SecretStore: threshold ECDSA PoC

[svyatonik]

It is a test of crypto-math behind possible implementation of ECDSA-compatible SS session.

The only known limitation is that it requires 2 * t <= N. I.e. it isn't possible to make ECDSA signature when key was generated, for example 4-of-6 session.
Workaround is to temporarily (for the duration of this session) decrease key threshold (see #7562 for PoC). But we need to agree on this (it is a part of #7271 discussion, actually).

So if this PR will be merged before #7271 is reviewed, I'll start adding ECDSA session without automatic threshold decreasing && wait until this solution will be reviewed.

[svyatonik]

Didn't wanted to implement Default for Secret, since it actually produces invalid Secret.

[svyatonik]

The reason behind these changes is that starting with this PR, I need to handle 0 EC scalars.
0 is the invalid key in secp256k1 && library will return an error when trying to work with it.
Long story short: it wasn't a best idea to use Secret for EC arithmetic (the initial assumption was that it will minimize U256 <-> Secret conversions).
And the general solution is either to find&use/create separate EC-arithmetic library.
If you're strong against these changes - please comment && I'll close this PR && will switch to separate type for EC calculations first.

[rphmeier]

not strongly against these changes, but down the road it could be nice to have a separate type for secp256k1 scalars which has std::ops traits implemented for it.

[rphmeier]

nit: can we frame that as a multiplicative inverse instead of 1/x?

[svyatonik]

Sure :) It is just easier to write 1/x instead of multiplicative inverse of x. Did inv(x) sounds good, or it is better to write its 'full name'?

[rphmeier]

inv(x) is fine for me

[rphmeier]

is that tested to wrap around?

[svyatonik]

Thanks for reviewing! Yes - it will wrap around in case of underflow. Please see run_zero_key_generation - 0 is passed here as secret_required => any non-zero value (which is generated by generate_random_scalar) will cause underflow => yes it is tested.

[rphmeier]

Did an initial review of the code and it looks fine. I'll dive into the math tomorrow.
Just wondering if you've seen this paper which I was linked to recently: https://eprint.iacr.org/2016/013.pdf as it's newer than the one linked in the PR and seems to get rid of the n >= 2t+1 requirement.

[svyatonik]

@rphmeier Thanks for the link!!! I'll read this paper on the weekend, but iirc last time I was searching for threshold-optimal ECDSA (this was ~2 months ago), every paper had its own 'issue' - like one was strictly about 2-of-2 scheme, another required 2 * t nodes to recover the key, another was about using different key generation scheme (secret = multiplication of shares, instead of addition [that's what we currently use]), another was about 'combinatorics threshold' (i.e. generate t-of-n shares for each possible combination of nodes). I'll mark PR as gotissues until I'm done with reading.

[svyatonik]

So the key generation scheme in this paper differs from what we currently use (at first glance). Since the most of SS functionality is based on current KG scheme (like Enc/Dec + migration), I'll opt for using proposed (in this PR) signature generation prototype now (I was asked several times for this feature) + detailed review (and possibly including it to the SS [TODO for myself: research if shares migration is possible in this scheme]) of your paper later.

[svyatonik]

Found some issue with serialize_ecdsa_signature

[svyatonik]

Turned out to be issue with nonce_public calculation - fixed it. I've also:

• extracted some parts of tests into separate functions, because I'll need these for ECDSA session implementation;
• added tests for different key sharing schemes;
• added random message hash generation to the test (previously it always was less than EC order).

[debris]

@rphmeier could you review this pr again? I don't feel qualified to review it without diving into math

[rphmeier]

any secret in 0..curve_order is valid though, right?

[svyatonik]

yes. except for 0 itself

[rphmeier]

I think this is better explained as x_coordinate(point) than as "r", which requires diving a bit more into implementations of ecdsa

[svyatonik]

I've added public_x and public_y (and used public_x in this function), but left compute_ecdsa_r - it is easier to think of R and S parts in ECDSA session (next PR). I.e. leave the fact that R is actually a point.x behind 'math-wall'.

[rphmeier]

let nonce_public_x = H256::from_slice(&nonce_public[0..32])

[rphmeier]

haven't dived too deep into the math, but the logic around interpolation of inv(nonce) and the s value seems fine

[rphmeier]

This interpolation doesn't seem to be possible with only t participants (as it's polluted by the shares of the z blinding factor).

[svyatonik]

Sorry - don't get it - whether this is an issue, or a question :) Interpolation is not possible with t+1 participants - yes. iirc, the reason is that two t-degree polynoms are multiplied when inv(nonce) is calculated => it requires 2*t+1 points to interpolate.

[rphmeier]

yes, but if running compute_ecdsa_s is part of a t-of-n scheme then I don't understand how it could ever complete (relevant to my other comment)

[rphmeier]

or have I got it backwards somehow, and it's actually a 2t+1-of-n scheme because we have to interpolate such polynomials?

[svyatonik]

signature_s_shares are the shares of S in (2*t+1)-of-N scheme. So what compute_ecdsa_s does is exactly interpolating 2*t-degree polynomial.

[rphmeier]

if each node's participation (or at least 2t + 1) is required to interpolate the polynomial here, then can it really be considered a t-of-n scheme?

[svyatonik]

Replaced with 2*t+1 (it is actually compute_ecdsa_s who take care of this, but it might be confusing to see n in this test)