Add verification step for round2_packages for refreshing shares with …

…DKG (#663)
ZcashFoundation · Nov 7, 2024 · 49c1e9d · 49c1e9d
1 parent b8d9a54
commit 49c1e9d
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 5 deletions.
diff --git a/frost-core/src/keys/refresh.rs b/frost-core/src/keys/refresh.rs
@@ -8,7 +8,7 @@ use alloc::collections::BTreeMap;
 use alloc::vec::Vec;
 
 use crate::{
-    keys::dkg::{compute_proof_of_knowledge, round1, round2},
+    keys::dkg::{compute_proof_of_knowledge, round1, round2, verify_proof_of_knowledge},
     keys::{
         evaluate_polynomial, generate_coefficients, generate_secret_polynomial,
         generate_secret_shares, validate_num_of_signers, CoefficientCommitment, PublicKeyPackage,
@@ -297,11 +297,24 @@ pub fn refresh_dkg_shares<C: Ciphersuite>(
         let ell = *sender_identifier;
         let f_ell_i = round2_package.signing_share;
 
-        let commitment = &round1_packages
+        let commitment = &new_round_1_packages
             .get(&ell)
             .ok_or(Error::PackageNotFound)?
             .commitment;
 
+        // The verification is exactly the same as the regular SecretShare verification;
+        // however the required components are in different places.
+        // Build a temporary SecretShare so what we can call verify().
+        let secret_share = SecretShare {
+            header: Header::default(),
+            identifier: round2_secret_package.identifier,
+            signing_share: f_ell_i,
+            commitment: commitment.clone(),
+        };
+
+        // Verify the share. We don't need the result.
+        let _ = secret_share.verify()?;
+
         // Round 2, Step 3
         //
         // > Each P_i calculates their long-lived private signing share by computing
@@ -335,7 +348,8 @@ pub fn refresh_dkg_shares<C: Ciphersuite>(
     let mut new_verifying_shares = BTreeMap::new();
 
     for (identifier, verifying_share) in zero_shares_public_key_package.verifying_shares {
-        let new_verifying_share = verifying_share.to_element() + old_pub_key_package.verifying_shares[&identifier].to_element();
+        let new_verifying_share = verifying_share.to_element()
+            + old_pub_key_package.verifying_shares[&identifier].to_element();
         new_verifying_shares.insert(identifier, VerifyingShare::new(new_verifying_share));
     }
 

diff --git a/frost-core/src/tests/refresh.rs b/frost-core/src/tests/refresh.rs
@@ -345,7 +345,6 @@ where
             .remove(&participant_identifier)
             .unwrap();
         let round1_packages = &received_round1_packages[&participant_identifier];
-        // check_part2_error(round1_secret_package.clone(), round1_packages.clone()); // TODO
         let (round2_secret_package, round2_packages) =
             refresh_dkg_part2(round1_secret_package, round1_packages).expect("should work");
 
@@ -388,7 +387,6 @@ where
     // for each signature before being aggregated.
     let mut pubkey_packages_by_participant = BTreeMap::new();
 
-    // TODO
     check_part3_different_participants(
         max_signers,
         round2_secret_packages.clone(),

diff --git a/frost-ed25519/tests/integration_tests.rs b/frost-ed25519/tests/integration_tests.rs
@@ -180,6 +180,13 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
     >(max_signers, min_signers, &identifiers, error, rng);
 }
 
+#[test]
+fn check_refresh_shares_with_dkg() {
+    let rng = thread_rng();
+
+    frost_core::tests::refresh::check_refresh_shares_with_dkg::<Ed25519Sha512, _>(rng);
+}
+
 #[test]
 fn check_sign_with_dealer() {
     let rng = thread_rng();

diff --git a/frost-ed448/tests/integration_tests.rs b/frost-ed448/tests/integration_tests.rs
@@ -180,6 +180,32 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
     >(max_signers, min_signers, &identifiers, error, rng);
 }
 
+#[test]
+fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
+    let rng = thread_rng();
+    let identifiers = vec![
+        Identifier::try_from(8).unwrap(),
+        Identifier::try_from(3).unwrap(),
+        Identifier::try_from(4).unwrap(),
+        Identifier::try_from(6).unwrap(),
+    ];
+    let min_signers = 2;
+    let max_signers = 4;
+    let error = Error::UnknownIdentifier;
+
+    frost_core::tests::refresh::check_refresh_shares_with_dealer_fails_with_invalid_signers::<
+        Ed448Shake256,
+        _,
+    >(max_signers, min_signers, &identifiers, error, rng);
+}
+
+#[test]
+fn check_refresh_shares_with_dkg() {
+    let rng = thread_rng();
+
+    frost_core::tests::refresh::check_refresh_shares_with_dkg::<Ed448Shake256, _>(rng);
+}
+
 #[test]
 fn check_sign_with_dealer() {
     let rng = thread_rng();

diff --git a/frost-p256/tests/integration_tests.rs b/frost-p256/tests/integration_tests.rs
@@ -180,6 +180,13 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
     >(max_signers, min_signers, &identifiers, error, rng);
 }
 
+#[test]
+fn check_refresh_shares_with_dkg() {
+    let rng = thread_rng();
+
+    frost_core::tests::refresh::check_refresh_shares_with_dkg::<P256Sha256, _>(rng);
+}
+
 #[test]
 fn check_sign_with_dealer() {
     let rng = thread_rng();

diff --git a/frost-secp256k1/tests/integration_tests.rs b/frost-secp256k1/tests/integration_tests.rs
@@ -180,6 +180,13 @@ fn check_refresh_shares_with_dealer_fails_with_invalid_identifier() {
     >(max_signers, min_signers, &identifiers, error, rng);
 }
 
+#[test]
+fn check_refresh_shares_with_dkg() {
+    let rng = thread_rng();
+
+    frost_core::tests::refresh::check_refresh_shares_with_dkg::<Secp256K1Sha256, _>(rng);
+}
+
 #[test]
 fn check_sign_with_dealer() {
     let rng = thread_rng();