mirror of
https://source.quilibrium.com/quilibrium/ceremonyclient.git
synced 2024-12-26 08:35:17 +00:00
507 lines
16 KiB
Go
507 lines
16 KiB
Go
//
|
|
// Copyright Coinbase, Inc. All Rights Reserved.
|
|
//
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
//
|
|
|
|
package v1
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha256"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"math/big"
|
|
"testing"
|
|
|
|
"github.com/btcsuite/btcd/btcec"
|
|
"github.com/stretchr/testify/require"
|
|
"golang.org/x/crypto/sha3"
|
|
|
|
"source.quilibrium.com/quilibrium/monorepo/nekryptology/pkg/core/curves"
|
|
"source.quilibrium.com/quilibrium/monorepo/nekryptology/pkg/core/protocol"
|
|
v0 "source.quilibrium.com/quilibrium/monorepo/nekryptology/pkg/tecdsa/dkls/v0"
|
|
"source.quilibrium.com/quilibrium/monorepo/nekryptology/pkg/tecdsa/dkls/v1/dkg"
|
|
)
|
|
|
|
// For DKG bob starts first. For refresh and sign, Alice starts first.
|
|
func runIteratedProtocol(firstParty protocol.Iterator, secondParty protocol.Iterator) (error, error) {
|
|
var (
|
|
message *protocol.Message
|
|
aErr error
|
|
bErr error
|
|
)
|
|
|
|
for aErr != protocol.ErrProtocolFinished || bErr != protocol.ErrProtocolFinished {
|
|
// Crank each protocol forward one iteration
|
|
message, bErr = firstParty.Next(message)
|
|
if bErr != nil && bErr != protocol.ErrProtocolFinished {
|
|
return nil, bErr
|
|
}
|
|
|
|
message, aErr = secondParty.Next(message)
|
|
if aErr != nil && aErr != protocol.ErrProtocolFinished {
|
|
return aErr, nil
|
|
}
|
|
}
|
|
return aErr, bErr
|
|
}
|
|
|
|
// Running steps in sequence ensures that no hidden read/write dependency exist in the read/write interfaces.
|
|
func TestDkgProto(t *testing.T) {
|
|
curveInstances := []*curves.Curve{
|
|
curves.K256(),
|
|
curves.P256(),
|
|
}
|
|
for _, curve := range curveInstances {
|
|
alice := NewAliceDkg(256, 80, curve, protocol.Version1)
|
|
bob := NewBobDkg(256, 80, curve, protocol.Version1)
|
|
aErr, bErr := runIteratedProtocol(bob, alice)
|
|
|
|
t.Run("both alice/bob complete simultaneously", func(t *testing.T) {
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
})
|
|
|
|
for i := 0; i < 256; i++ {
|
|
if alice.Alice.Output().SeedOtResult.OneTimePadDecryptionKey[i] != bob.Bob.Output().SeedOtResult.OneTimePadEncryptionKeys[i][alice.Alice.Output().SeedOtResult.RandomChoiceBits[i]] {
|
|
t.Errorf("oblivious transfer is incorrect at index i=%v", i)
|
|
}
|
|
}
|
|
|
|
t.Run("Both parties produces identical composite pubkey", func(t *testing.T) {
|
|
require.True(t, alice.Alice.Output().PublicKey.Equal(bob.Bob.Output().PublicKey))
|
|
})
|
|
|
|
var aliceResult *dkg.AliceOutput
|
|
var bobResult *dkg.BobOutput
|
|
t.Run("alice produces valid result", func(t *testing.T) {
|
|
// Get the result
|
|
r, err := alice.Result(protocol.Version1)
|
|
|
|
// Test
|
|
require.NoError(t, err)
|
|
require.NotNil(t, r)
|
|
aliceResult, err = DecodeAliceDkgResult(r)
|
|
require.NoError(t, err)
|
|
})
|
|
t.Run("bob produces valid result", func(t *testing.T) {
|
|
// Get the result
|
|
r, err := bob.Result(protocol.Version1)
|
|
|
|
// Test
|
|
require.NoError(t, err)
|
|
require.NotNil(t, r)
|
|
bobResult, err = DecodeBobDkgResult(r)
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
t.Run("alice/bob agree on pubkey", func(t *testing.T) {
|
|
require.Equal(t, aliceResult.PublicKey, bobResult.PublicKey)
|
|
})
|
|
