Fix secret key reconstruction when given more than t shares #52

Merged (1 commit), Jul 13, 2023

Conversation

survived
Contributor

There was a bug where giving more than t key shares to `reconstruct_secret_key` would produce an incorrect secret key. This PR fixes the bug and adds tests covering that.
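
The page does not show the defect itself, only that reconstruction from more than t shares was wrong. The following is an added example, not code from this repository, showing the invariant such a reconstruction has to keep: the Lagrange coefficient for each share and the final sum must run over the same set of shares, and when k > t shares arrive you either interpolate over all k or truncate to any t of them first. It also adds the check a practitioner would want, that every surplus share lies on the polynomial defined by the first t, which turns a corrupted share into an error instead of a silently wrong key. The field (GF(2^61 - 1)), the fixed polynomial coefficients in `deal`, and the function names are all constructed for this illustration; a real threshold-ECDSA library works over the curve's scalar field with random coefficients.

```rust
// Added example (not from the cggmp21 repository): Shamir secret sharing and
// Lagrange reconstruction from any k >= t shares over a small prime field.
// Field: GF(p) with p = 2^61 - 1; u128 intermediates keep every op overflow-free.
// A real library uses the curve's scalar field instead of this toy modulus.

const P: u64 = (1u64 << 61) - 1;

fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P as u128) as u64 }
fn sub(a: u64, b: u64) -> u64 { ((a as u128 + P as u128 - b as u128) % P as u128) as u64 }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

/// Square-and-multiply exponentiation, used for inversion via Fermat.
fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

fn inv(a: u64) -> u64 {
    assert!(a % P != 0, "zero has no inverse");
    pow(a, P - 2)
}

/// A share is (x, y) with y = f(x); the secret is f(0). Party indices start
/// at 1 so x is never the evaluation point 0.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Share { pub x: u64, pub y: u64 }

/// Horner evaluation of a polynomial given by its coefficients (low to high).
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| add(mul(acc, x), c))
}

/// Deal n shares of `secret` with threshold t. The higher coefficients are
/// constructed constants so the example is deterministic; a real dealer
/// samples them uniformly at random.
pub fn deal(secret: u64, t: usize, n: usize) -> Vec<Share> {
    let mut coeffs = vec![secret % P];
    for i in 1..t {
        coeffs.push(mul(0x9E37_79B9_7F4A_7C15 % P, i as u64 + 7)); // constructed, not random
    }
    (1..=n as u64).map(|x| Share { x, y: eval(&coeffs, x) }).collect()
}

/// Lagrange interpolation of the polynomial through `shares`, evaluated at z.
/// Both the coefficient lambda_j and the outer sum run over the SAME set of
/// shares; computing lambda over a t-subset but summing over all k shares is
/// one way reconstruction from more than t shares goes quietly wrong.
pub fn interpolate(shares: &[Share], z: u64) -> u64 {
    let mut acc = 0u64;
    for (j, sj) in shares.iter().enumerate() {
        let mut lambda = 1u64;
        for (m, sm) in shares.iter().enumerate() {
            if m != j {
                // lambda_j *= (z - x_m) / (x_j - x_m)
                lambda = mul(lambda, mul(sub(z, sm.x), inv(sub(sj.x, sm.x))));
            }
        }
        acc = add(acc, mul(lambda, sj.y));
    }
    acc
}

/// Reconstruct f(0) from k >= t shares. Any t shares determine the polynomial;
/// the remaining k - t are checked against it rather than ignored, so a
/// corrupted or mismatched share is reported instead of producing a wrong key.
pub fn reconstruct_secret(shares: &[Share], t: usize) -> Result<u64, String> {
    if t == 0 || shares.len() < t {
        return Err(format!("need at least {} shares, got {}", t, shares.len()));
    }
    for (i, a) in shares.iter().enumerate() {
        if shares[..i].iter().any(|b| b.x == a.x) {
            return Err(format!("duplicate share index x={}", a.x));
        }
    }
    let secret = interpolate(&shares[..t], 0);
    for extra in &shares[t..] {
        if interpolate(&shares[..t], extra.x) != extra.y {
            return Err(format!("share with x={} is inconsistent with the first {}", extra.x, t));
        }
    }
    Ok(secret)
}

fn main() {
    let shares = deal(1234567, 3, 5);
    println!("all 5 shares -> {:?}", reconstruct_secret(&shares, 3));
    println!("shares 2..4  -> {:?}", reconstruct_secret(&shares[1..4], 3));
}
```

Interpolating directly over all k consistent shares gives the same f(0); the truncate-then-verify form is used here because it also pins down which surplus share disagrees when something is off.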

@github-actions

Benchmark Result

Benchmarks
RUST_TESTS_SEED=7e82936b5368086a9e8da53535349e51f3f98d1f742f3f0b619e045e0c80c33d
n = 3

Non-threshold DKG
Protocol Performance:
  - Protocol took 707.51µs to complete
In particular:
  - Setup: 9.30µs
    - Setup networking: 9.00µs (96.8%)
    - Unstaged: 300.00ns (3.2%)
  - Round 1: 179.10µs
    - Compute execution id: 300.00ns (0.2%)
    - Sample x_i, rid_i: 78.80µs (44.0%)
    - Sample schnorr commitment: 71.20µs (39.8%)
    - Commit to public data: 28.30µs (15.8%)
    - Unstaged: 500.00ns (0.3%)
  - Round 2: 4.10µs
    - Hash received msgs (reliability check): 3.80µs (92.7%)
    - Unstaged: 300.00ns (7.3%)
  - Round 3: 400.00ns
    - Assert other parties hashed messages (reliability check): 100.00ns (25.0%)
    - Unstaged: 300.00ns (75.0%)
  - Round 4: 66.50µs
    - Validate decommitments: 60.70µs (91.3%)
    - Calculate challenge rid: 5.00µs (7.5%)
    - Prove knowledge of `x_i`: 600.00ns (0.9%)
    - Unstaged: 200.00ns (0.3%)
  - Round 5: 448.11µs
    - Validate schnorr proofs: 447.51µs (99.9%)
    - Unstaged: 600.00ns (0.1%)


Threshold DKG
Protocol Performance:
  - Protocol took 2.05ms to complete
In particular:
  - Setup: 3.70µs
    - Setup networking: 3.60µs (97.3%)
    - Unstaged: 100.00ns (2.7%)
  - Round 1: 283.10µs
    - Compute execution id: 200.00ns (0.1%)
    - Sample rid_i, schnorr commitment, polynomial: 251.60µs (88.9%)
    - Commit to public data: 31.00µs (11.0%)
    - Unstaged: 300.00ns (0.1%)
  - Round 2: 4.50µs
    - Hash received msgs (reliability check): 4.30µs (95.6%)
    - Unstaged: 200.00ns (4.4%)
  - Round 3: 400.00ns
    - Assert other parties hashed messages (reliability check): 100.00ns (25.0%)
    - Unstaged: 300.00ns (75.0%)
  - Round 4: 1.29ms
    - Validate decommitments: 64.80µs (5.0%)
    - Validate data size: 500.00ns (0.0%)
    - Validate Feldman VSS: 530.11µs (41.2%)
    - Compute rid: 300.00ns (0.0%)
    - Compute Ys: 634.11µs (49.3%)
    - Compute sigma: 900.00ns (0.1%)
    - Calculate challenge: 54.20µs (4.2%)
    - Prove knowledge of `sigma_i`: 200.00ns (0.0%)
    - Unstaged: 300.00ns (0.0%)
  - Round 5: 468.21µs
    - Validate schnorr proofs: 464.31µs (99.2%)
    - Derive resulting public key and other data: 2.70µs (0.6%)
    - Unstaged: 1.20µs (0.3%)


Key refresh protocol
Protocol Performance:
  - Protocol took 3.31s to complete
In particular:
  - Setup: 13.50µs
    - Retrieve auxiliary data: 500.00ns (3.7%)
    - Setup networking: 10.70µs (79.3%)
    - Precompute execution id and shared state: 2.20µs (16.3%)
    - Unstaged: 100.00ns (0.7%)
  - Round 1: 382.93ms
    - Retrieve primes (p and q): 200.00ns (0.0%)
    - Compute paillier decryption key (N): 21.69ms (5.7%)
    - Generate secret x_i and public X_i: 225.40µs (0.1%)
    - Generate auxiliary params r, λ, t, s: 5.49ms (1.4%)
    - Prove Πprm (ψˆ_i): 354.74ms (92.6%)
    - Compute schnorr commitment τ_j: 245.30µs (0.1%)
    - Sample random bytes: 300.00ns (0.0%)
    - Compute hash commitment and sample decommitment: 528.71µs (0.1%)
    - Unstaged: 300.00ns (0.0%)
  - Round 2: 4.60µs
    - Hash received msgs (reliability check): 3.90µs (84.8%)
    - Unstaged: 700.00ns (15.2%)
  - Round 3: 500.00ns
    - Assert other parties hashed messages (reliability check): 400.00ns (80.0%)
    - Unstaged: 100.00ns (20.0%)
  - Round 4: 2.05s
    - Validate round 1 decommitments: 910.81µs (0.0%)
    - Validate data sizes: 500.00ns (0.0%)
    - Validate П_prm (ψ_i): 679.83ms (33.2%)
    - Validate X_i: 21.40µs (0.0%)
    - Compute paillier encryption keys: 25.30µs (0.0%)
    - Add together shared random bytes: 4.50µs (0.0%)
    - Compute П_mod (ψ_i): 1.18s (57.5%)
    - Assemble security params for П_fac (ф_i): 2.18ms (0.1%)
    - Compute schnorr proof ψ_i^j: 12.60µs (0.0%)
    - Prepare auxiliary params and security level for proofs: 400.00ns (0.0%)
    - Paillier encryption of x_i^j: 46.05ms (2.2%)
    - Compute П_fac (ф_i^j): 141.75ms (6.9%)
    - Unstaged: 2.10µs (0.0%)
  - Round 5: 883.05ms
    - Paillier decrypt x_j^i from C_j^i: 37.59ms (4.3%)
    - Validate shares: 163.90µs (0.0%)
    - Validate schnorr proofs п_j and ψ_j^k: 919.21µs (0.1%)
    - Validate ψ_j (П_mod): 706.32ms (80.0%)
    - Validate ф_j (П_fac): 138.03ms (15.6%)
    - Calculate new x_i: 2.00µs (0.0%)
    - Calculate new X_i: 9.00µs (0.0%)
    - Assemble new core share: 600.00ns (0.0%)
    - Assemble auxiliary info: 2.70µs (0.0%)
    - Unstaged: 1.10µs (0.0%)


Signing protocol
Protocol Performance:
  - Protocol took 2.13s to complete
In particular:
  - Setup: 24.17ms
    - Map t-out-of-n protocol to t-out-of-t: 7.30µs (0.0%)
    - Retrieve auxiliary data: 24.16ms (99.9%)
    - Precompute execution id and security params: 2.00µs (0.0%)
    - Setup networking: 5.40µs (0.0%)
    - Unstaged: 200.00ns (0.0%)
  - Round 1: 158.16ms
    - Generate local ephemeral secrets (k_i, y_i, p_i, v_i): 40.40µs (0.0%)
    - Encrypt G_i and K_i: 45.84ms (29.0%)
    - Prove ψ0_j: 112.28ms (71.0%)
    - Unstaged: 2.40µs (0.0%)
  - Round 2: 45.10µs
    - Hash received msgs (reliability check): 44.90µs (99.6%)
    - Unstaged: 200.00ns (0.4%)
  - Round 3: 1.07s
    - Assert other parties hashed messages (reliability check): 1.30µs (0.0%)
    - Verify psi0 proofs: 111.54ms (10.5%)
    - Sample random r, hat_r, s, hat_s, beta, hat_beta: 70.00µs (0.0%)
    - Encrypt D_ji: 73.15ms (6.9%)
    - Encrypt F_ji: 66.65ms (6.3%)
    - Encrypt hat_D_ji: 82.33ms (7.7%)
    - Encrypt hat_F_ji: 76.91ms (7.2%)
    - Prove psi_ji: 279.30ms (26.2%)
    - Prove psiˆ_ji: 268.64ms (25.2%)
    - Prove psi_prime_ji : 106.90ms (10.0%)
    - Unstaged: 4.00µs (0.0%)
  - Round 4: 775.55ms
    - Retrieve auxiliary data: 9.10µs (0.0%)
    - Validate psi: 227.40ms (29.3%)
    - Validate hat_psi: 238.23ms (30.7%)
    - Validate psi_prime: 103.44ms (13.3%)
    - Compute Gamma, Delta_i, delta_i, chi_i: 85.71ms (11.1%)
    - Prove psi_prime_prime: 120.75ms (15.6%)
    - Unstaged: 1.30µs (0.0%)
  - Presig output: 102.94ms
    - Validate psi_prime_prime: 102.76ms (99.8%)
    - Calculate presignature: 187.00µs (0.2%)
    - Unstaged: 1.50µs (0.0%)
  - Partial signing: 13.80µs
  - Signature reconstruction: 304.50µs


@survived survived requested a review from maurges July 12, 2023 20:06
@survived survived merged commit 16138a3 into m Jul 13, 2023
@survived survived deleted the fix-reconstruct-sk branch July 13, 2023 12:17
2 participants