Return Option in more places

synedrion/src/cggmp21/entities.rs

@@ -187,10 +187,10 @@ impl<P: SchemeParams, I: Clone + Ord + PartialEq + Debug> KeyShare<P, I> {
     }
 
     /// Return the verifying key to which this set of shares corresponds.
-    pub fn verifying_key(&self) -> VerifyingKey {
+    pub fn verifying_key(&self) -> Option<VerifyingKey> {
         // TODO (#5): need to ensure on creation of the share that the verifying key actually exists
         // (that is, the sum of public keys does not evaluate to the infinity point)
-        self.verifying_key_as_point().to_verifying_key().unwrap()
+        self.verifying_key_as_point().to_verifying_key()
     }
 
     /// Returns the owner of this key share.
@@ -338,7 +338,8 @@ where
                 let hat_s = RandomizerMod::random(rng, &public_keys[&id_j]).retrieve();
                 let hat_r = RandomizerMod::random(rng, pk_i).retrieve();
 
-                let hat_cap_d = &all_cap_k[id_j] * P::signed_from_scalar(x_i.expose_secret())
+                let hat_cap_d = &all_cap_k[id_j]
+                    * P::signed_from_scalar(x_i.expose_secret()).unwrap()
                     + CiphertextMod::new_with_randomizer_signed(
                         &public_keys[&id_j],
                         &-hat_beta,
@@ -390,8 +391,8 @@ where
                 .iter()
                 .filter(|id| id != &&id_i)
                 .map(|id_j| {
-                    P::signed_from_scalar(key_shares[id_j].secret_share.expose_secret())
-                        * P::signed_from_scalar(&k_i)
+                    P::signed_from_scalar(key_shares[id_j].secret_share.expose_secret()).unwrap()
+                        * P::signed_from_scalar(&k_i).unwrap()
                         - hat_betas[&(id_j.clone(), id_i.clone())]
                 })
                 .sum();
@@ -401,8 +402,8 @@ where
                 .filter(|id| id != &&id_i)
                 .map(|id_j| hat_betas[&(id_i.clone(), id_j.clone())])
                 .sum();
-            let product_share_nonreduced = P::signed_from_scalar(x_i.expose_secret())
-                * P::signed_from_scalar(&k_i)
+            let product_share_nonreduced = P::signed_from_scalar(x_i.expose_secret()).unwrap()
+                * P::signed_from_scalar(&k_i).unwrap()
                 + alpha_sum
                 + beta_sum;
 
@@ -447,6 +448,6 @@ mod tests {
             KeyShare::<TestParams, VerifyingKey>::new_centralized(&mut OsRng, &ids, Some(&sk));
         assert!(shares
             .values()
-            .all(|share| &share.verifying_key() == sk.verifying_key()));
+            .all(|share| &share.verifying_key().unwrap() == sk.verifying_key()));
     }
 }

synedrion/src/cggmp21/params.rs

@@ -112,14 +112,21 @@ pub trait SchemeParams: Debug + Clone + Send + PartialEq + Eq + Send + Sync + 's
     }
 
     /// Converts a curve scalar to the associated integer type, wrapped in `Bounded`.
-    fn bounded_from_scalar(value: &Scalar) -> Bounded<<Self::Paillier as PaillierParams>::Uint> {
+    fn bounded_from_scalar(
+        value: &Scalar,
+    ) -> Option<Bounded<<Self::Paillier as PaillierParams>::Uint>> {
         const ORDER_BITS: u32 = ORDER.bits_vartime();
-        Bounded::new(Self::uint_from_scalar(value), ORDER_BITS).unwrap()
+        Bounded::new(Self::uint_from_scalar(value), ORDER_BITS)
     }
 
     /// Converts a curve scalar to the associated integer type, wrapped in `Signed`.
-    fn signed_from_scalar(value: &Scalar) -> Signed<<Self::Paillier as PaillierParams>::Uint> {
-        Self::bounded_from_scalar(value).into_signed().unwrap()
+    /// Returns `None` if:
+    /// - the bound provided by [`ORDER_BITS`] is invalid for the associated integer type from [`PaillierParams`];
+    /// - the scalar value encodes a negative value
+    fn signed_from_scalar(
+        value: &Scalar,
+    ) -> Option<Signed<<Self::Paillier as PaillierParams>::Uint>> {
+        Self::bounded_from_scalar(value).and_then(Bounded::into_signed)
     }
 