}
|
|
}
|
|
|
|
// DKG > Refresh > Sign
|
|
func TestRefreshProto(t *testing.T) {
|
|
t.Parallel()
|
|
curveInstances := []*curves.Curve{
|
|
curves.K256(),
|
|
curves.P256(),
|
|
}
|
|
for _, curve := range curveInstances {
|
|
boundCurve := curve
|
|
t.Run(fmt.Sprintf("testing refresh for curve %s", boundCurve.Name), func(tt *testing.T) {
|
|
tt.Parallel()
|
|
// DKG
|
|
aliceDkg := NewAliceDkg(256, 80, boundCurve, protocol.Version1)
|
|
bobDkg := NewBobDkg(256, 80, boundCurve, protocol.Version1)
|
|
|
|
aDkgErr, bDkgErr := runIteratedProtocol(bobDkg, aliceDkg)
|
|
require.ErrorIs(tt, aDkgErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(tt, bDkgErr, protocol.ErrProtocolFinished)
|
|
|
|
aliceDkgResultMessage, err := aliceDkg.Result(protocol.Version1)
|
|
require.NoError(tt, err)
|
|
bobDkgResultMessage, err := bobDkg.Result(protocol.Version1)
|
|
require.NoError(tt, err)
|
|
|
|
// Refresh
|
|
aliceRefreshResultMessage, bobRefreshResultMessage := refreshV1(t, boundCurve, aliceDkgResultMessage, bobDkgResultMessage)
|
|
|
|
// sign
|
|
signV1(t, boundCurve, aliceRefreshResultMessage, bobRefreshResultMessage)
|
|
})
|
|
}
|
|
}
|
|
|
|
// DKG V0 > DKG V1 > Refresh > Sign
|
|
func TestRefreshFromV0Proto(t *testing.T) {
|
|
t.Parallel()
|
|
curve := curves.K256()
|
|
|
|
// DKG v0
|
|
params, err := v0.NewParams(btcec.S256(), curves.K256Scalar{})
|
|
require.NoError(t, err)
|
|
|
|
alice := v0.NewAliceDkg(params)
|
|
bob := v0.NewBobDkg(params)
|
|
_, _ = runV0IteratedProtocol(alice, bob)
|
|
|
|
aliceBytes, err := v0.EncodeAlice(alice.Alice)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, aliceBytes)
|
|
bobBytes, err := v0.EncodeBob(bob.Bob)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, bobBytes)
|
|
|
|
// Convert DKG v0 to v1
|
|
aliceDkgResultMessage, err := ConvertAliceDkgOutputToV1(params, aliceBytes)
|
|
require.NoError(t, err)
|
|
|
|
bobDkgResultMessage, err := ConvertBobDkgOutputToV1(params, bobBytes)
|
|
require.NoError(t, err)
|
|
|
|
// Refresh
|
|
aliceRefreshResultMessage, bobRefreshResultMessage := refreshV1(t, curve, aliceDkgResultMessage, bobDkgResultMessage)
|
|
|
|
// Sign
|
|
signV1(t, curve, aliceRefreshResultMessage, bobRefreshResultMessage)
|
|
}
|
|
|
|
// DKG > Output > NewDklsSign > Sign > Output
|
|
func TestDkgSignProto(t *testing.T) {
|
|
// Setup
|
|
curve := curves.K256()
|
|
|
|
aliceDkg := NewAliceDkg(256, 80, curve, protocol.Version1)
|
|
bobDkg := NewBobDkg(256, 80, curve, protocol.Version1)
|
|
|
|
// DKG
|
|
aErr, bErr := runIteratedProtocol(bobDkg, aliceDkg)
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
|
|
// Output
|
|
aliceDkgResultMessage, err := aliceDkg.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
|
|
bobDkgResultMessage, err := bobDkg.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
|
|
// New DklsSign
|
|
msg := []byte("As soon as you trust yourself, you will know how to live.")
|
|
aliceSign, err := NewAliceSign(256, 80, curve, sha3.New256(), msg, aliceDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
bobSign, err := NewBobSign(256, 80, curve, sha3.New256(), msg, bobDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
|
|
// Sign
|
|
t.Run("sign", func(t *testing.T) {
|
|
aErr, bErr = runIteratedProtocol(aliceSign, bobSign)
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
})
|
|
// Don't continue to verifying results if sign didn't run to completion.
