Add a switch to optional turn off Pai key proofs

bnb-chain · Aug 18, 2023 · e8bfbd4 · e8bfbd4
1 parent 1f7785a
commit e8bfbd4
Show file tree

Hide file tree

Showing 11 changed files with 112 additions and 33 deletions.
diff --git a/crypto/ecpoint.go b/crypto/ecpoint.go
@@ -61,7 +61,10 @@ func (p *ECPoint) Add(p1 *ECPoint) (*ECPoint, error) {
 
 func (p *ECPoint) ScalarMult(k *big.Int) *ECPoint {
 	x, y := p.curve.ScalarMult(p.X(), p.Y(), k.Bytes())
-	newP, _ := NewECPoint(p.curve, x, y) // it must be on the curve, no need to check.
+	newP, err := NewECPoint(p.curve, x, y) // it must be on the curve, no need to check.
+	if err != nil {
+		panic(fmt.Errorf("scalar mult to an ecpoint %s", err.Error()))
+	}
 	return newP
 }
 
@@ -103,7 +106,10 @@ func (p *ECPoint) EightInvEight() *ECPoint {
 
 func ScalarBaseMult(curve elliptic.Curve, k *big.Int) *ECPoint {
 	x, y := curve.ScalarBaseMult(k.Bytes())
-	p, _ := NewECPoint(curve, x, y) // it must be on the curve, no need to check.
+	p, err := NewECPoint(curve, x, y) // it must be on the curve, no need to check.
+	if err != nil {
+		panic(fmt.Errorf("scalar mult to an ecpoint %s", err.Error()))
+	}
 	return p
 }
 

diff --git a/crypto/modproof/proof.go b/crypto/modproof/proof.go
@@ -228,12 +228,16 @@ func (pf *ProofMod) Bytes() [ProofModBytesParts][]byte {
 	bzs := [ProofModBytesParts][]byte{}
 	bzs[0] = pf.W.Bytes()
 	for i := range pf.X {
-		bzs[1+i] = pf.X[i].Bytes()
+		if pf.X[i] != nil {
+			bzs[1+i] = pf.X[i].Bytes()
+		}
 	}
 	bzs[Iterations+1] = pf.A.Bytes()
 	bzs[Iterations+2] = pf.B.Bytes()
 	for i := range pf.Z {
-		bzs[Iterations+3+i] = pf.Z[i].Bytes()
+		if pf.Z[i] != nil {
+			bzs[Iterations+3+i] = pf.Z[i].Bytes()
+		}
 	}
 	return bzs
 }
diff --git a/ecdsa/keygen/local_party_test.go b/ecdsa/keygen/local_party_test.go
@@ -193,6 +193,10 @@ func TestE2EConcurrentAndSaveFixtures(t *testing.T) {
 	for i := 0; i < len(pIDs); i++ {
 		var P *LocalParty
 		params := tss.NewParameters(tss.S256(), p2pCtx, pIDs[i], len(pIDs), threshold)
+		// do not use in untrusted setting
+		params.SetNoProofMod()
+		// do not use in untrusted setting
+		params.SetNoProofFac()
 		if i < len(fixtures) {
 			P = NewLocalParty(params, outCh, endCh, fixtures[i].LocalPreParams).(*LocalParty)
 		} else {

diff --git a/ecdsa/keygen/round_2.go b/ecdsa/keygen/round_2.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"github.com/bnb-chain/tss-lib/crypto/facproof"
 	"github.com/bnb-chain/tss-lib/crypto/modproof"
+	"math/big"
 	"sync"
 
 	"github.com/bnb-chain/tss-lib/common"
@@ -113,10 +114,16 @@ func (round *round2) Start() *tss.Error {
 	shares := round.temp.shares
 	for j, Pj := range round.Parties().IDs() {
 
