Merge pull request #444 from bane-labs/zk-dkg

consensus/dbft: add a new goroutine for ZK proof generation

Author: txhsl

Makefile

@@ -12,6 +12,7 @@ MAIN_DIR = ./privnet
 SINGLE_DIR = $(MAIN_DIR)/single
 FOUR_DIR = $(MAIN_DIR)/four
 SEVEN_DIR = $(MAIN_DIR)/seven
+ZK_DIR = $(MAIN_DIR)/zk
 
 BOOTNODE = bootnode
 BOOTNODE_PORT = 30304
@@ -84,6 +85,10 @@ define run_bootnode
     	-verbosity $(BOOTNODE_LOGLEVEL) > $(1)/$(BOOTNODE)/bootnode.log 2>&1 &
 endef
 
+define run_miner_node_with_zk_dkg
+	$(call run_node,$(1),$(2),$(3),$(4),$(5),$(6),--mine --miner.etherbase="0x$$(cat $(1)/$(7)/node_address.txt)" --antimev.password=$(1)/$(7)/password.txt --dkg.one-msg-r1cs=$(1)/r1cs/R1CS_1 --dkg.two-msg-r1cs=$(1)/r1cs/R1CS_2 --dkg.seven-msg-r1cs=$(1)/r1cs/R1CS_7 --dkg.one-msg-pk=$(1)/provingkey/PK_1 --dkg.two-msg-pk=$(1)/provingkey/PK_2 --dkg.seven-msg-pk=$(1)/provingkey/PK_7)
+endef
+
 define run_miner_node
 	$(call run_node,$(1),$(2),$(3),$(4),$(5),$(6),--mine --miner.etherbase="0x$$(cat $(1)/$(7)/node_address.txt)" --antimev.password=$(1)/$(7)/password.txt)
 endef
@@ -239,6 +244,42 @@ $(SEVEN_DIR)/$(NODE8)/geth:
 	@echo "Initializing $(NODE8) (seed) from genesis"
 	$(call init_node,$(SEVEN_DIR),$(NODE8))
 
+$(ZK_DIR)/$(NODE0)/geth:
+	@echo "Initializing $(NODE0) (watch-only CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE0))
+
+$(ZK_DIR)/$(NODE1)/geth:
+	@echo "Initializing $(NODE1) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE1))
+
+$(ZK_DIR)/$(NODE2)/geth:
+	@echo "Initializing $(NODE2) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE2))
+
+$(ZK_DIR)/$(NODE3)/geth:
+	@echo "Initializing $(NODE3) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE3))
+
+$(ZK_DIR)/$(NODE4)/geth:
+	@echo "Initializing $(NODE4) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE4))
+
+$(ZK_DIR)/$(NODE5)/geth:
+	@echo "Initializing $(NODE5) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE5))
+
+$(ZK_DIR)/$(NODE6)/geth:
+	@echo "Initializing $(NODE6) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE6))
+
+$(ZK_DIR)/$(NODE7)/geth:
+	@echo "Initializing $(NODE7) (CN) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE7))
+
+$(ZK_DIR)/$(NODE8)/geth:
+	@echo "Initializing $(NODE8) (seed) from genesis"
+	$(call init_node,$(ZK_DIR),$(NODE8))
+
 privnet_start: $(SINGLE_DIR)/$(NODE0)/geth $(SINGLE_DIR)/$(NODE1)/geth $(SINGLE_DIR)/$(NODE2)/geth
 	@echo "Starting nodes..."
 	$(call run_bootnode,$(SINGLE_DIR))
@@ -272,6 +313,20 @@ privnet_start_seven: $(SEVEN_DIR)/$(NODE0)/geth $(SEVEN_DIR)/$(NODE1)/geth $(SEV
 	$(call run_node,$(SEVEN_DIR),$(NODE8),$(NODE8_PORT),$(NODE8_AUTH_PORT),$(NODE8_HTTP_PORT),$(NODE8_WS_PORT))
 	@echo "OK! Check logs in $(SEVEN_DIR)/<node_dir>/geth_node.log"
 
