Key refresh - version with aux info only #20

Merged
merged 11 commits into from
Apr 21, 2023

Conversation

maurges
Contributor

@maurges maurges commented Apr 19, 2023

  • Add a new protocol for aux info generation only
  • Move the non-threshold key refresh to a separate file
    • There is a small meaningful code change there that doesn't affect the logic, I'll point it out as a comment
  • Split keyshare into core and aux
  • Add test for the whole threshold pipeline

@maurges maurges requested a review from survived April 19, 2023 13:20

github-actions bot commented Apr 19, 2023

Crate direct deps

Direct deps
digest v0.10.6
futures v0.3.24
generic-ec v0.0.0 (https://github.com/dfns-labs/generic-ec?branch=d#a65125af)
generic-ec-zkp v0.1.0 (https://github.com/dfns-labs/generic-ec?branch=d#a65125af)
hex v0.4.3
paillier-zk v0.1.0 (https://github.com/dfns-labs/paillier-zk?branch=m#72f8eda3)
rand_chacha v0.3.1
rand_core v0.6.4
round-based v0.2.0 (https://github.com/Zengo-X/round-based-protocol?branch=round-based2#16bb42a4)
serde v1.0.145
serde_json v1.0.89
serde_with v2.0.1
sha2 v0.10.6
thiserror v1.0.37

Compared to base branch

Diff
--- direct-deps-base	2023-04-21 10:34:03.504440164 +0000
+++ direct-deps-pr	2023-04-21 10:34:03.988446529 +0000
@@ -1 +0,0 @@
-cggmp21 v0.0.0 (/home/runner/work/cggmp21/cggmp21/base_branch/cggmp21)
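Review bot: the only removed line in this hunk is the crate's own root entry as seen from the base-branch checkout path (`.../base_branch/cggmp21`), not a third-party dependency, and the full cargo tree comparison reports "No changes" against the base branch; the PR therefore introduces the new aux-info protocol without adding or bumping any direct dependency, which is worth a sentence in the description so readers do not mistake this diff for a dropped dependency.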

All deps

cargo tree

Compared to base branch

Diff
No changes


github-actions bot commented Apr 19, 2023

Benchmark Result

Benchmarks
RUST_TESTS_SEED=cadeb614cb62d166627d5bff4b318ebd625c311ac4b1b848d302e5024d54e8ee
n = 3
Key refresh protocol
Protocol Performance:
  - Protocol took 3.26s to complete
In particular:
  - Setup: 27.40µs
    - Retrieve auxiliary data: 900.00ns (3.3%)
    - Setup networking: 19.60µs (71.5%)
    - Precompute execution id and shared state: 6.70µs (24.5%)
    - Unstaged: 200.00ns (0.7%)
  - Round 1: 388.35ms
    - Retrieve primes (p and q): 200.00ns (0.0%)
    - Compute paillier decryption key (N): 22.93ms (5.9%)
    - Generate secret x_i and public X_i: 701.70µs (0.2%)
    - Generate auxiliary params r, λ, t, s: 5.76ms (1.5%)
    - Prove Πprm (ψˆ_i): 357.88ms (92.2%)
    - Compute schnorr commitment τ_j: 620.30µs (0.2%)
    - Sample random bytes: 300.00ns (0.0%)
    - Compute hash commitment and sample decommitment: 454.20µs (0.1%)
    - Unstaged: 300.00ns (0.0%)
  - Round 2: 500.00ns
  - Round 3: 1.97s
    - Validate round 1 decommitments: 1.17ms (0.1%)
    - Validate data sizes: 700.00ns (0.0%)
    - Validate П_prm (ψ_i): 664.24ms (33.8%)
    - Validate X_i: 41.50µs (0.0%)
    - Compute paillier encryption keys: 14.30µs (0.0%)
    - Add together shared random bytes: 500.00ns (0.0%)
    - Compute П_mod (ψ_i): 1.11s (56.4%)
    - Assemble security params for П_fac (ф_i): 1.80ms (0.1%)
    - Compute schnorr proof ψ_i^j: 30.30µs (0.0%)
    - Prepare auxiliary params and security level for proofs: 600.00ns (0.0%)
    - Paillier encryption of x_i^j: 44.53ms (2.3%)
    - Compute П_fac (ф_i^j): 145.53ms (7.4%)
    - Unstaged: 2.00µs (0.0%)
  - Round 4: 907.90ms
    - Paillier decrypt x_j^i from C_j^i: 37.75ms (4.2%)
    - Validate shares: 421.30µs (0.0%)
    - Validate schnorr proofs п_j and ψ_j^k: 3.49ms (0.4%)
    - Validate ψ_j (П_mod): 720.33ms (79.3%)
    - Validate ф_j (П_fac): 145.88ms (16.1%)
    - Calculate new x_i: 2.50µs (0.0%)
    - Calculate new X_i: 27.00µs (0.0%)
    - Assemble new core share: 900.00ns (0.0%)
    - Assemble auxiliary info: 3.60µs (0.0%)
    - Unstaged: 300.00ns (0.0%)

Signing protocol
Protocol Performance:
  - Protocol took 2.15s to complete
In particular:
  - Setup: 24.37ms
    - Map t-out-of-n protocol to t-out-of-t: 8.80µs (0.0%)
    - Retrieve auxiliary data: 24.35ms (99.9%)
    - Precompute execution id and security params: 7.20µs (0.0%)
    - Setup networking: 6.20µs (0.0%)
    - Unstaged: 200.00ns (0.0%)
  - Round 1: 168.14ms
    - Generate local ephemeral secrets (k_i, y_i, p_i, v_i): 42.70µs (0.0%)
    - Encrypt G_i and K_i: 44.86ms (26.7%)
    - Prove ψ0_j: 123.23ms (73.3%)
    - Unstaged: 2.10µs (0.0%)
  - Round 2: 56.20µs
    - Hash received msgs (reliability check): 55.90µs (99.5%)
    - Unstaged: 300.00ns (0.5%)
  - Round 3: 1.03s
    - Assert other parties hashed messages (reliability check): 1.10µs (0.0%)
    - Verify psi0 proofs: 110.81ms (10.8%)
    - Sample random r, hat_r, s, hat_s, beta, hat_beta: 103.80µs (0.0%)
    - Encrypt D_ji: 64.73ms (6.3%)
    - Encrypt F_ji: 59.11ms (5.8%)
    - Encrypt hat_D_ji: 65.01ms (6.3%)
    - Encrypt hat_F_ji: 59.52ms (5.8%)
    - Prove psi_ji: 259.86ms (25.3%)
    - Prove psiˆ_ji: 284.46ms (27.7%)
    - Prove psi_prime_ji : 124.32ms (12.1%)
    - Unstaged: 3.60µs (0.0%)
  - Round 4: 816.47ms
    - Retrieve auxiliary data: 11.00µs (0.0%)
    - Validate psi: 245.25ms (30.0%)
    - Validate hat_psi: 258.76ms (31.7%)
    - Validate psi_prime: 111.80ms (13.7%)
    - Compute Gamma, Delta_i, delta_i, chi_i: 82.18ms (10.1%)
    - Prove psi_prime_prime: 118.47ms (14.5%)
    - Unstaged: 900.00ns (0.0%)
  - Presig output: 110.16ms
    - Validate psi_prime_prime: 109.67ms (99.6%)
    - Calculate presignature: 485.40µs (0.4%)
    - Unstaged: 1.80µs (0.0%)
  - Partial signing: 14.90µs
  - Signature reconstruction: 770.40µs

Contributor Author

maurges commented Apr 19, 2023

Added the section to writeup as well, 5.3 at this point

Review threads on files:
  • tests/tests/key_refresh.rs (outdated, resolved)
  • cggmp21/src/key_share.rs (resolved)
  • cggmp21/src/key_refresh/non_threshold.rs (resolved)
Contributor

@survived survived left a comment


Found that we have a bunch of useless #[serde_as] attributes. The only place where it's needed is DirtyIncompleteKeyShare

Review threads on files:
  • cggmp21/src/key_share.rs (outdated, resolved)
  • cggmp21/src/key_share.rs (outdated, resolved)
  • cggmp21/src/key_share.rs (outdated, resolved)
@maurges maurges merged commit 9a9b118 into m Apr 21, 2023
@maurges maurges deleted the aux-info-only branch April 21, 2023 16:18