-		facProof, err := facproof.NewProof(round.EC(), round.save.PaillierSK.N, round.save.NTildej[j],
-			round.save.H1j[j], round.save.H2j[j], round.save.PaillierSK.P, round.save.PaillierSK.Q)
-		if err != nil {
-			return round.WrapError(err, round.PartyID())
+		facProof := &facproof.ProofFac{P: zero, Q: zero, A: zero, B: zero, T: zero, Sigma: zero,
+			Z1: zero, Z2: zero, W1: zero, W2: zero, V: zero}
+		if !round.Params().NoProofFac() {
+			var err error
+			facProof, err = facproof.NewProof(round.EC(), round.save.PaillierSK.N, round.save.NTildej[j],
+				round.save.H1j[j], round.save.H2j[j], round.save.PaillierSK.P, round.save.PaillierSK.Q)
+			if err != nil {
+				return round.WrapError(err, round.PartyID())
+			}
+
 		}
 		r2msg1 := NewKGRound2Message1(Pj, round.PartyID(), shares[j], facProof)
 		// do not send to this Pj, but store for round 3
@@ -128,10 +135,14 @@ func (round *round2) Start() *tss.Error {
 	}
 
 	// 7. BROADCAST de-commitments of Shamir poly*G
-	modProof, err := modproof.NewProof(round.save.PaillierSK.N,
-		round.save.PaillierSK.P, round.save.PaillierSK.Q)
-	if err != nil {
-		return round.WrapError(err, round.PartyID())
+	modProof := &modproof.ProofMod{W: zero, X: *new([80]*big.Int), A: zero, B: zero, Z: *new([80]*big.Int)}
+	if !round.Parameters.NoProofMod() {
+		var err error
+		modProof, err = modproof.NewProof(round.save.PaillierSK.N,
+			round.save.PaillierSK.P, round.save.PaillierSK.Q)
+		if err != nil {
+			return round.WrapError(err, round.PartyID())
+		}
 	}
 	r2msg2 := NewKGRound2Message2(round.PartyID(), round.temp.deCommitPolyG, modProof)
 	round.temp.kgRound2Message2s[i] = r2msg2

diff --git a/ecdsa/keygen/round_3.go b/ecdsa/keygen/round_3.go
@@ -83,11 +83,15 @@ func (round *round3) Start() *tss.Error {
 				return
 			}
 			modProof, err := r2msg2.UnmarshalModProof()
-			if err != nil {
+			if err != nil && round.Parameters.NoProofMod() {
 				// For old parties, the modProof could be not exist
 				// Not return error for compatibility reason
 				common.Logger.Warningf("modProof not exist:%s", Ps[j])
 			} else {
+				if err != nil {
+					ch <- vssOut{errors.New("modProof verify failed"), nil}
+					return
+				}
 				if ok = modProof.Verify(round.save.PaillierPKs[j].N); !ok {
 					ch <- vssOut{errors.New("modProof verify failed"), nil}
 					return
@@ -104,11 +108,15 @@ func (round *round3) Start() *tss.Error {
 				return
 			}
 			facProof, err := r2msg1.UnmarshalFacProof()
-			if err != nil {
+			if err != nil && round.NoProofFac() {
 				// For old parties, the facProof could be not exist
 				// Not return error for compatibility reason
-				common.Logger.Fatalf("facProof not exist:%s", Ps[j])
+				common.Logger.Warningf("facProof not exist:%s", Ps[j])
 			} else {
+				if err != nil {
+					ch <- vssOut{errors.New("facProof verify failed"), nil}
+					return
+				}
 				if ok = facProof.Verify(round.EC(), round.save.PaillierPKs[j].N, round.save.NTildei,
 					round.save.H1i, round.save.H2i); !ok {
 					ch <- vssOut{errors.New("facProof verify failed"), nil}