+privnet_start_zk: $(ZK_DIR)/$(NODE0)/geth $(ZK_DIR)/$(NODE1)/geth $(ZK_DIR)/$(NODE2)/geth $(ZK_DIR)/$(NODE3)/geth $(ZK_DIR)/$(NODE4)/geth $(ZK_DIR)/$(NODE5)/geth $(ZK_DIR)/$(NODE6)/geth $(ZK_DIR)/$(NODE7)/geth $(ZK_DIR)/$(NODE8)/geth
+	@echo "Starting nodes..."
+	$(call run_bootnode,$(ZK_DIR))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE0),$(NODE0_PORT),$(NODE0_AUTH_PORT),$(NODE0_HTTP_PORT),$(NODE0_WS_PORT),$(NODE0))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE1),$(NODE1_PORT),$(NODE1_AUTH_PORT),$(NODE1_HTTP_PORT),$(NODE1_WS_PORT),$(NODE1))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE2),$(NODE2_PORT),$(NODE2_AUTH_PORT),$(NODE2_HTTP_PORT),$(NODE2_WS_PORT),$(NODE2))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE3),$(NODE3_PORT),$(NODE3_AUTH_PORT),$(NODE3_HTTP_PORT),$(NODE3_WS_PORT),$(NODE3))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE4),$(NODE4_PORT),$(NODE4_AUTH_PORT),$(NODE4_HTTP_PORT),$(NODE4_WS_PORT),$(NODE4))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE5),$(NODE5_PORT),$(NODE5_AUTH_PORT),$(NODE5_HTTP_PORT),$(NODE5_WS_PORT),$(NODE5))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE6),$(NODE6_PORT),$(NODE6_AUTH_PORT),$(NODE6_HTTP_PORT),$(NODE6_WS_PORT),$(NODE6))
+	$(call run_miner_node_with_zk_dkg,$(ZK_DIR),$(NODE7),$(NODE7_PORT),$(NODE7_AUTH_PORT),$(NODE7_HTTP_PORT),$(NODE7_WS_PORT),$(NODE7))
+	$(call run_node,$(ZK_DIR),$(NODE8),$(NODE8_PORT),$(NODE8_AUTH_PORT),$(NODE8_HTTP_PORT),$(NODE8_WS_PORT))
+	@echo "OK! Check logs in $(ZK_DIR)/<node_dir>/geth_node.log"
+
 docker_privnet_start:
 	docker compose -f .docker/docker-compose.yml up -d
 

antimev/keygroup.go

@@ -5,8 +5,6 @@ import (
 	"errors"
 	"math/big"
 
-	"github.com/bane-labs/zk-dkg/encryption"
-	"github.com/ethereum/go-ethereum/crypto/ecies"
 	"github.com/ethereum/go-ethereum/crypto/tpke"
 )
 
@@ -72,12 +70,12 @@ func (tkg *thresholdKeyGroup) copy() *thresholdKeyGroup {
 }
 
 // prepare generates local secrets and returns sharing messages.
-func (tkg *thresholdKeyGroup) prepare(threshold int, messagePubKeys []*ecies.PublicKey) ([][]byte, *tpke.PVSS, error) {
+func (tkg *thresholdKeyGroup) prepare(size int, threshold int) ([]*big.Int, *tpke.PVSS) {
 	// Generate local secret
 	secret := tpke.RandomSecret(threshold)
 	tkg.pendingSecrets = append(tkg.pendingSecrets, secret)
 	// Generate and encrypt messages to share the secret
-	return generateShareMessages(secret, messagePubKeys)
+	return generateShares(secret, size)
 }
 
 // confirmSecret requires the final contract-received PVSS to confirm the secret.
@@ -114,34 +112,35 @@ func (tkg *thresholdKeyGroup) aggregate(scaler int, aggregatedCmt []byte, isRece
 }
 
 // recover returns received shared secrets with different message encryption.
-func (tkg *thresholdKeyGroup) recover(secretIndexs []int, receiverEthPubKeys []*ecies.PublicKey) ([][]byte, error) {
+func (tkg *thresholdKeyGroup) recover(secretIndexs []int) ([]*big.Int, error) {
 	// Generate message
-	srms := make([][]byte, len(secretIndexs))
+	ss := make([]*big.Int, len(secretIndexs))
 	for i, index := range secretIndexs {
 		arrIndex := index - 1
 		if tkg.receivedSecrets[arrIndex] == nil {
 			return nil, ErrUnrecoverable
 		}
-		srms[i] = encryptShareMessage(receiverEthPubKeys[i], tkg.receivedSecrets[arrIndex].Bytes())
+		ss[i] = tkg.receivedSecrets[arrIndex]
 	}
 
