Merge pull request #55 from dfns-labs/rug

Update protocol to use non-constant time ops
LFDT-Lockness · Sep 5, 2023 · 3fe9e6a · 3fe9e6a
2 parents 4117bea + 645e669
commit 3fe9e6a
Show file tree

Hide file tree

Showing 21 changed files with 26,016 additions and 8,505 deletions.
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
@@ -21,6 +21,7 @@ jobs:
         ssh-private-key: |
           ${{ secrets.GENERIC_EC_KEY }}
           ${{ secrets.PAILLIER_ZK_KEY }}
+          ${{ secrets.FAST_PAILLIER_KEY }}
     - uses: actions/checkout@v3
       with:
         path: base_branch

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -25,6 +25,7 @@ jobs:
         ssh-private-key: |
           ${{ secrets.GENERIC_EC_KEY }}
           ${{ secrets.PAILLIER_ZK_KEY }}
+          ${{ secrets.FAST_PAILLIER_KEY }}
     - name: Build
       run: cargo build --release
     - uses: actions/upload-artifact@v3

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -138,6 +138,16 @@ Alternatively, you can generate presignature and use it to sign data:
 **Never reuse presignatures!** If you use the same presignature to sign two different messages,
 it leaks private key to anyone who can observe the signatures.
 
+## SPOF code: Key Import and Export
+CGGMP21 protocol is designed to avoid Single Point of Failure by guaranteeing that attacker would
+need to compromise threshold amount of nodes to obtain a secret key. However, some use-cases may
+require you to create a SPOF, for instance, importing an existing key into TSS and exporting key
+from TSS.
+
+Such use-cases contradict to nature of MPC so we don't include those primitives by default.
+However, you may opt for them by enabling `spof` feature, then you can use `trusted_dealer`
+for key import and `key_share::reconstruct_secret_key` for key export.
+
 ## Implementation vs CGGMP21 paper differences
 Original CGGMP21 paper only defines non-threshold (n-out-of-n) protocol. To support threshold
 (t-out-of-n) signing, we defined our own CGGMP21-like key generation and threshold signing
@@ -151,3 +161,9 @@ they are all documented in [the spec].
 [CGGMP21]: https://ia.cr/2021/060
 [the spec]: https://github.com/dfns-labs/cggmp21/tree/m/docs/spec.pdf
 [security guidelines]: #security-guidelines
+
+## Timing attacks
+Timing attacks are type of side-channel attacks that leak sensitive information through duration of
+execution. We consider timing attacks out of scope as they are nearly impossible to perform for such
+complicated protcol as CGGMP21 and impossible to do in our specific deployment. Thus, we intentionally
+don't do constant-time operations which gives us a significant performance boost.
diff --git a/cggmp21/Cargo.toml b/cggmp21/Cargo.toml
@@ -12,7 +12,7 @@ generic-ec = { git = "https://github.com/dfns-labs/generic-ec", branch = "m", fe
 generic-ec-zkp = { git = "https://github.com/dfns-labs/generic-ec", branch = "m", features = ["serde"] }
 round-based = { git = "https://github.com/Zengo-X/round-based-protocol", branch = "round-based2", features = ["derive"] }
 
-paillier-zk = { git = "https://github.com/dfns-labs/paillier-zk", branch = "m", default-features = false, features = ["serde"] }
+paillier-zk = { git = "https://github.com/dfns-labs/paillier-zk", branch = "m", features = ["serde"] }
 
 digest = "0.10"
 sha2 = "0.10"
@@ -38,7 +38,6 @@ rand_chacha = "0.3"
 generic-tests = "0.1"
 
 [features]
-default = ["paillier-zk/gmp"]
 all-curves = ["curve-secp256k1", "curve-secp256r1"]
 curve-secp256k1 = ["generic-ec/curve-secp256k1"]
 curve-secp256r1 = ["generic-ec/curve-secp256r1"]