diff --git a/ecdsa/resharing/local_party_test.go b/ecdsa/resharing/local_party_test.go
@@ -79,6 +79,10 @@ func TestE2EConcurrent(t *testing.T) {
 	// init the new parties
 	for j, pID := range newPIDs {
 		params := tss.NewReSharingParameters(tss.S256(), oldP2PCtx, newP2PCtx, pID, testParticipants, threshold, newPCount, newThreshold)
+		// do not use in untrusted setting
+		params.SetNoProofMod()
+		// do not use in untrusted setting
+		params.SetNoProofFac()
 		save := keygen.NewLocalPartySaveData(newPCount)
 		if j < len(fixtures) && len(newPIDs) <= len(fixtures) {
 			save.LocalPreParams = fixtures[j].LocalPreParams

diff --git a/ecdsa/resharing/messages.go b/ecdsa/resharing/messages.go
@@ -117,7 +117,8 @@ func NewDGRound2Message1(
 
 func (m *DGRound2Message1) ValidateBasic() bool {
 	return m != nil &&
-		common.NonEmptyMultiBytes(m.ModProof, modproof.ProofModBytesParts) &&
+		// use with NoProofFac()
+		// common.NonEmptyMultiBytes(m.ModProof, modproof.ProofModBytesParts) &&
 		common.NonEmptyBytes(m.PaillierN) &&
 		common.NonEmptyBytes(m.NTilde) &&
 		common.NonEmptyBytes(m.H1) &&
@@ -275,8 +276,9 @@ func NewDGRound4Message1(
 }
 
 func (m *DGRound4Message1) ValidateBasic() bool {
-	return m != nil &&
-		common.NonEmptyMultiBytes(m.GetFacProof(), facproof.ProofFacBytesParts)
+	return m != nil
+	// use with NoProofFac()
+	// && common.NonEmptyMultiBytes(m.GetFacProof(), facproof.ProofFacBytesParts)
 }
 
 func (m *DGRound4Message1) UnmarshalFacProof() (*facproof.ProofFac, error) {

diff --git a/ecdsa/resharing/round_2_new_step_1.go b/ecdsa/resharing/round_2_new_step_1.go
@@ -9,12 +9,17 @@ package resharing
 import (
 	"errors"
 	"github.com/bnb-chain/tss-lib/crypto/modproof"
+	"math/big"
 
 	"github.com/bnb-chain/tss-lib/crypto/dlnproof"
 	"github.com/bnb-chain/tss-lib/ecdsa/keygen"
 	"github.com/bnb-chain/tss-lib/tss"
 )
 
+var (
+	zero = big.NewInt(0)
+)
+
 func (round *round2) Start() *tss.Error {
 	if round.started {
 		return round.WrapError(errors.New("round already started"))
@@ -71,9 +76,13 @@ func (round *round2) Start() *tss.Error {
 	dlnProof1 := dlnproof.NewDLNProof(h1i, h2i, alpha, p, q, NTildei)
 	dlnProof2 := dlnproof.NewDLNProof(h2i, h1i, beta, p, q, NTildei)
 
-	modProof, err := modproof.NewProof(preParams.PaillierSK.N, preParams.PaillierSK.P, preParams.PaillierSK.Q)
-	if err != nil {
-		return round.WrapError(err, Pi)
+	modProof := &modproof.ProofMod{W: zero, X: *new([80]*big.Int), A: zero, B: zero, Z: *new([80]*big.Int)}
+	if !round.Parameters.NoProofMod() {
+		var err error
+		modProof, err = modproof.NewProof(preParams.PaillierSK.N, preParams.PaillierSK.P, preParams.PaillierSK.Q)
+		if err != nil {
+			return round.WrapError(err, Pi)
+		}
 	}
 	r2msg2, err := NewDGRound2Message1(
 		round.NewParties().IDs().Exclude(round.PartyID()), round.PartyID(),

