//! Key share

use std::ops;
use std::sync::Arc;

use generic_ec::{Curve, NonZero, Point, SecretScalar};
use paillier_zk::paillier_encryption_in_range as π_enc;
use paillier_zk::rug::{Complete, Integer};
use serde::{Deserialize, Serialize};
use thiserror::Error;

use crate::security_level::SecurityLevel;

#[doc(inline)]
pub use cggmp21_keygen::key_share::{
    CoreKeyShare as IncompleteKeyShare, DirtyCoreKeyShare as DirtyIncompleteKeyShare, DirtyKeyInfo,
    HdError, InvalidCoreShare as InvalidIncompleteKeyShare, KeyInfo, Valid, Validate,
    ValidateError, ValidateFromParts, VssSetup,
};

/// Key share
///
#[doc = include_str!("../docs/key_share.md")]
///
#[doc = include_str!("../docs/validated_key_share_note.md")]
#[doc = include_str!("../docs/validated_key_share_disclaimer.md")]
///
/// This is [`DirtyKeyShare`] wrapped in [`Valid`]. The checks performed are those of the
/// [`Validate`] impls for [`DirtyKeyShare`] and [`DirtyAuxInfo`] in this module.
pub type KeyShare<E, L = crate::default_choice::SecurityLevel> = Valid<DirtyKeyShare<E, L>>;

/// Auxiliary information
///
/// [`DirtyAuxInfo`] wrapped in [`Valid`]. It carries the signer's Paillier primes `p`, `q`
/// (and, optionally, CRT parameters derived from them), so the whole value is secret material.
pub type AuxInfo<L = crate::default_choice::SecurityLevel> = Valid<DirtyAuxInfo<L>>;

/// Dirty aux info
///
/// Unvalidated counterpart of [`AuxInfo`]. Holds the signer's Paillier secret key (`p`, `q`)
/// together with the auxiliary data of every party. `Serialize` is derived, so a serialized
/// value contains the secret primes and must be stored and transmitted as a secret.
#[derive(Clone, Serialize, Deserialize)]
#[serde(bound = "")]
pub struct DirtyAuxInfo<L: SecurityLevel = crate::default_choice::SecurityLevel> {
    /// Secret prime $p$
    pub p: Integer,
    /// Secret prime $q$
    pub q: Integer,
    /// Public auxiliary data of all parties sharing the key
    ///
    /// `parties[i]` corresponds to public auxiliary data of $\ith$ party
    ///
    /// Entries may additionally carry precomputed [`PartyAux::crt`] parameters, which are secret.
    pub parties: Vec<PartyAux>,
    /// Security level that was used to generate aux info
    ///
    /// Zero-sized marker skipped by serde: a deserialized value takes whatever `L` the caller
    /// asks for, and [`Validate::is_valid`] re-checks the Paillier key sizes against it.
    #[serde(skip)]
    pub security_level: std::marker::PhantomData<L>,
}

/// Dirty (unvalidated) key share
///
#[doc = include_str!("../docs/key_share.md")]
///
/// Combines the core share (generic over curve `E`) with the Paillier auxiliary data. Use
/// [`Validate`] / [`ValidateFromParts`] to obtain a [`KeyShare`]; validation also checks that
/// the two parts are consistent (same number of parties, and $N_i = p q$ for the signer's entry).
#[derive(Clone, Serialize, Deserialize)]
#[serde(bound = "")]
pub struct DirtyKeyShare<E: Curve, L: SecurityLevel = crate::default_choice::SecurityLevel> {
    /// Core key share
    pub core: DirtyIncompleteKeyShare<E>,
    /// Auxiliary info
    pub aux: DirtyAuxInfo<L>,
}

/// Party public auxiliary data
///
/// NOTE(review): `Debug` is derived here while `crt` may hold secret data. If `CrtExp`'s
/// `Debug` impl prints its contents, formatting a `PartyAux` with `{:?}` writes the Paillier
/// private key into logs — confirm before logging values of this type.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(bound = "")]
pub struct PartyAux {
    /// $N_i = p_i \cdot q_i$
    pub N: Integer,
    /// Ring-Pedersen parameter $s_i$
    pub s: Integer,
    /// Ring-Pedersen parameter $t_i$
    pub t: Integer,
    /// Precomputed table for faster multiexponentiation
    ///
    /// Absent by default (`serde(default)`); see [`PartyAux::precompute_multiexp_table`].
    #[serde(default)]
    pub multiexp: Option<Arc<paillier_zk::multiexp::MultiexpTable>>,
    /// Enables faster modular exponentiation when factorization of `N` is known
    ///
    /// Note that it is extremely sensitive! Leaking `crt` exposes Paillier private key.
    /// It can only be computed for an entry whose `N` equals the provided `p * q`, see
    /// [`PartyAux::precompute_crt`].
    #[serde(default)]
    pub crt: Option<paillier_zk::fast_paillier::utils::CrtExp>,
}

impl<L: SecurityLevel> Validate for DirtyAuxInfo<L> {
    type Error = InvalidKeyShare;

    /// Checks the aux info against security level `L`
    ///
    /// Verifies, in this order, that every party's Ring-Pedersen parameters `s_j`, `t_j` are
    /// coprime with `N_j`, that the secret primes `p`, `q` are large enough, and that every
    /// party's modulus `N_j` is large enough. The first failing check is reported.
    fn is_valid(&self) -> Result<(), InvalidKeyShare> {
        let is_unit_mod =
            |x: &Integer, modulus: &Integer| x.gcd_ref(modulus).complete() == *Integer::ONE;

        // s_j and t_j must be units modulo N_j, otherwise the Ring-Pedersen parameters
        // are malformed
        for party in &self.parties {
            if !is_unit_mod(&party.s, &party.N) || !is_unit_mod(&party.t, &party.N) {
                return Err(InvalidKeyShareReason::StGcdN.into());
            }
        }

        // Signer's own Paillier secret key must meet the security level
        let sk_size_ok =
            crate::security_level::validate_secret_paillier_key_size::<L>(&self.p, &self.q);
        if !sk_size_ok {
            return Err(InvalidKeyShareReason::PaillierSkTooSmall.into());
        }

        // Every party's Paillier public key must meet the security level as well
        for party in &self.parties {
            if !crate::security_level::validate_public_paillier_key_size::<L>(&party.N) {
                return Err(InvalidKeyShareReason::PaillierPkTooSmall {
                    required: 8 * L::SECURITY_BITS - 1,
                    actual: party.N.significant_bits(),
                }
                .into());
            }
        }

        Ok(())
    }
}

impl<L: SecurityLevel> DirtyAuxInfo<L> {
    /// Precomputes multiexponentiation tables
    ///
    /// Enables optimization that makes signing and presigning faster. Precomputation may take a while.
    /// It noticeably increases size of aux data both in RAM and on disk (after serialization).
    ///
    /// Returns error if building a multiexp table failed. In this case, the key share stays unmodified.
    /// On success, multiexp tables are saved into the key share (old tables, if present, are overwritten).
    pub fn precompute_multiexp_tables(&mut self) -> Result<(), InvalidKeyShare> {
        let (x_bits, y_bits) = crate::security_level::max_exponents_size::<L>();

        // Build every table before touching `self`, so a failure leaves it unmodified
        let mut tables = Vec::with_capacity(self.parties.len());
        for party in &self.parties {
            let table = paillier_zk::multiexp::MultiexpTable::build(
                &party.s,
                &party.t,
                x_bits,
                y_bits,
                party.N.clone(),
            )
            .ok_or(InvalidKeyShareReason::BuildMultiexpTable)?;
            tables.push(Arc::new(table));
        }

        for (party, table) in self.parties.iter_mut().zip(tables) {
            party.multiexp = Some(table);
        }
        Ok(())
    }

    /// Returns size of all multiexp tables (in bytes) stored within key share
    ///
    /// Parties without a precomputed table contribute zero.
    pub fn multiexp_tables_size(&self) -> usize {
        let mut total: usize = 0;
        for party in &self.parties {
            if let Some(table) = &party.multiexp {
                total += table.size_in_bytes();
            }
        }
        total
    }

    /// Precomputes CRT parameters
    ///
    /// `i` is the signer's index within `parties`; the stored primes `p`, `q` are checked
    /// against `parties[i].N` before anything is saved. Refer to [`PartyAux::precompute_crt`]
    /// for the docs.
    pub fn precompute_crt(&mut self, i: u16) -> Result<(), InvalidKeyShare> {
        let party = match self.parties.get_mut(usize::from(i)) {
            Some(party) => party,
            None => return Err(InvalidKeyShareReason::CrtINotInRange.into()),
        };
        party.precompute_crt(&self.p, &self.q)
    }
}

impl PartyAux {
    /// Precompute multiexponentiation table
    ///
    /// Enables optimization that makes signing and presigning faster. Precomputation may take a while.
    /// It noticeably increases size of aux data both in RAM and on disk (after serialization).
    ///
    /// Returns error if building a multiexp table failed. On success, multiexp tables are saved (old
    /// tables, if present, are overwritten).
    ///
    /// Note that provided security level must match the actual security level being used in the
    /// protocol. Otherwise, optimization won't work, and it actually will make the protocol slower.
    pub fn precompute_multiexp_table<L: SecurityLevel>(&mut self) -> Result<(), InvalidKeyShare> {
        let (x_bits, y_bits) = crate::security_level::max_exponents_size::<L>();
        let modulus = self.N.clone();
        let built = paillier_zk::multiexp::MultiexpTable::build(
            &self.s, &self.t, x_bits, y_bits, modulus,
        );
        match built {
            Some(table) => {
                self.multiexp = Some(Arc::new(table));
                Ok(())
            }
            None => Err(InvalidKeyShareReason::BuildMultiexpTable.into()),
        }
    }

    /// Precomputes CRT parameters
    ///
    /// Enables optimization of modular exponentiation in Zero-Knowledge proofs validation. Precomputation
    /// should be relatively fast. It increases size of key share in RAM and on disk, but not noticeably.
    ///
    /// Takes primes `p`, `q` as input that correspond to signer Paillier secret key. Only the
    /// product `p * q` is checked against `N` here; primality of `p`, `q` is not verified by this
    /// method.
    ///
    /// Returns error if provided primes do not correspond to a Paillier secret key of the signer, or if
    /// precomputation failed. On success, updates CRT params stored within the structure (old params, if
    /// present, are overwritten)
    ///
    /// Note: CRT parameters contain secret information. Leaking them exposes secret Paillier key. Keep
    /// [`AuxInfo::parties`](DirtyAuxInfo::parties) secret (as well as rest of the key share).
    pub fn precompute_crt(&mut self, p: &Integer, q: &Integer) -> Result<(), InvalidKeyShare> {
        let expected_n = (p * q).complete();
        if expected_n != self.N {
            return Err(InvalidKeyShareReason::CrtInvalidPq.into());
        }
        match paillier_zk::fast_paillier::utils::CrtExp::build_n(p, q) {
            Some(crt) => {
                self.crt = Some(crt);
                Ok(())
            }
            None => Err(InvalidKeyShareReason::BuildCrt.into()),
        }
    }
}

impl<E: Curve, L: SecurityLevel> Validate for DirtyKeyShare<E, L> {
    type Error = InvalidKeyShare;

    /// Validates the core share, then the aux info, then their mutual consistency
    ///
    /// A core-share error is converted into [`InvalidKeyShare`] through the `From` impl
    /// for [`InvalidIncompleteKeyShare`].
    fn is_valid(&self) -> Result<(), InvalidKeyShare> {
        let DirtyKeyShare { core, aux } = self;
        core.is_valid()?;
        aux.is_valid()?;
        Self::validate_consistency(core, aux)
    }
}

impl<E: Curve, L: SecurityLevel> ValidateFromParts<(IncompleteKeyShare<E>, AuxInfo<L>)>
    for DirtyKeyShare<E, L>
{
    /// Both parts are already validated on their own, so only the cross-check remains
    fn validate_parts(parts: &(IncompleteKeyShare<E>, AuxInfo<L>)) -> Result<(), Self::Error> {
        let (core, aux) = parts;
        Self::validate_consistency(core, aux)
    }

    /// Unwraps both validated parts into a dirty key share
    fn from_parts(parts: (IncompleteKeyShare<E>, AuxInfo<L>)) -> Self {
        let (core, aux) = parts;
        let core = core.into_inner();
        let aux = aux.into_inner();
        DirtyKeyShare { core, aux }
    }
}

impl<E: Curve, L: SecurityLevel> DirtyKeyShare<E, L> {
    /// Perform consistency check between core and aux
    ///
    /// Checks that `aux.parties` has one entry per public share, and that the signer's own
    /// entry `aux.parties[core.i]` has modulus `N_i = p * q` for the stored secret primes.
    fn validate_consistency(
        core: &DirtyIncompleteKeyShare<E>,
        aux: &DirtyAuxInfo<L>,
    ) -> Result<(), InvalidKeyShare> {
        let n_parties = aux.parties.len();
        if core.public_shares.len() != n_parties {
            return Err(InvalidKeyShareReason::AuxLen.into());
        }

        // Indexing relies on `core.i < public_shares.len()`; that is presumably established
        // by core-share validation (not visible in this file — confirm), and the length check
        // above then makes it a valid index into `parties` as well.
        let own_party = &aux.parties[usize::from(core.i)];
        let expected_n = (&aux.p * &aux.q).complete();
        if own_party.N != expected_n {
            return Err(InvalidKeyShareReason::PrimesMul.into());
        }

        Ok(())
    }
}

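impl<E: Curve, L: SecurityLevel> DirtyKeyShare<E, L> {
    /// Precomputes CRT parameters
    ///
    /// Enables optimization of modular exponentiation in Zero-Knowledge proofs validation. Precomputation
    /// should be relatively fast. It increases size of key share in RAM and on disk, but not noticeably.
    ///
    /// Returns error if precomputation failed. In this case, the key share stays unmodified. On success,
    /// CRT parameters are saved into the key share (old params, if present, are overwritten)
    ///
    /// Available for any security level `L`: it delegates to [`DirtyAuxInfo::precompute_crt`],
    /// which is generic over `L`, passing the signer's own index `core.i`.
    ///
    /// Note: CRT parameters contain secret information. Leaking them exposes secret Paillier key. Keep
    /// [`AuxInfo::parties`](DirtyAuxInfo::parties) secret (as well as rest of the key share).
    pub fn precompute_crt(&mut self) -> Result<(), InvalidKeyShare> {
        // The aux-side method validates the index against `parties` and checks
        // p * q == N_i before storing anything
        let own_index = self.core.i;
        self.aux.precompute_crt(own_index)
    }
}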

impl<E: Curve, L: SecurityLevel> AsRef<DirtyIncompleteKeyShare<E>> for DirtyKeyShare<E, L> {
    /// Borrows the core share
    fn as_ref(&self) -> &DirtyIncompleteKeyShare<E> {
        let DirtyKeyShare { core, .. } = self;
        core
    }
}
impl<E: Curve, L: SecurityLevel> AsRef<DirtyAuxInfo<L>> for DirtyKeyShare<E, L> {
    /// Borrows the auxiliary info
    fn as_ref(&self) -> &DirtyAuxInfo<L> {
        let DirtyKeyShare { aux, .. } = self;
        aux
    }
}

impl<E: Curve, L: SecurityLevel> ops::Deref for DirtyKeyShare<E, L> {
    type Target = DirtyIncompleteKeyShare<E>;

    /// Derefs to the core share, so its fields (e.g. `i`, `public_shares`) are reachable directly
    fn deref(&self) -> &Self::Target {
        let DirtyKeyShare { core, .. } = self;
        core
    }
}

/// Any (validated) key share
///
/// Implemented for both [KeyShare] and [IncompleteKeyShare]. Used in methods
/// that accept both types of key shares, like [reconstruct_secret_key].
pub trait AnyKeyShare<E: Curve>: AsRef<IncompleteKeyShare<E>> {
    /// Returns amount of key co-holders
    ///
    /// Counts entries of `public_shares`. A validated share is guaranteed to have a party
    /// count fitting into `u16`, hence the `expect`.
    #[allow(clippy::expect_used)]
    fn n(&self) -> u16 {
        let share_count = self.as_ref().public_shares.len();
        u16::try_from(share_count)
            .expect("valid key share is guaranteed to have amount of signers fitting into u16")
    }

    /// Returns threshold
    ///
    /// Threshold is an amount of signers required to cooperate in order to sign a message
    /// and/or generate presignature. Without a VSS setup (non-threshold share) it equals `n`.
    fn min_signers(&self) -> u16 {
        match &self.as_ref().vss_setup {
            Some(setup) => setup.min_signers,
            None => self.n(),
        }
    }

    /// Returns public key shared by signers
    fn shared_public_key(&self) -> NonZero<Point<E>> {
        let core = self.as_ref();
        core.shared_public_key
    }
}

// Blanket impl: anything viewable as a validated core share (both `KeyShare` and
// `IncompleteKeyShare`) gets the `AnyKeyShare` helpers for free.
impl<E: Curve, T: AsRef<IncompleteKeyShare<E>>> AnyKeyShare<E> for T {}

/// Reconstructs a secret key from set of at least [`min_signers`](KeyShare::min_signers) key shares
///
/// Requires at least [`min_signers`](KeyShare::min_signers) distinct key shares from the same generation
/// (key refresh produces key shares of the next generation). Accepts both [`KeyShare`] and [`IncompleteKeyShare`].
/// Returns error if input is invalid.
///
/// Only compiled with the `spof` feature. This is a thin wrapper over
/// `key_share::reconstruct_secret_key`; the aux (Paillier) part of a share is not needed for
/// reconstruction.
///
/// Note that, normally, secret key is not supposed to be reconstructed, and key
/// shares should never be at one place. This basically defeats purpose of MPC and
/// creates single point of failure/trust.
#[cfg(feature = "spof")]
pub fn reconstruct_secret_key<E: Curve>(
    key_shares: &[impl AnyKeyShare<E>],
) -> Result<SecretScalar<E>, ReconstructError> {
    key_share::reconstruct_secret_key(key_shares)
}

impl From<&PartyAux> for π_enc::Aux {
    /// Builds the proof auxiliary parameters from a party's data
    ///
    /// Clones every field, including the optional multiexp table (an `Arc`, so cheap) and the
    /// optional CRT parameters (secret — see [`PartyAux::crt`]).
    fn from(aux: &PartyAux) -> Self {
        let PartyAux {
            N: rsa_modulo,
            s,
            t,
            multiexp,
            crt,
        } = aux;
        π_enc::Aux {
            s: s.clone(),
            t: t.clone(),
            rsa_modulo: rsa_modulo.clone(),
            multiexp: multiexp.clone(),
            crt: crt.clone(),
        }
    }
}

/// Error indicating that key share is not valid
///
/// The concrete reason is private; it is surfaced through `Display` (transparent) and the
/// `From` impls below. Messages name the failed check (at most bit lengths), never key material.
#[derive(Debug, Error)]
#[error(transparent)]
pub struct InvalidKeyShare(#[from] InvalidKeyShareReason);

/// Reason behind an [`InvalidKeyShare`]
///
/// Kept private so callers treat [`InvalidKeyShare`] opaquely; the wrapper's `Display` is
/// transparent and yields these messages.
#[derive(Debug, Error)]
enum InvalidKeyShareReason {
    /// Core share failed its own validation
    #[error(transparent)]
    InvalidCoreShare(InvalidIncompleteKeyShare),
    /// `aux.parties` length differs from `core.public_shares` length
    #[error("size of parties auxiliary data list doesn't match `n`: n != parties.len()")]
    AuxLen,
    /// Signer's `N_i` is not the product of the stored secret primes
    #[error("N_i != p q")]
    PrimesMul,
    #[error("gcd(s_j, N_j) != 1 or gcd(t_j, N_j) != 1")]
    StGcdN,
    #[error("paillier secret key doesn't match security level (primes are too small)")]
    PaillierSkTooSmall,
    /// Bit lengths only — no key material is included in the message
    #[error("paillier public key of one of the signers doesn't match security level: required bit length = {required}, actual = {actual}")]
    PaillierPkTooSmall { required: u32, actual: u32 },
    #[error("couldn't build a multiexp table")]
    BuildMultiexpTable,
    #[error("provided index `i` does not correspond to an index of the signer at key generation")]
    CrtINotInRange,
    #[error("provided primes `p`, `q` do not correspond to signer Paillier public key")]
    CrtInvalidPq,
    #[error("couldn't build CRT parameters")]
    BuildCrt,
}

/// Error indicating that [key reconstruction](reconstruct_secret_key) failed
#[cfg(feature = "spof")]
pub use key_share::ReconstructError;

impl From<InvalidIncompleteKeyShare> for InvalidKeyShare {
    /// Wraps a core-share validation error; `Display` is transparent, so the message is unchanged
    fn from(err: InvalidIncompleteKeyShare) -> Self {
        let reason = InvalidKeyShareReason::InvalidCoreShare(err);
        InvalidKeyShare(reason)
    }
}

impl<T> From<ValidateError<T, InvalidIncompleteKeyShare>> for InvalidKeyShare {
    /// Drops the rejected value and keeps only the core-share error
    fn from(err: ValidateError<T, InvalidIncompleteKeyShare>) -> Self {
        InvalidKeyShare::from(err.into_error())
    }
}

impl<T> From<ValidateError<T, InvalidKeyShare>> for InvalidKeyShare {
    /// Drops the rejected value; the carried error is already an `InvalidKeyShare`
    fn from(err: ValidateError<T, InvalidKeyShare>) -> Self {
        let inner = err.into_error();
        inner
    }
}