     /// Converts an integer to the associated curve scalar type.

synedrion/src/cggmp21/protocols/interactive_signing.rs

@@ -346,7 +346,7 @@ mod tests {
         for signature in signatures.values() {
             let (sig, rec_id) = signature.to_backend();
 
-            let vkey = key_shares[&Id(0)].verifying_key();
+            let vkey = key_shares[&Id(0)].verifying_key().unwrap();
 
             // Check that the signature can be verified
             vkey.verify_prehash(&message.to_bytes(), &sig).unwrap();

synedrion/src/cggmp21/protocols/presigning.rs

@@ -180,7 +180,7 @@
         let aux = (&self.context.ssid_hash, &destination);
         let psi0 = EncProof::new(
             rng,
-            &P::signed_from_scalar(&self.context.k),
+            &P::signed_from_scalar(&self.context.k).unwrap(),
             &self.context.rho,
             self.context.aux_info.secret_aux.paillier_sk.public_key(),
             &self.cap_k,
@@ -357,7 +357,8 @@
 
         let cap_f =
             CiphertextMod::new_with_randomizer_signed(pk, beta.expose_secret(), &r.retrieve());
-        let cap_d = &self.all_cap_k[destination] * P::signed_from_scalar(&self.context.gamma)
+        let cap_d = &self.all_cap_k[destination]
+            * P::signed_from_scalar(&self.context.gamma).unwrap()
             + CiphertextMod::new_with_randomizer_signed(
                 target_pk,
                 &-beta.expose_secret(),
@@ -370,7 +371,7 @@
             &hat_r.retrieve(),
         );
         let hat_cap_d = &self.all_cap_k[destination]
-            * P::signed_from_scalar(self.context.key_share.secret_share.expose_secret())
+            * P::signed_from_scalar(self.context.key_share.secret_share.expose_secret()).unwrap()
             + CiphertextMod::new_with_randomizer_signed(
                 target_pk,
                 &-hat_beta.expose_secret(),
@@ -382,7 +383,7 @@
 
         let psi = AffGProof::new(
             rng,
-            &P::signed_from_scalar(&self.context.gamma),
+            &P::signed_from_scalar(&self.context.gamma).unwrap(),
             &beta,
             s.clone(),
             r.clone(),
@@ -398,7 +399,7 @@
 
         let hat_psi = AffGProof::new(
             rng,
-            &P::signed_from_scalar(self.context.key_share.secret_share.expose_secret()),
+            &P::signed_from_scalar(self.context.key_share.secret_share.expose_secret()).unwrap(),
             &hat_beta,
             hat_s.clone(),
             hat_r.clone(),
@@ -414,7 +415,7 @@
 
         let hat_psi_prime = LogStarProof::new(
             rng,
-            &P::signed_from_scalar(&self.context.gamma),
+            &P::signed_from_scalar(&self.context.gamma).unwrap(),
             &self.context.nu,
             pk,
             &self.all_cap_g[self.my_id()],
@@ -556,8 +557,8 @@
 
         let alpha_sum: Signed<_> = payloads.values().map(|p| p.alpha).sum();
         let beta_sum: Signed<_> = artifacts.values().map(|p| p.beta.expose_secret()).sum();
-        let delta = P::signed_from_scalar(&self.context.gamma)
-            * P::signed_from_scalar(&self.context.k)
+        let delta = P::signed_from_scalar(&self.context.gamma).unwrap()
+            * P::signed_from_scalar(&self.context.k).unwrap()
             + alpha_sum
             + beta_sum;
 
@@ -567,7 +568,8 @@
             .map(|artifact| artifact.hat_beta.expose_secret())
             .sum();
         let chi = P::signed_from_scalar(self.context.key_share.secret_share.expose_secret())
-            * P::signed_from_scalar(&self.context.k)
+            .unwrap()
+            * P::signed_from_scalar(&self.context.k).unwrap()
             + hat_alpha_sum
             + hat_beta_sum;
 