-	return srms, nil
+	return ss, nil
 }
 
 // reshare does almost the same as dkgPrepare, but local secret is reused to
 // produce the same global public key.
-func (tkg *thresholdKeyGroup) reshare(messagePubKeys []*ecies.PublicKey) ([][]byte, *tpke.PVSS, error) {
+func (tkg *thresholdKeyGroup) reshare(size int) ([]*big.Int, *tpke.PVSS, error) {
 	// Check if has a local secret
 	if tkg.localSecret == nil {
 		return nil, nil, ErrNoSecretToReshare
 	}
 	// Generate and encrypt messages to share the secret
-	return generateShareMessages(tkg.localSecret.Renovate(), messagePubKeys)
+	ss, pvss := generateShares(tkg.localSecret.Renovate(), size)
+	return ss, pvss, nil
 }
 
 // reshareRecovered tries to recover a dkg secret, and returns an error if
 // the attempt fails when shares are not enough.
-func (tkg *thresholdKeyGroup) reshareRecovered(threshold int, messagePubKeys []*ecies.PublicKey) ([][]byte, *tpke.PVSS, error) {
+func (tkg *thresholdKeyGroup) reshareRecovered(size int, threshold int) ([]*big.Int, *tpke.PVSS, error) {
 	// Collect all shares
 	is := make([]int, 0)
 	fis := make([]*big.Int, 0)
@@ -156,37 +155,17 @@ func (tkg *thresholdKeyGroup) reshareRecovered(threshold int, messagePubKeys []*
 	}
 	// Recover the secret
 	tkg.localSecret = tpke.RecoverSecret(is[:threshold], fis[:threshold])
-	return tkg.reshare(messagePubKeys)
+	return tkg.reshare(size)
 }
 
-// generateShareMessages generates secret sharing messages.
+// generateShares generates shares from a secret.
 // Secret shares can be decrypted by specific receivers, but pvss is public.
-func generateShareMessages(secret *tpke.Secret, messagePubkeys []*ecies.PublicKey) ([][]byte, *tpke.PVSS, error) {
+func generateShares(secret *tpke.Secret, size int) ([]*big.Int, *tpke.PVSS) {
 	// Random value for pvss generation
 	randR := randScalar()
-	size := len(messagePubkeys)
 	pvss, ss := tpke.GenerateSecretShares(randR, size, secret)
-	// Generate message
-	messages := make([][]byte, size)
-	for i, key := range messagePubkeys {
-		if key == nil {
-			return nil, nil, ErrInvalidMessageKey
-		}
-		messages[i] = encryptShareMessage(key, ss[i].Bytes())
-	}
-
-	return messages, pvss, nil
-}
 
-func encryptShareMessage(pub *ecies.PublicKey, share []byte) []byte {
-	nonce, ess, _, bigR := encryption.ECIESEncrypt(pub, share)
-	bigRBytes := bigR.RawBytes()
-	// len(message)=64+12+len(ess)
-	msg := make([]byte, 0)
-	msg = append(msg, bigRBytes[:]...)
-	msg = append(msg, nonce...)
-	msg = append(msg, ess...)
-	return msg
+	return ss, pvss
 }
 
 // receiveShareMessage verifies received sharing messages. It verifies shared

antimev/keystore.go

@@ -220,77 +220,54 @@ func (ks *KeyStore) OnRecoverPeriodStart() {
 	ks.recovering = newThresholdKeyGroup(ks.size)
 }
 