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
|
|
// Output
|
|
var result *curves.EcdsaSignature
|
|
t.Run("bob produces result of correct type", func(t *testing.T) {
|
|
resultMessage, err := bobSign.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
result, err = DecodeSignature(resultMessage)
|
|
require.NoError(t, err)
|
|
})
|
|
require.NotNil(t, result)
|
|
|
|
t.Run("valid signature", func(t *testing.T) {
|
|
hash := sha3.New256()
|
|
_, err = hash.Write(msg)
|
|
require.NoError(t, err)
|
|
digest := hash.Sum(nil)
|
|
unCompressedAffinePublicKey := aliceDkg.Output().PublicKey.ToAffineUncompressed()
|
|
require.Equal(t, 65, len(unCompressedAffinePublicKey))
|
|
x := new(big.Int).SetBytes(unCompressedAffinePublicKey[1:33])
|
|
y := new(big.Int).SetBytes(unCompressedAffinePublicKey[33:])
|
|
ecCurve, err := curve.ToEllipticCurve()
|
|
require.NoError(t, err)
|
|
publicKey := &curves.EcPoint{
|
|
Curve: ecCurve,
|
|
X: x,
|
|
Y: y,
|
|
}
|
|
require.True(t,
|
|
curves.VerifyEcdsa(publicKey,
|
|
digest[:],
|
|
result,
|
|
),
|
|
"signature failed verification",
|
|
)
|
|
})
|
|
}
|
|
|
|
// Decode > NewDklsSign > Sign > Output
|
|
// NOTE: this cold-start test ensures backwards compatibility with durable,
|
|
// encoding DKG state that may exist within production systems like test
|
|
// Breaking changes must consider downstream production impacts.
|
|
func TestSignColdStart(t *testing.T) {
|
|
// Decode alice/bob state from file
|
|
aliceDkg, err := ioutil.ReadFile("testdata/alice-dkls-v1-dkg.bin")
|
|
require.NoError(t, err)
|
|
bobDkg, err := ioutil.ReadFile("testdata/bob-dkls-v1-dkg.bin")
|
|
require.NoError(t, err)
|
|
|
|
// The choice of json marshaling is arbitrary, the binary could have been marshaled in other forms as well
|
|
// The purpose here is to obtain an instance of `protocol.Message`
|
|
|
|
aliceDkgMessage := &protocol.Message{}
|
|
err = json.Unmarshal(aliceDkg, aliceDkgMessage)
|
|
require.NoError(t, err)
|
|
|
|
bobDkgMessage := &protocol.Message{}
|
|
err = json.Unmarshal(bobDkg, bobDkgMessage)
|
|
require.NoError(t, err)
|
|
|
|
signV1(t, curves.K256(), aliceDkgMessage, bobDkgMessage)
|
|
}
|
|
|
|
func TestEncodeDecode(t *testing.T) {
|
|
curve := curves.K256()
|
|
|
|
alice := NewAliceDkg(256, 80, curve, protocol.Version1)
|
|
bob := NewBobDkg(256, 80, curve, protocol.Version1)
|
|
_, _ = runIteratedProtocol(bob, alice)
|
|
|
|
var aliceBytes []byte
|
|
var bobBytes []byte
|
|
t.Run("Encode Alice/Bob", func(t *testing.T) {
|
|
aliceDkgMessage, err := EncodeAliceDkgOutput(alice.Alice.Output(), protocol.Version1)
|
|
require.NoError(t, err)
|
|
aliceBytes, err = json.Marshal(aliceDkgMessage)
|
|
require.NoError(t, err)
|
|
|
|
bobDkgMessage, err := EncodeBobDkgOutput(bob.Bob.Output(), protocol.Version1)
|
|
require.NoError(t, err)
|
|
bobBytes, err = json.Marshal(bobDkgMessage)
|
|
require.NoError(t, err)
|
|
})
|
|
require.NotEmpty(t, aliceBytes)
|
|
require.NotEmpty(t, bobBytes)
|
|
|
|
t.Run("Decode Alice", func(t *testing.T) {
|
|
decodedAliceMessage := &protocol.Message{}
|
|
err := json.Unmarshal(aliceBytes, decodedAliceMessage)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, decodedAliceMessage)
|
|
decodedAlice, err := DecodeAliceDkgResult(decodedAliceMessage)
|
|
require.NoError(t, err)
|
|
|
|
require.True(t, alice.Output().PublicKey.Equal(decodedAlice.PublicKey))
|
|
require.Equal(t, alice.Output().SecretKeyShare, decodedAlice.SecretKeyShare)
