Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Thor chain #206

Closed
wants to merge 69 commits into from
Closed

Thor chain #206

wants to merge 69 commits into from

Conversation

ghost
Copy link

@ghost ghost commented Sep 3, 2022

Thor chain

0xmountaintop and others added 30 commits November 3, 2020 15:29
error handlings in other places are of different style. This PR aims to make the error handling style more consistent
rename N2&modN2 in RangeProofAlice.Verify to same style in RangeProofAlice.Prove
* create security policy

* security: remove a para

* security: update the text
style(mta::RangeProofAlice): rename for more consistent var name
style: refactor crypto lib to consistent verification style
S in eddsa signature is not encoded correctly
* fix R and S may not be 32 bytes

* refactor according to review comments
* move curve into tss.Parameters

* regen proto with full package name

* pass curve through parameter

* add curve name in ecpoint json serialization
…/protobuf-name-clash

� Conflicts:
�	common/signature.pb.go
�	ecdsa/keygen/ecdsa-keygen.pb.go
�	ecdsa/keygen/local_party_test.go
�	ecdsa/resharing/ecdsa-resharing.pb.go
�	ecdsa/signing/ecdsa-signing.pb.go
�	eddsa/keygen/eddsa-keygen.pb.go
�	eddsa/resharing/eddsa-resharing.pb.go
�	eddsa/signing/eddsa-signing.pb.go
�	go.mod
�	protob/ecdsa-keygen.proto
�	protob/ecdsa-resharing.proto
�	protob/ecdsa-signing.proto
�	protob/eddsa-keygen.proto
�	protob/eddsa-resharing.proto
�	protob/eddsa-signing.proto
�	tss/message.pb.go
Updated protobuf dependency and fixed type clash
yycen and others added 29 commits November 12, 2021 17:35
We need to ensure that:
- all indexes are non-zero,
- all indexes are non-zero modulo the curve order,
- all indexes are unique modulo the curve order.

The first two are guarded in `CheckIndexes` function by:

```
vMod := new(big.Int).Mod(v, ec.Params().N)
if vMod.Cmp(zero) == 0 {
return nil, errors.New("party index should not be 0")
}
```

The last one is guarded by:
```
vModStr := vMod.String()
if _, ok := visited[vModStr]; ok {
return nil, fmt.Errorf("duplicate indexes %s", vModStr)
}
visited[vModStr] = struct{}{}
```

`CheckIndexes` was additionally normalizing identifiers mod elliptic curve order.
This was not really needed and could cause problems during signing.
Do not normalize IDs of Shamir's Secret Sharing
* Panic when save data and sortedIDs not match

* Check Ks when computing Lagrange coefs
Add checks in dlnproof [TOB-BIN-8]
Generating DKG pre-parameters is a computationally expensive operation.
As `GeneratePreParams` documentation explains, it is recommended to do it out of
band. Keep ECDSA (TBTC) client has a pre-parameters pool from which the DKG
process pulls pre-parameters to do not have the entire group wait with kicking
off DKG until pre-parameters are generated. This approach was sufficient for
TBTC v1 when signing groups were 3-of-3. For TBTC v2, we need much larger
signing groups (51-of-100) and for clients having multiple seats in the signing
group, generating multiple pre-parameters in a row eliminates other processes
run by the client from the access to the CPU.

To fix this problem, we plan to run pre-parameters generator only when no other
processes are currently executed by the client. That is, when the client would
normally be idle, it will keep generating pre-parameters and when the client
starts a protocol execution (e.g. DKG), pre-parameters generation should be
stopped.

GeneratePreParams allows specifying a timeout which is really helpful but is not
enough in this case. We want to stop the generator immediately when some
protocol is about to start.

To achieve it, the code has been refactored to accept a context as a parameter
of all long-running generator functions. The context can be canceled or can be
constructed in such a way that it times out after a certain time. To achieve
backward compatibility, GeneratePreParams signature does not change and a new
function accepting the context GeneratePreParamsWithContext has been introduced.
10ms delta was too aggresive - it was fine for local dev environment on
Apple M1 but CI builds based on GitHub Actions kept failing. Increased
to 1s.
Allow to stop pre-parameters generator with a context
update README.md to match the new version
* Add check in mta_proof

* go fmt on range_proof.go

This reverts commit 4871684.
* Cherrypick child key derivation (#140)

* Cherrypick child_key_derivation from SwingbyProtocol
https://github.com/SwingbyProtocol/tss-lib/pull/6/files#diff-e663957d1112b8c89bb7a782fe1cebe0d5e4d84a17861ae5af5cc0b59d1dbf56

* Add serialization to child key derivation
add test case from github.com/btcsuite/hdkeychain

* Making ec as parameter in key_derivation_util

* Add version string to extendedkey, to comply with BIP32

* specify curve in NewExtendedKey

* pass curve in DeriveChildKey

* amend the HD cherry pick not to break the existing API of NewLocalParty

* FillBytes not available in go 1.13

Fix test using FillBytes

Co-authored-by: ycen <[email protected]>
Co-authored-by: FitzLu <[email protected]>
…203)

* Benchmark tests for DLN proof verification

The DLN proof verification is one of the most expensive parts of the key
generation protocol. This benchmark allows to check how expensive the
Validate call is.