@@ -652,7 +654,7 @@
 
         let psi_pprime = LogStarProof::new(
             rng,
-            &P::signed_from_scalar(&self.context.k),
+            &P::signed_from_scalar(&self.context.k).unwrap(),
             &self.context.rho,
             pk,
             &self.all_cap_k[self.my_id()],
@@ -784,7 +786,7 @@
 
                 let p_aff_g = AffGProof::<P>::new(
                     rng,
-                    &P::signed_from_scalar(&self.context.gamma),
+                    &P::signed_from_scalar(&self.context.gamma).unwrap(),
                     beta,
                     s.to_mod(target_pk),
                     r.to_mod(pk),
@@ -816,12 +818,13 @@
         // Mul proof
 
         let rho = RandomizerMod::random(rng, pk);
-        let cap_h = (&self.all_cap_g[self.my_id()] * P::bounded_from_scalar(&self.context.k))
-            .mul_randomizer(&rho.retrieve());
+        let cap_h = (&self.all_cap_g[self.my_id()]
+            * P::bounded_from_scalar(&self.context.k).unwrap())
+        .mul_randomizer(&rho.retrieve());
 
         let p_mul = MulProof::<P>::new(
             rng,
-            &P::signed_from_scalar(&self.context.k),
+            &P::signed_from_scalar(&self.context.k).unwrap(),
             &self.context.rho,
             &rho,
             pk,

synedrion/src/cggmp21/protocols/signing.rs

@@ -186,7 +186,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
 
                 let p_aff_g = AffGProof::<P>::new(
                     rng,
-                    &P::signed_from_scalar(self.inputs.key_share.secret_share.expose_secret()),
+                    &P::signed_from_scalar(self.inputs.key_share.secret_share.expose_secret())
+                        .unwrap(),
                     &values.hat_beta,
                     values.hat_s.to_mod(target_pk),
                     values.hat_r.to_mod(pk),
@@ -221,8 +222,9 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
         let cap_x = self.inputs.key_share.public_shares[&my_id];
 
         let rho = RandomizerMod::random(rng, pk);
-        let hat_cap_h = (&self.inputs.presigning.cap_k * P::bounded_from_scalar(x.expose_secret()))
-            .mul_randomizer(&rho.retrieve());
+        let hat_cap_h = (&self.inputs.presigning.cap_k
+            * P::bounded_from_scalar(x.expose_secret()).unwrap())
+        .mul_randomizer(&rho.retrieve());
 
         let aux = (&self.ssid_hash, &my_id);
 
@@ -231,7 +233,7 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
         for id_l in self.other_ids() {
             let p_mul = MulStarProof::<P>::new(
                 rng,
-                &P::signed_from_scalar(x.expose_secret()),
+                &P::signed_from_scalar(x.expose_secret()).unwrap(),
                 &rho,
                 pk,
                 &self.inputs.presigning.cap_k,
@@ -263,8 +265,8 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
 
         let r = self.inputs.presigning.nonce;
 
-        let ciphertext = ciphertext * P::bounded_from_scalar(&r)
-            + &self.inputs.presigning.cap_k * P::bounded_from_scalar(&self.inputs.message);
+        let ciphertext = ciphertext * P::bounded_from_scalar(&r).unwrap()
+            + &self.inputs.presigning.cap_k * P::bounded_from_scalar(&self.inputs.message).unwrap();
 
         let rho = ciphertext.derive_randomizer(sk);
         // This is the same as `s_part` but if all the calculations were performed
@@ -274,8 +276,10 @@ impl<P: SchemeParams, I: Debug + Clone + Ord + Serialize> FinalizableToResult<I>
                 .presigning
                 .ephemeral_scalar_share
                 .expose_secret(),
-        ) * P::signed_from_scalar(&self.inputs.message)
-            + self.inputs.presigning.product_share_nonreduced * P::signed_from_scalar(&r);
+        )
+        .unwrap()
+            * P::signed_from_scalar(&self.inputs.message).unwrap()
+            + self.inputs.presigning.product_share_nonreduced * P::signed_from_scalar(&r).unwrap();
 
         let mut dec_proofs = Vec::new();
         for id_l in self.other_ids() {
@@ -399,7 +403,7 @@ mod tests {
         message: &Scalar,
     ) {
         let (sig, rec_id) = signature.to_backend();
-        let vkey = key_shares[&Id(0)].verifying_key();
+        let vkey = key_shares[&Id(0)].verifying_key().unwrap();
 