|
|
})
|
|
|
|
t.Run("Decode Bob", func(t *testing.T) {
|
|
decodedBobMessage := &protocol.Message{}
|
|
err := json.Unmarshal(bobBytes, decodedBobMessage)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, decodedBobMessage)
|
|
decodedBob, err := DecodeBobDkgResult(decodedBobMessage)
|
|
require.NoError(t, err)
|
|
|
|
require.True(t, bob.Output().PublicKey.Equal(decodedBob.PublicKey))
|
|
require.Equal(t, bob.Output().SecretKeyShare, decodedBob.SecretKeyShare)
|
|
})
|
|
}
|
|
|
|
func runV0IteratedProtocol(alice v0.ProtocolIterator, bob v0.ProtocolIterator) (error, error) {
|
|
var (
|
|
buf bytes.Buffer
|
|
aErr error
|
|
bErr error
|
|
)
|
|
|
|
for aErr != io.EOF || bErr != io.EOF {
|
|
// Crank each protocol forward one iteration
|
|
aErr = alice.Next(&buf)
|
|
if aErr != nil && aErr != io.EOF {
|
|
return aErr, nil
|
|
}
|
|
|
|
bErr = bob.Next(&buf)
|
|
if bErr != nil && bErr != io.EOF {
|
|
return nil, bErr
|
|
}
|
|
}
|
|
return aErr, bErr
|
|
}
|
|
|
|
// TestV0ToV1 tests the case where a DKG is run on V0 of the protocol and its output is used in V1 signing protocol.
|
|
func TestV0ToV1(t *testing.T) {
|
|
params, err := v0.NewParams(btcec.S256(), curves.K256Scalar{})
|
|
require.NoError(t, err)
|
|
|
|
alice := v0.NewAliceDkg(params)
|
|
bob := v0.NewBobDkg(params)
|
|
_, _ = runV0IteratedProtocol(alice, bob)
|
|
|
|
var aliceBytes []byte
|
|
var bobBytes []byte
|
|
t.Run("Encode Alice/Bob", func(t *testing.T) {
|
|
aliceBytes, err = v0.EncodeAlice(alice.Alice)
|
|
require.NoError(t, err)
|
|
|
|
bobBytes, err = v0.EncodeBob(bob.Bob)
|
|
require.NoError(t, err)
|
|
})
|
|
require.NotEmpty(t, aliceBytes)
|
|
require.NotEmpty(t, bobBytes)
|
|
|
|
signV0(params, aliceBytes, bobBytes, t)
|
|
convertV0AndSignV1(params, aliceBytes, bobBytes, t)
|
|
}
|
|
|
|
// The content of this function are copied from the `proto_test.go` file in the v0 package.
|
|
func signV0(params *v0.Params, aliceBytes []byte, bobBytes []byte, t *testing.T) {
|
|
aliceDkg, err := v0.DecodeAlice(params, aliceBytes)
|
|
require.NoError(t, err)
|
|
|
|
// New DklsSign
|
|
msg := []byte("As soon as you trust yourself, you will know how to live.")
|
|
digest := sha256.Sum256(msg)
|
|
aliceSign, err := v0.NewAliceSign(params, digest[:], aliceBytes)
|
|
require.NoError(t, err)
|
|
bobSign, err := v0.NewBobSign(params, digest[:], bobBytes)
|
|
require.NoError(t, err)
|
|
|
|
// Sign
|
|
var aErr error
|
|
var bErr error
|
|
t.Run("sign", func(t *testing.T) {
|
|
aErr, bErr = runV0IteratedProtocol(aliceSign, bobSign)
|
|
require.ErrorIs(t, aErr, io.EOF)
|
|
require.ErrorIs(t, bErr, io.EOF)
|
|
})
|
|
// Don't continue to verifying results if sign didn't run to completion.
|
|
require.ErrorIs(t, aErr, io.EOF)
|
|
require.ErrorIs(t, bErr, io.EOF)
|
|
|
|
// Result
|
|
var result interface{}
|
|
t.Run("bob produces result of correct type", func(t *testing.T) {
|
|
result, err = bobSign.Result()
|
|
require.NoError(t, err)
|
|
})
|
|
require.NotNil(t, result)
|
|
require.IsType(t, &curves.EcdsaSignature{}, result)
|
|
|
|
t.Run("valid signature", func(t *testing.T) {
|
|
require.True(t,
|
|
curves.VerifyEcdsa(aliceDkg.Pk,
|
|
digest[:],
|
|
result.(*curves.EcdsaSignature),
|
|
),
|
|
"signature failed verification",
|
|
)
|
|
})
|
|
}
|
|
|
|
func convertV0AndSignV1(params *v0.Params, aliceBytes []byte, bobBytes []byte, t *testing.T) {
|
|
// Now convert the encoded value to V1 and then run the V1 signing protocol.
