TPKE integration, book refinements #62

Open · wants to merge 20 commits into main
1,133 changes: 711 additions & 422 deletions Cargo.lock

Large diffs are not rendered by default.
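Review bot: the Cargo.lock churn (711 additions, 422 deletions) is not rendered, so the transitive dependencies that are added or re-pinned by pulling `tpke` and `ferveo-common` into the workspace cannot be reviewed from this page; please run `cargo audit` (or `cargo deny check`) against the merged lockfile and list the newly introduced crates in the PR description, since the lockfile is what pins what actually gets built and signed off on.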

100 changes: 13 additions & 87 deletions Cargo.toml
@@ -1,97 +1,23 @@
[package]
name = "ferveo"
version = "0.1.0"
edition = "2018"
license = "AGPL-3.0"
repository = "https://gitlab.com/metastatedev/ferveo"
readme = "README.md"
description = "An implementation of a DKG protocol for front-running protection on public blockchains."
keywords = ["DKG"]
categories = ["cryptography"]
authors = ["Heliax AG <[email protected]>"]
[workspace]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
ark-poly-commit = "0.3"
ark-std = "0.3"
ark-pallas = "0.3"
ark-bls12-381 = "0.3"
ark-ec = "0.3"
ark-ff = "0.3"
ark-serialize = "0.3"
ark-poly = "0.3"
rand = "0.8"
rand_old = { package = "rand", version = "0.7" }
either = "1.6.1"
ff = "0.8"
hex = "0.4.2"
miracl_core = "2.3.0"
num = "0.4"
sha2 = "0.9.1"
ed25519-dalek = { version = "1", features = ["serde", "batch"] }
x25519-dalek = { version = "1.1", features = ["serde"] }
curve25519-dalek = { version = "3.0", features = ["serde"] }
serde = { version = "1.0", features = ["derive"] }
blake2 = "0.9.1"
rand_chacha = "0.3.0"
blake2b_simd = "0.5.11"
zeroize = { version = "1", default-features = false, features = ["zeroize_derive"] }
chacha20poly1305 = "0.8"
serde_bytes = { version = "0.11" }
bincode = "1.3"
anyhow = "1.0"
serde_json = "1.0"
borsh = "0.9"
subtle = "2.4"
itertools = "0.10.1"
measure_time = "0.7"
redjubjub = "0.4.0"
ark-ed-on-bls12-381 = "0.3.0"
group-threshold-cryptography = {path = "./tpke/"}

[dependencies.digest]
version = "0.9.0"
features = ["alloc"]

[dev-dependencies]
criterion = "=0.3.4"
pprof = { version = "0.4", features = ["flamegraph", "criterion"] }

# local override for bls12-381
#[patch.crates-io]
#bls12_381 = { git = 'https://github.com/A-Manning/bls12_381.git', branch = "ash/scalar-traits" }
members = [
"ferveo",
"ferveo-common",
"tpke"
]

[profile.bench]
opt-level = 3
debug = true
lto = true
codegen-units = 1

# Optimizations are needed such that the tests run in a reasonable timeframe
#[profile.test]
#opt-level = 3

[profile.release]
[profile.test]
opt-level = 3
debug = true

#[[bench]]
#name = "benchmarks"
#harness = false
#debug = true

[[example]]
name = "pvdkg"
[profile.release]
debug = true

#[[bench]]
#name = "pairing"
#harness = false
#debug = false

#[[bench]]
#name = "bench_main"
#harness = false

[[bench]]
name = "pvdkg"
path = "benches/benchmarks/pvdkg.rs"
harness = false
lto = true
codegen-units = 1
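Review bot: the new `[profile.test]` block with `opt-level = 3` drops the comment that previously justified it (`# Optimizations are needed such that the tests run in a reasonable timeframe`); keep that comment next to the new block, otherwise the next reader will wonder why tests are built optimized (debug assertions and overflow checks still apply under the test profile, so this is a build-time trade-off only). Two smaller points in the same hunk: `debug = true` under `[profile.release]` now ships full debug info with release builds of every workspace member, whereas before it was confined to `[profile.bench]`, so either move it back or add a comment saying it is intentional for profiling; and with the root manifest reduced to `[workspace]` plus profiles, the `license = "AGPL-3.0"`, `repository`, `description` and `authors` fields are no longer visible anywhere in this diff, so confirm they now live in `ferveo/Cargo.toml` for the published crate.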
120 changes: 0 additions & 120 deletions benches/benchmarks/pvdkg.rs

This file was deleted.
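Review bot: `benches/benchmarks/pvdkg.rs` is deleted outright together with the root `[[bench]] name = "pvdkg"` entry, and the diff does not show where (or whether) the PVDKG benchmark is re-homed under the `ferveo` workspace member; if it was moved, please say so in the PR description, and if it was dropped, the `criterion` and `pprof` dev-dependencies and the `[profile.bench]` settings that existed for it should either go too or be re-added in the member crate that now owns the benchmark.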

19 changes: 10 additions & 9 deletions book/src/dkg.md
Expand Up @@ -14,21 +14,22 @@ Some Publicly Verifiable DKG schemes, such as Groth21, produce field private key

In addition to the two independent generators \\(G \in \mathbb{G}_1\\) and \\(H \in \mathbb{G}_2\\), a third independent generator \\(\hat{u}_1 \in \mathbb{G}_2\\) is selected.

## Session keys
## Epoch keys

Each validator \\(i\\) generates a **session keypair** for the lifetime of the DKG: a decryption key \\(dk_i \in \mathbb{F}_r\\), and a signing key \\(sk_i\in \mathbb{F}_r \\).

The signing key is used for a signature of knowledge in the DKG and is independent of the Ed25519 identity used for signing messages in the protocol.

The public session keypair consists of an **encryption key** \\(ek_i \in \mathbb{G}_2\\) and a verification key \\(sk_i \in \mathbb{G}_1\\):
Each validator \\(i\\) generates a **epoch keypair**: a private decryption key \\(dk_i \in \mathbb{F}_r\\), and a public encryption key \\(ek_i\in \mathbb{G}_2 \\). The encryption key is derived from the decryption key:

\\[ek_i = [dk_i] H \\]
\\[vk_i = [sk_i] G \\]

Each validator is required to generate an epoch keypair at genesis, or upon joining the validator set. Each validator should generate and announce a new epoch public key once per epoch, but in the event that a validator does not announce a new epoch public key during an epoch, the last announced epoch public key should be used in the DKG. For this reason, each validator should persist their latest epoch private key on disk.

## Publicly Verifiable Secret Sharing

The validators, in decreasing order of number of key shares, each act as a dealer for exactly one PVSS instance until at least 2/3 by weight of key shares have successfully posted a verified correct PVSS instance to the blockchain. In case a dealer's PVSS instance does not verify as correct, that instance is discarded (and penalties may be imposed) and additional validators act as dealers until the 2/3 threshold is reached.
The validators should each generate exactly one PVSS instance as a dealer, and include that instance as a VoteExtension to a specially designated DKG block. The next block proposer is responsible for verifying and aggregating at least 2/3 by weight of PVSS instances, and including the aggregation in the next block.

For performance reasons, the aggregating validator may sort the PVSS instances by decreasing validator weight, and only include sufficient instances to reach the necessary 2/3 total weight. PVSS instances above the 2/3 weight threshold are ignored.

In case a dealer's PVSS instance does not verify as correct, that instance is discarded (and penalties may be imposed).

## Output

Once 2/3 by weight of dealers have posted correct PVSS instances, all of the correct instances are aggregated into a single PVSS instance. The commitment to the constant term of the aggregated PVSS instance, \\(F_0\\), is the public key output \\(Y\\) from the PVDKG, and each validators aggregated private key shares \\(Z_{i,\omega_j} \\) are the private key shares associated with \\(Y\\)
Once 2/3 by weight of correct PVSS instances have been aggregated into a single PVSS instance, the commitment to the constant term of the aggregated PVSS instance, \\(F_0\\), is the public key output \\(Y\\) from the PVDKG, and each validators aggregated private key shares \\(Z_{i,\omega_j} \\) are the private key shares associated with \\(Y\\)
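Review bot: the fallback rule added to the Epoch keys section (if a validator announces no new epoch key, the last announced one is reused) combined with the instruction to persist the latest epoch private key on disk means a single dk_i can decrypt that validator's PVSS shares for every epoch in which it failed to rotate, so a later compromise of the on-disk key exposes all of those epochs' shares; please state that consequence explicitly, say how the key file must be protected (file permissions, encryption at rest, zeroization of the old key once a new one is announced), and consider whether skipping rotation should be penalized rather than silently tolerated. In the PVSS section, the aggregator's selection (sort by decreasing weight, stop at 2/3, ignore the rest) is left to the proposer's discretion: specify a deterministic tie-break for equal weights and state that every other validator re-verifies the aggregated instance and the included set against the posted VoteExtensions, so the aggregation is reproducible and a proposer cannot pass off an unverified or partial aggregation in the next block. Wording in the added lines: "generates a **epoch keypair**" should read "an epoch keypair", "each validators aggregated private key shares" should be "each validator's", and the closing sentence of the Output section lacks a full stop.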