDealerBuilder::generate_shares,
+        trusted_dealer::TrustedDealerBuilder::generate_shares_at_random,
+    ];
+
     for n in [2, 3, 7, 10] {
         for &t in thresholds
             .iter()
             .filter(|t| t.map(|t| t <= n).unwrap_or(true))
         {
-            println!("t={t:?} n={n}");
-            let sk = NonZero::<SecretScalar<_>>::random(&mut rng);
-            let shares = trusted_dealer::builder::<E, DummyLevel>(n)
-                .set_threshold(t)
-                .set_shared_secret_key(sk.clone())
-                .generate_shares(&mut rng)
-                .unwrap();
+            for generate in methods {
+                println!("t={t:?} n={n}");
+                let sk = NonZero::<SecretScalar<_>>::random(&mut rng);
+                let builder = trusted_dealer::builder::<E, DummyLevel>(n)
+                    .set_threshold(t)
+                    .set_shared_secret_key(sk.clone());
+                let shares = generate(builder, &mut rng).unwrap();
 
-            // Choose `t` random key shares and reconstruct a secret key
-            let t = t.unwrap_or(n);
-            let t_shares = shares
-                .choose_multiple(&mut rng, t.into())
-                .cloned()
-                .collect::<Vec<_>>();
+                // Choose `t` random key shares and reconstruct a secret key
+                let t = t.unwrap_or(n);
+                let t_shares = shares
+                    .choose_multiple(&mut rng, t.into())
+                    .cloned()
+                    .collect::<Vec<_>>();
 
-            let sk_reconstructed = reconstruct_secret_key(&t_shares).unwrap();
-            assert_eq!(
-                {
-                    let sk: &Scalar<E> = sk.as_ref();
-                    sk
-                },
-                sk_reconstructed.as_ref()
-            );
-            assert_eq!(
-                Point::generator() * &sk_reconstructed,
-                shares[0].core.shared_public_key
-            );
+                let sk_reconstructed = reconstruct_secret_key(&t_shares).unwrap();
+                assert_eq!(
+                    {
+                        let sk: &Scalar<E> = sk.as_ref();
+                        sk
+                    },
+                    sk_reconstructed.as_ref()
+                );
+                assert_eq!(
+                    Point::generator() * &sk_reconstructed,
+                    shares[0].core.shared_public_key
+                );
 
-            // Check that `reconstruct_secret_key` works well with more than `t` shares
-            let k = rng.gen_range((n.min(t + 1))..=n);
-            let k_shares = shares
-                .choose_multiple(&mut rng, k.into())
-                .cloned()
-                .collect::<Vec<_>>();
-            let sk_reconstructed2 = reconstruct_secret_key(&k_shares).unwrap();
-            assert_eq!(sk_reconstructed.as_ref(), sk_reconstructed2.as_ref());
+                // Check that `reconstruct_secret_key` works well with more than `t` shares
+                let k = rng.gen_range((n.min(t + 1))..=n);
+                let k_shares = shares
+                    .choose_multiple(&mut rng, k.into())
+                    .cloned()
+                    .collect::<Vec<_>>();
+                let sk_reconstructed2 = reconstruct_secret_key(&k_shares).unwrap();
+                assert_eq!(sk_reconstructed.as_ref(), sk_reconstructed2.as_ref());
+            }
         }
     }
 }
diff --git a/wasm/no_std/Cargo.lock b/wasm/no_std/Cargo.lock