* Control the concurrency level when verifying DLN proofs

Control the concurrency level when verifying DLN proofs

Verification of discrete logarithm proofs is the most expensive part of
threshold ECDSA key generation for large groups. In round 2 of key generation,
the local party needs to verify proofs received from all other parties. The cost
of a call to `dlnProof.Verify` measured on Darwin/arm64 Apple M1 max is
341758528 ns/op - see `BenchmarkDLNProofVerification`. There are two proofs that
need to be verified during the key generation so assuming there are two cores
available exclusively for this work, the verification of 100 messages takes
about 35 seconds. For a group size of 1000, the verification takes about 350
seconds. The verification is performed in separate goroutines with no control
over the number of goroutines created. When executing the protocol locally,
during the development, for a group size of 100, 100*99*2 = 19 800 goroutines
for DLN proof verification are created more or less at the same time. Even such
a powerful CPU as Apple M1 Max struggles with computing the proofs - it takes
more than 16 minutes on all available cores and all other processes are starved.

To optimize the code to allow it to be executed for larger groups, the number of
goroutines created at the same time for DLN proof verification is throttled so
that all other processes are not perpetually denied necessary CPU time to
perform their work. This is achieved by introducing the `DlnProofVerifier` that
limits the concurrency level, by default to the number of CPUs (cores) available.

* Added benchmarks for DlnProofVerifier functions

The benchmarks are promising and shows the the validator does not add any
significant overhead over the DLN verification itself:

BenchmarkDlnProof_Verify-10                3	 342581417 ns/op	1766010 B/op	3790 allocs/op
BenchmarkDlnVerifier_VerifyProof1-10       3	 342741028 ns/op	1859093 B/op	4320 allocs/op
BenchmarkDlnVerifier_VerifyProof2-10       3	 341878361 ns/op	1851984 B/op	4311 allocs/op

* Allow configuring key generation concurrency in params

The concurrency defaults to `GOMAXPROCS` and can be updated with a call to
`SetConcurrency`. The concurrency level is applied to the pre-params generator
and DLN proof validator. Since there are two optional values now when
constructing parameters, instead of passing safe prime gen timeout as the last
value of `NewParameters`, all expected parameters should be configured with
`Set*` functions.

* Use DLN verifier for resharing protocol

DLN proof verification is the most computationally expensive operation of the
protocol when working in large groups. DLN verifier allows to throttle the
number of goroutines verifying the proofs at the same time so that other
processes do not get starved. DLN verifier is already applied to key generation
protocol. Here, it is getting applied to resharing as well.

* Always expect concurrency level to be passed to NewDlnProofVerifier

The concurrency level is now available in all rounds constructing the
verifier and the optional concurrency feature is never used.

* Ensure that the concurrency level is non-zero

`tss.NewParameters` is not validating provided values and I did not want to make
a breaking change there. Instead, I added a comment to `SetConcurrency` and
added a panic in the DLN proof verifier ensuring the protocol fails with a clear
message instead of hanging. This is aligned with how
`keygen.GeneratePreParamsWithContext` deals with an invalid value for
`optionalConcurrency` param.

* Log on DEBUG level concurrency level for DLN verification
* ECDSA protocol security updates

* Update proofs.go

* Limit y in Mta in range and prove

* Add checks in proofFac

* Add checks in MtA

* Remove unnecessary assignments

* Update unbiased reject sample

* Make compatible for old parties with no facProof

* Revert "Make compatible for old parties with no facProof"

This reverts commit 4c9fa88.

* Revised compatible for old parties with no facProof

* Update facProof condition test

* Allow empty proofFac, roll back rejectSample for compatibility

---------

Co-authored-by: Wan Ziyi <[email protected]>
* Add modProof in ECDSA-keygen

* Reduce test param to reduce github workflow load

* Add test fixtures

* Fix EDDSA keygen example

* Restore test fixtures

* Compress modproof

* use warning instead of fatal in logger to prevent panic

* Add more checks in range proof

* Regenerate preparams for older version

* Reset test params and regenerate fixtures

* Update ecdsa-resharing with Paillier key proofs

* Add a switch to optional turn off Pai key proofs

* Update README for caution of preparams updated

* add: ecdsa proof session byte

---------

Co-authored-by: ycen <[email protected]>
Co-authored-by: ZhAnGeek <[email protected]>
* Update dependencies

* fix: compatibility of end channel output shift to pointer (#271)

Co-authored-by: ZhAnGeek <[email protected]>

* upgrade dependencies version

* Clean code

---------

Co-authored-by: ZhAnGeek <[email protected]>
Co-authored-by: ZhAnGeek <[email protected]>
Co-authored-by: asdfsx <[email protected]>
style: refactor to more consistent error handlings style
@ZhAnGeek ZhAnGeek closed this Jan 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.