|
|
aliceDkgResultMessage, err := ConvertAliceDkgOutputToV1(params, aliceBytes)
|
|
require.NoError(t, err)
|
|
|
|
bobDkgResultMessage, err := ConvertBobDkgOutputToV1(params, bobBytes)
|
|
require.NoError(t, err)
|
|
signV1(t, curves.K256(), aliceDkgResultMessage, bobDkgResultMessage)
|
|
}
|
|
|
|
func signV1(t *testing.T, curve *curves.Curve, aliceDkgResultMessage *protocol.Message, bobDkgResultMessage *protocol.Message) {
|
|
t.Helper()
|
|
// New DklsSign
|
|
msg := []byte("As soon as you trust yourself, you will know how to live.")
|
|
aliceSign, err := NewAliceSign(256, 80, curve, sha3.New256(), msg, aliceDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
bobSign, err := NewBobSign(256, 80, curve, sha3.New256(), msg, bobDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
|
|
// Sign
|
|
var aErr error
|
|
var bErr error
|
|
t.Run("sign", func(t *testing.T) {
|
|
aErr, bErr = runIteratedProtocol(aliceSign, bobSign)
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
})
|
|
// Don't continue to verifying results if sign didn't run to completion.
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
|
|
// Output
|
|
var result *curves.EcdsaSignature
|
|
t.Run("bob produces result of correct type", func(t *testing.T) {
|
|
resultMessage, err := bobSign.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
result, err = DecodeSignature(resultMessage)
|
|
require.NoError(t, err)
|
|
})
|
|
require.NotNil(t, result)
|
|
|
|
aliceDkg, err := DecodeAliceDkgResult(aliceDkgResultMessage)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("valid signature", func(t *testing.T) {
|
|
hash := sha3.New256()
|
|
_, err = hash.Write(msg)
|
|
require.NoError(t, err)
|
|
digest := hash.Sum(nil)
|
|
unCompressedAffinePublicKey := aliceDkg.PublicKey.ToAffineUncompressed()
|
|
require.Equal(t, 65, len(unCompressedAffinePublicKey))
|
|
x := new(big.Int).SetBytes(unCompressedAffinePublicKey[1:33])
|
|
y := new(big.Int).SetBytes(unCompressedAffinePublicKey[33:])
|
|
ecCurve, err := curve.ToEllipticCurve()
|
|
require.NoError(t, err)
|
|
publicKey := &curves.EcPoint{
|
|
Curve: ecCurve,
|
|
X: x,
|
|
Y: y,
|
|
}
|
|
require.True(t,
|
|
curves.VerifyEcdsa(publicKey,
|
|
digest[:],
|
|
result,
|
|
),
|
|
"signature failed verification",
|
|
)
|
|
})
|
|
}
|
|
|
|
func refreshV1(t *testing.T, curve *curves.Curve, aliceDkgResultMessage, bobDkgResultMessage *protocol.Message) (aliceRefreshResultMessage, bobRefreshResultMessage *protocol.Message) {
|
|
t.Helper()
|
|
aliceRefresh, err := NewAliceRefresh(256, 80, curve, aliceDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
bobRefresh, err := NewBobRefresh(256, 80, curve, bobDkgResultMessage, protocol.Version1)
|
|
require.NoError(t, err)
|
|
|
|
aErr, bErr := runIteratedProtocol(aliceRefresh, bobRefresh)
|
|
require.ErrorIs(t, aErr, protocol.ErrProtocolFinished)
|
|
require.ErrorIs(t, bErr, protocol.ErrProtocolFinished)
|
|
|
|
aliceRefreshResultMessage, err = aliceRefresh.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, aliceRefreshResultMessage)
|
|
_, err = DecodeAliceRefreshResult(aliceRefreshResultMessage)
|
|
require.NoError(t, err)
|
|
|
|
bobRefreshResultMessage, err = bobRefresh.Result(protocol.Version1)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, bobRefreshResultMessage)
|
|
_, err = DecodeBobRefreshResult(bobRefreshResultMessage)
|
|
require.NoError(t, err)
|
|
|
|
return aliceRefreshResultMessage, bobRefreshResultMessage
|
|
}
|