-// DKGReshare generates and returns resharing messages and pvss. The input key
-// array should be ordered by DKG index, e.g. keystore will use 1 as the index
-// to generate a reshare message for messagePubKeys[0].
-func (ks *KeyStore) DKGReshare(messagePubKeys []*ecies.PublicKey) ([][]byte, []byte, error) {
+// DKGReshare generates and returns resharing secrets and pvss.
+func (ks *KeyStore) DKGReshare() ([]*big.Int, []byte, error) {
 	if ks.shared == nil {
 		return nil, nil, ErrKeyGroupNotExists
 	}
-	if len(messagePubKeys) != ks.size {
-		return nil, nil, ErrInvalidLength
-	}
-	// Generate secret resharing messages and pvss
-	rMsgs, rPvss, err := ks.shared.reshare(messagePubKeys)
+	// Generate secret resharing secrets and pvss
+	rss, rPvss, err := ks.shared.reshare(ks.size)
 	if err != nil {
 		return nil, nil, err
 	}
 	// No data changed so no need to persist
-	return rMsgs, rPvss.Encode(), nil
+	return rss, rPvss.Encode(), nil
 }
 
-// DKGShare generates and returns sharing messages and pvss. The input key array
-// should be ordered by DKG index, e.g. keystore will use 1 as the index to
-// generate a share message for messagePubKeys[0].
-func (ks *KeyStore) DKGShare(messagePubKeys []*ecies.PublicKey) ([][]byte, []byte, error) {
+// DKGShare generates and returns sharing secrets and pvss.
+func (ks *KeyStore) DKGShare() ([]*big.Int, []byte, error) {
 	if ks.sharing == nil {
 		return nil, nil, ErrKeyGroupNotExists
 	}
-	if len(messagePubKeys) != ks.size {
-		return nil, nil, ErrInvalidLength
-	}
-	// Generate secret sharing messages and pvss
-	sMsgs, sPvss, err := ks.sharing.prepare(ks.threshold, messagePubKeys)
-	if err != nil {
-		return nil, nil, err
-	}
-	return sMsgs, sPvss.Encode(), nil
+	// Generate sharing secrets and pvss
+	ss, sPvss := ks.sharing.prepare(ks.size, ks.threshold)
+	return ss, sPvss.Encode(), nil
 }
 
-// DKGRecover generates and returns recovering messages and pvss. The input index
-// should be a DKG index starts from 1, and the size of two inputs should be the
-// same.
-func (ks *KeyStore) DKGRecover(indexes []int, messagePubKeys []*ecies.PublicKey) ([][]byte, error) {
+// DKGRecover generates and returns recovering secrets and pvss.
+func (ks *KeyStore) DKGRecover(indexes []int) ([]*big.Int, error) {
 	if ks.shared == nil {
 		return nil, ErrKeyGroupNotExists
 	}
-	if len(indexes) != len(messagePubKeys) {
-		return nil, ErrLengthMismatch
-	}
-	if len(messagePubKeys) < 1 {
-		return nil, ErrNoNeedToRecover
-	}
-	if len(messagePubKeys) > ks.size-ks.threshold {
+	if len(indexes) > ks.size-ks.threshold {
 		return nil, ErrUnrecoverable
 	}
-	// Generate secret recovering messages
-	return ks.shared.recover(indexes, messagePubKeys)
+	// Generate recovering secrets
+	return ks.shared.recover(indexes)
 }
 
-// TryRecoverReshare tries to recover a resharing message, should be called when
-// resharing fails and receives a recover message. It returns resharing messages
-// immediately if recoverd, otherwise an error. The input key array should be
-// ordered by DKG index, e.g. keystore will use 1 as the index to generate a
-// share message for messagePubKeys[0].
-func (ks *KeyStore) TryRecoverReshare(messagePubKeys []*ecies.PublicKey) ([][]byte, []byte, error) {
+// TryRecoverReshare tries to recover a local secret, should be called when
+// resharing fails and receives a recover message. It returns resharing secrets
+// immediately if recoverd, otherwise an error.
+func (ks *KeyStore) TryRecoverReshare() ([]*big.Int, []byte, error) {
 	if ks.recovering == nil {
 		return nil, nil, ErrKeyGroupNotExists
 	}
-	msgs, pvss, err := ks.recovering.reshareRecovered(ks.threshold, messagePubKeys)
+	ss, pvss, err := ks.recovering.reshareRecovered(ks.size, ks.threshold)
 	if err != nil {
 		return nil, nil, err
 	}
-	return msgs, pvss.Encode(), nil
+	return ss, pvss.Encode(), nil
 }
 
 // RevertRound reverts all progress of current round of DKG.