diff --git a/ecdsa/resharing/round_4_new_step_2.go b/ecdsa/resharing/round_4_new_step_2.go
@@ -78,7 +78,9 @@ func (round *round4) Start() *tss.Error {
 			defer wg.Done()
 			modProof, err := r2msg1.UnmarshalModProof()
 			if err != nil {
-				paiProofCulprits[j] = msg.GetFrom()
+				if !round.Parameters.NoProofMod() {
+					paiProofCulprits[j] = msg.GetFrom()
+				}
 				common.Logger.Warningf("modProof verify failed for party %s", msg.GetFrom(), err)
 				return
 			}
@@ -213,10 +215,14 @@ func (round *round4) Start() *tss.Error {
 		if j == i {
 			continue
 		}
-		facProof, err := facproof.NewProof(round.EC(), round.save.PaillierSK.N, round.save.NTildej[j],
-			round.save.H1j[j], round.save.H2j[j], round.save.PaillierSK.P, round.save.PaillierSK.Q)
-		if err != nil {
-			return round.WrapError(err, Pi)
+		facProof := &facproof.ProofFac{P: zero, Q: zero, A: zero, B: zero, T: zero, Sigma: zero,
+			Z1: zero, Z2: zero, W1: zero, W2: zero, V: zero}
+		if !round.Parameters.NoProofFac() {
+			facProof, err = facproof.NewProof(round.EC(), round.save.PaillierSK.N, round.save.NTildej[j],
+				round.save.H1j[j], round.save.H2j[j], round.save.PaillierSK.P, round.save.PaillierSK.Q)
+			if err != nil {
+				return round.WrapError(err, Pi)
+			}
 		}
 		r4msg1 := NewDGRound4Message1(Pj, Pi, facProof)
 		round.out <- r4msg1

diff --git a/ecdsa/resharing/round_5_new_step_3.go b/ecdsa/resharing/round_5_new_step_3.go
@@ -47,14 +47,18 @@ func (round *round5) Start() *tss.Error {
 			}
 			r4msg1 := msg.Content().(*DGRound4Message1)
 			proof, err := r4msg1.UnmarshalFacProof()
-			if err != nil {
+			if err != nil && round.Parameters.NoProofFac() {
 				common.Logger.Warningf("facProof verify failed for party %s", msg.GetFrom(), err)
-				return round.WrapError(err, round.NewParties().IDs()[j])
-			}
-			if ok := proof.Verify(round.EC(), round.save.PaillierPKs[j].N, round.save.NTildei,
-				round.save.H1i, round.save.H2i); !ok {
-				common.Logger.Warningf("facProof verify failed for party %s", msg.GetFrom(), err)
-				return round.WrapError(err, round.NewParties().IDs()[j])
+			} else {
+				if err != nil {
+					common.Logger.Warningf("facProof verify failed for party %s", msg.GetFrom(), err)
+					return round.WrapError(err, round.NewParties().IDs()[j])
+				}
+				if ok := proof.Verify(round.EC(), round.save.PaillierPKs[j].N, round.save.NTildei,
+					round.save.H1i, round.save.H2i); !ok {
+					common.Logger.Warningf("facProof verify failed for party %s", msg.GetFrom(), err)
+					return round.WrapError(err, round.NewParties().IDs()[j])
+				}
 			}
 
 		}

diff --git a/tss/params.go b/tss/params.go
@@ -21,6 +21,11 @@ type (
 		threshold           int
 		concurrency         int
 		safePrimeGenTimeout time.Duration
+		// proof session info
+		nonce int
+		// for keygen
+		noProofMod bool
+		noProofFac bool
 	}
 
 	ReSharingParameters struct {
@@ -85,6 +90,22 @@ func (params *Parameters) SetSafePrimeGenTimeout(timeout time.Duration) {
 	params.safePrimeGenTimeout = timeout
 }
 
+func (params *Parameters) NoProofMod() bool {
+	return params.noProofMod
+}
+
+func (params *Parameters) NoProofFac() bool {
+	return params.noProofFac
+}
+
+func (params *Parameters) SetNoProofMod() {
+	params.noProofMod = true
+}
+
+func (params *Parameters) SetNoProofFac() {
+	params.noProofFac = true
+}
+
 // ----- //
 
 // Exported, used in `tss` client