         // Check that the signature can be verified
         vkey.verify_prehash(&message.to_bytes(), &sig).unwrap();

synedrion/src/curve/arithmetic.rs

@@ -63,6 +63,7 @@ impl Scalar {
         Point::GENERATOR * self
     }
 
+    /// Invert the [`Scalar`]. Returns [`None`] if the scalar is zero.
     pub fn invert(&self) -> CtOption<Self> {
         self.0.invert().map(Self)
     }
@@ -183,6 +184,8 @@ impl Point {
         Self(key.as_affine().into())
     }
 
+    /// Convert a [`Point`] to a [`VerifyingKey`] wrapped in an [`Option`]. Returns [`None`] if the
+    /// `Point` is the point at infinity.
     pub fn to_verifying_key(self) -> Option<VerifyingKey> {
         VerifyingKey::from_affine(self.0.to_affine()).ok()
     }

synedrion/src/uint/bounded.rs

@@ -87,6 +87,11 @@ where
         self.bound as usize
     }
 
+    /// Creates a new [`Bounded`] wrapper around `T`, restricted to `bound`.
+    ///
+    /// Returns `None` if the bound is invalid, i.e.:
+    /// - The bound is bigger than a `T` can represent.
+    /// - The value of `T` is too big to be bounded by the provided bound.
     pub fn new(value: T, bound: u32) -> Option<Self> {
         if bound > T::BITS || value.bits() > bound {
             return None;

synedrion/src/www02/entities.rs

@@ -322,7 +322,7 @@ mod tests {
             nt_share0.secret_share.expose_secret() + nt_share1.secret_share.expose_secret(),
             Scalar::from(sk.as_nonzero_scalar())
         );
-        assert_eq!(&nt_share0.verifying_key(), sk.verifying_key());
-        assert_eq!(&nt_share1.verifying_key(), sk.verifying_key());
+        assert_eq!(&nt_share0.verifying_key().unwrap(), sk.verifying_key());
+        assert_eq!(&nt_share1.verifying_key().unwrap(), sk.verifying_key());
     }
 }

synedrion/src/www02/key_resharing.rs

@@ -122,7 +122,7 @@ impl<P: SchemeParams, I: Clone + Ord + Debug> FirstRound<I> for Round1<P, I> {
         let message_destinations = if inputs.old_holder.is_some() {
             // It is possible that a party is both an old holder and a new holder.
             // This will be processed separately.
-            let mut new_holders_except_me = inputs.new_holders.clone();
+            let mut new_holders_except_me = inputs.new_holders;
             new_holders_except_me.remove(&my_id);
             new_holders_except_me
         } else {
@@ -238,7 +238,7 @@ impl<P: SchemeParams, I: Clone + Ord + Debug> Round<I> for Round1<P, I> {
         direct_msg: Self::DirectMessage,
     ) -> Result<Self::Payload, <Self::Result as ProtocolResult>::ProvableError> {
         if let Some(new_holder) = self.new_holder.as_ref() {
-            if new_holder.inputs.old_holders.iter().any(|id| id == from) {
+            if new_holder.inputs.old_holders.contains(from) {
                 let public_subshare_from_poly = broadcast_msg
                     .public_polynomial
                     .evaluate(&self.new_share_ids[self.my_id()]);

synedrion/tests/sessions.rs

@@ -263,7 +263,7 @@ async fn interactive_signing() {
 
     for signature in signatures {
         let (sig, rec_id) = signature.to_backend();
-        let vkey = key_shares[&verifiers[0]].verifying_key();
+        let vkey = key_shares[&verifiers[0]].verifying_key().unwrap();
 
         // Check that the signature can be verified
         vkey.verify_prehash(message, &sig).unwrap();