
cggmp24 development #123

Draft · wants to merge 15 commits into m

Conversation

survived (Contributor) commented Dec 11, 2024

This is the branch in which we will work on updating the implementation to the latest revision of the CGGMP paper.

Note that cggmp24/m is a protected branch; like m, it requires a PR for any modification.

Upgrade plan:

  1. Merge paillier-zk repo into the cggmp repo
  2. Develop new ZK proofs needed for cggmp24
  3. Update the cggmp implementation
  4. Write migration guidelines
  5. Rename repo into cggmp24
  6. Release new library under cggmp24 name
  7. Legacy cggmp21 will get its own cggmp21/m protected branch reserved for security patches

This is the branch in which we will work on updating implementation to
the latest revision of CGGMP paper

Signed-off-by: Denis Varlakov <[email protected]>
survived (Contributor, Author):

@maurges does the plan look okay?


maurges (Contributor) commented Dec 11, 2024

Sounds reasonable. We can even do the moving of zk-proofs here before starting to work on cggmp24.

I'm not sure we want to rename just the repo. I think the old repo name should stay in some form (didn't we have enough problems with branches disappearing? imagine a whole repo). Maybe we could rename the repo and make a fork under the old name, and immediately archive it.

survived (Contributor, Author):

I don't anticipate any problems, as GitHub will be redirecting old URLs, so even if we have git dependencies (I don't think we do), they will get resolved with the new URL automatically.

survived changed the title from "cggmp24 development start" to "cggmp24 development" on Dec 11, 2024
maurges (Contributor) commented Dec 12, 2024

> github will be redirecting old urls

It's not guaranteed that it will; it even says so when you rename a repo.

survived (Contributor, Author):

> It's not guaranteed it will do, it even says so when you rename a repo

But it does, e.g. https://github.com/LFDT-Lockness/slip-10 still redirects to the new repo.

The new release is going to be a breaking change, so it's okay even if git deps get broken.

Signed-off-by: Denis Varlakov <[email protected]>
maurges (Contributor) commented Dec 13, 2024

It does redirect, but it's not guaranteed that it will, or that it will do so forever.

> The new release is going to be a breaking change, so it's okay even if git deps get broken

That's why I'm saying we should put an old version on the old URL.

survived (Contributor, Author):

> > The new release is going to be a breaking change, so it's okay even if git deps get broken
>
> That's why I'm saying we should put an old version on the old URL

I see. Yes, it would be nice, but I want the repo name to reflect the crate name, and I don't want to keep the old one just to keep projects that use cggmp21 as a git dependency intact.

github-actions bot commented Dec 18, 2024

Crate direct deps

Direct deps
cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/cggmp21-keygen)
digest v0.10.6
futures v0.3.24
generic-ec v0.4.1
generic-ec-zkp v0.4.1
hex v0.4.3
key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/key-share)
paillier-zk v0.4.2 (/home/runner/work/cggmp21/cggmp21/pr_branch/paillier-zk)
rand_core v0.6.4
rand_hash v0.1.0
round-based v0.4.1
serde v1.0.193
serde_with v2.3.3
sha2 v0.10.6
thiserror v1.0.48
udigest v0.2.1

Compared to base branch

Diff
--- direct-deps-base	2025-01-21 16:01:11.907734601 +0000
+++ direct-deps-pr	2025-01-21 16:01:12.187740026 +0000
@@ -1 +1 @@
-cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/base_branch/cggmp21-keygen)
+cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/cggmp21-keygen)
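Review bot: the only difference in this hunk is the checkout directory (`base_branch` vs `pr_branch`), not the dependency itself, so cggmp21-keygen is reported as changed when nothing about it changed. The dependency-report job should strip or normalize the workspace path prefix before diffing the two lists; otherwise every path dependency shows up as a change in every PR and the real changes are buried in that noise.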
@@ -7,2 +7,2 @@
-key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/base_branch/key-share)
-paillier-zk v0.4.1
+key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/key-share)
+paillier-zk v0.4.2 (/home/runner/work/cggmp21/cggmp21/pr_branch/paillier-zk)
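Review bot: paillier-zk moves from the crates.io release v0.4.1 to an in-tree path dependency at v0.4.2, which is step 1 of the upgrade plan, but it also means the crate is no longer pinned to a published release with a lockfile checksum; its version, changelog and release cadence now have to be managed as part of this workspace, and the bump to v0.4.2 should be an explicit release decision rather than something implied by the path dependency. The key-share line in this hunk, like the hunk above, differs only in checkout path.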

All deps

cargo tree
cggmp21 v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/cggmp21)
├── cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/cggmp21-keygen)
│   ├── digest v0.10.6
│   │   ├── block-buffer v0.10.3
│   │   │   └── generic-array v0.14.6
│   │   │       ├── serde v1.0.193
│   │   │       │   └── serde_derive v1.0.193 (proc-macro)
│   │   │       │       ├── proc-macro2 v1.0.92
│   │   │       │       │   └── unicode-ident v1.0.4
│   │   │       │       ├── quote v1.0.37
│   │   │       │       │   └── proc-macro2 v1.0.92 (*)
│   │   │       │       └── syn v2.0.90
│   │   │       │           ├── proc-macro2 v1.0.92 (*)
│   │   │       │           ├── quote v1.0.37 (*)
│   │   │       │           └── unicode-ident v1.0.4
│   │   │       └── typenum v1.15.0
│   │   └── crypto-common v0.1.6
│   │       ├── generic-array v0.14.6 (*)
│   │       └── typenum v1.15.0
│   ├── displaydoc v0.2.5 (proc-macro)
│   │   ├── proc-macro2 v1.0.92 (*)
│   │   ├── quote v1.0.37 (*)
│   │   └── syn v2.0.90 (*)
│   ├── futures-util v0.3.24
│   │   ├── futures-core v0.3.24
│   │   ├── futures-sink v0.3.24
│   │   ├── futures-task v0.3.24
│   │   ├── pin-project-lite v0.2.9
│   │   └── pin-utils v0.1.0
│   ├── generic-ec v0.4.1
│   │   ├── digest v0.10.6 (*)
│   │   ├── generic-ec-core v0.2.0
│   │   │   ├── generic-array v0.14.6 (*)
│   │   │   ├── rand_core v0.6.4
│   │   │   ├── serde v1.0.193 (*)
│   │   │   ├── subtle v2.4.1
│   │   │   └── zeroize v1.6.0
│   │   │       └── zeroize_derive v1.3.2 (proc-macro)
│   │   │           ├── proc-macro2 v1.0.92 (*)
│   │   │           ├── quote v1.0.37 (*)
│   │   │           ├── syn v1.0.101
│   │   │           │   ├── proc-macro2 v1.0.92 (*)
│   │   │           │   ├── quote v1.0.37 (*)
│   │   │           │   └── unicode-ident v1.0.4
│   │   │           └── synstructure v0.12.6
│   │   │               ├── proc-macro2 v1.0.92 (*)
│   │   │               ├── quote v1.0.37 (*)
│   │   │               ├── syn v1.0.101 (*)
│   │   │               └── unicode-xid v0.2.4
│   │   ├── hex v0.4.3
│   │   │   └── serde v1.0.193 (*)
│   │   ├── phantom-type v0.4.2
│   │   │   └── educe v0.4.19 (proc-macro)
│   │   │       ├── enum-ordinalize v3.1.11 (proc-macro)
│   │   │       │   ├── num-bigint v0.4.3
│   │   │       │   │   ├── num-integer v0.1.45
│   │   │       │   │   │   └── num-traits v0.2.15
│   │   │       │   │   └── num-traits v0.2.15
│   │   │       │   ├── num-traits v0.2.15
│   │   │       │   ├── proc-macro2 v1.0.92 (*)
│   │   │       │   ├── quote v1.0.37 (*)
│   │   │       │   └── syn v1.0.101 (*)
│   │   │       ├── proc-macro2 v1.0.92 (*)
│   │   │       ├── quote v1.0.37 (*)
│   │   │       └── syn v1.0.101 (*)
│   │   ├── rand_core v0.6.4
│   │   ├── rand_hash v0.1.0
│   │   │   ├── digest v0.10.6 (*)
│   │   │   ├── rand_core v0.6.4
│   │   │   └── udigest v0.2.1
│   │   │       ├── digest v0.10.6 (*)
│   │   │       └── udigest-derive v0.3.0 (proc-macro)
│   │   │           ├── proc-macro2 v1.0.92 (*)
│   │   │           ├── quote v1.0.37 (*)
│   │   │           └── syn v2.0.90 (*)
│   │   ├── serde v1.0.193 (*)
│   │   ├── serde_with v2.3.3
│   │   │   ├── serde v1.0.193 (*)
│   │   │   └── serde_with_macros v2.3.3 (proc-macro)
│   │   │       ├── darling v0.20.1
│   │   │       │   ├── darling_core v0.20.1
│   │   │       │   │   ├── fnv v1.0.7
│   │   │       │   │   ├── ident_case v1.0.1
│   │   │       │   │   ├── proc-macro2 v1.0.92 (*)
│   │   │       │   │   ├── quote v1.0.37 (*)
│   │   │       │   │   ├── strsim v0.10.0
│   │   │       │   │   └── syn v2.0.90 (*)
│   │   │       │   └── darling_macro v0.20.1 (proc-macro)
│   │   │       │       ├── darling_core v0.20.1 (*)
│   │   │       │       ├── quote v1.0.37 (*)
│   │   │       │       └── syn v2.0.90 (*)
│   │   │       ├── proc-macro2 v1.0.92 (*)
│   │   │       ├── quote v1.0.37 (*)
│   │   │       └── syn v2.0.90 (*)
│   │   ├── subtle v2.4.1
│   │   ├── udigest v0.2.1 (*)
│   │   └── zeroize v1.6.0 (*)
│   ├── generic-ec-zkp v0.4.1
│   │   ├── generic-array v0.14.6 (*)
│   │   ├── generic-ec v0.4.1 (*)
│   │   ├── rand_core v0.6.4
│   │   ├── serde v1.0.193 (*)
│   │   ├── subtle v2.4.1
│   │   └── udigest v0.2.1 (*)
│   ├── hex v0.4.3 (*)
│   ├── key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/key-share)
│   │   ├── displaydoc v0.2.5 (proc-macro) (*)
│   │   ├── generic-ec v0.4.1 (*)
│   │   ├── generic-ec-zkp v0.4.1 (*)
│   │   ├── hex v0.4.3 (*)
│   │   ├── serde v1.0.193 (*)
│   │   ├── serde_with v2.3.3 (*)
│   │   └── thiserror v1.0.48
│   │       └── thiserror-impl v1.0.48 (proc-macro)
│   │           ├── proc-macro2 v1.0.92 (*)
│   │           ├── quote v1.0.37 (*)
│   │           └── syn v2.0.90 (*)
│   ├── rand_core v0.6.4
│   ├── round-based v0.4.1
│   │   ├── futures-util v0.3.24 (*)
│   │   ├── phantom-type v0.3.1
│   │   │   └── educe v0.4.19 (proc-macro) (*)
│   │   ├── round-based-derive v0.2.2 (proc-macro)
│   │   │   ├── proc-macro2 v1.0.92 (*)
│   │   │   ├── quote v1.0.37 (*)
│   │   │   └── syn v1.0.101 (*)
│   │   ├── thiserror v2.0.4
│   │   │   └── thiserror-impl v2.0.4 (proc-macro)
│   │   │       ├── proc-macro2 v1.0.92 (*)
│   │   │       ├── quote v1.0.37 (*)
│   │   │       └── syn v2.0.90 (*)
│   │   └── tracing v0.1.36
│   │       ├── cfg-if v1.0.0
│   │       ├── pin-project-lite v0.2.9
│   │       └── tracing-core v0.1.29
│   ├── serde v1.0.193 (*)
│   ├── serde_with v2.3.3 (*)
│   ├── sha2 v0.10.6
│   │   ├── cfg-if v1.0.0
│   │   ├── cpufeatures v0.2.12
│   │   └── digest v0.10.6 (*)
│   ├── thiserror v1.0.48 (*)
│   └── udigest v0.2.1 (*)
├── digest v0.10.6 (*)
├── futures v0.3.24
│   ├── futures-channel v0.3.24
│   │   ├── futures-core v0.3.24
│   │   └── futures-sink v0.3.24
│   ├── futures-core v0.3.24
│   ├── futures-io v0.3.24
│   ├── futures-sink v0.3.24
│   ├── futures-task v0.3.24
│   └── futures-util v0.3.24 (*)
├── generic-ec v0.4.1 (*)
├── generic-ec-zkp v0.4.1 (*)
├── hex v0.4.3 (*)
├── key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/key-share) (*)
├── paillier-zk v0.4.2 (/home/runner/work/cggmp21/cggmp21/pr_branch/paillier-zk)
│   ├── digest v0.10.6 (*)
│   ├── fast-paillier v0.1.0
│   │   ├── bytemuck v1.13.1
│   │   │   └── bytemuck_derive v1.4.1 (proc-macro)
│   │   │       ├── proc-macro2 v1.0.92 (*)
│   │   │       ├── quote v1.0.37 (*)
│   │   │       └── syn v2.0.90 (*)
│   │   ├── rand_core v0.6.4
│   │   ├── rug v1.21.0
│   │   │   ├── az v1.2.1
│   │   │   ├── gmp-mpfr-sys v1.6.1
│   │   │   │   └── libc v0.2.153
│   │   │   ├── libc v0.2.153
│   │   │   └── serde v1.0.193 (*)
│   │   ├── serde v1.0.193 (*)
│   │   └── thiserror v1.0.48 (*)
│   ├── generic-ec v0.4.1 (*)
│   ├── rand_core v0.6.4
│   ├── rand_hash v0.1.0 (*)
│   ├── rug v1.21.0 (*)
│   ├── serde v1.0.193 (*)
│   ├── serde_with v3.0.0
│   │   ├── serde v1.0.193 (*)
│   │   └── serde_with_macros v3.0.0 (proc-macro)
│   │       ├── darling v0.20.1 (*)
│   │       ├── proc-macro2 v1.0.92 (*)
│   │       ├── quote v1.0.37 (*)
│   │       └── syn v2.0.90 (*)
│   ├── thiserror v1.0.48 (*)
│   └── udigest v0.2.1 (*)
├── rand_core v0.6.4
├── rand_hash v0.1.0 (*)
├── round-based v0.4.1 (*)
├── serde v1.0.193 (*)
├── serde_with v2.3.3 (*)
├── sha2 v0.10.6 (*)
├── thiserror v1.0.48 (*)
└── udigest v0.2.1 (*)

Compared to base branch

Diff
--- all-deps-base	2025-01-21 16:01:12.041737197 +0000
+++ all-deps-pr	2025-01-21 16:01:12.319742606 +0000
@@ -6 +6 @@
-cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/base_branch/cggmp21-keygen)
+cggmp21-keygen v0.5.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/cggmp21-keygen)
@@ -32 +32 @@
-key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/base_branch/key-share)
+key-share v0.6.0 (/home/runner/work/cggmp21/cggmp21/pr_branch/key-share)
@@ -37 +37 @@
-paillier-zk v0.4.1
+paillier-zk v0.4.2 (/home/runner/work/cggmp21/cggmp21/pr_branch/paillier-zk)
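Review bot: with paillier-zk now built from the workspace, the cargo tree above carries two major versions of serde_with (v3.0.0 under paillier-zk, v2.3.3 under cggmp21-keygen and key-share) and two of thiserror (v2.0.4 under round-based, v1.0.48 everywhere else). Since paillier-zk is in-tree now, aligning its serde_with with the version the rest of the workspace uses is a cheap cleanup that removes a duplicated dependency from the build and from the audit surface.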

github-actions bot commented Dec 18, 2024

The spec was successfully compiled. PDF is available here.

github-actions bot commented Dec 18, 2024

Benchmark Result

Benchmarks
RUST_TESTS_SEED=0da80068c22292a40ae533a718b0390aaa5f1ed11e2e77ecd3b85ec5bba57396
n = 3

Non-threshold DKG
Protocol Performance:
  - Protocol took 428.15µs to complete
In particular:
  - Stage: 6.50µs
    - Setup networking: 6.18µs (95.1%)
    - Unstaged: 321.00ns (4.9%)
  - Round 1: 147.86µs
    - Sample x_i, rid_i, chain_code: 66.95µs (45.3%)
    - Sample schnorr commitment: 58.58µs (39.6%)
    - Commit to public data: 22.00µs (14.9%)
    - Unstaged: 331.00ns (0.2%)
  - Round 2: 1.27µs
    - Hash received msgs (reliability check): 1.05µs (82.6%)
    - Unstaged: 221.00ns (17.4%)
  - Round 3: 281.00ns
    - Assert other parties hashed messages (reliability check): 171.00ns (60.9%)
    - Unstaged: 110.00ns (39.1%)
  - Round 4: 36.06µs
    - Validate decommitments: 32.86µs (91.1%)
    - Calculate chain_code: 661.00ns (1.8%)
    - Calculate challege rid: 2.20µs (6.1%)
    - Prove knowledge of `x_i`: 190.00ns (0.5%)
    - Unstaged: 151.00ns (0.4%)
  - Round 5: 236.18µs
    - Validate schnorr proofs: 235.85µs (99.9%)
    - Unstaged: 330.00ns (0.1%)


Threshold DKG
Protocol Performance:
  - Protocol took 1.32ms to complete
In particular:
  - Stage: 2.09µs
    - Setup networking: 2.01µs (96.2%)
    - Unstaged: 80.00ns (3.8%)
  - Round 1: 202.32µs
    - Sample rid_i, schnorr commitment, polynomial, chain_code: 177.40µs (87.7%)
    - Commit to public data: 24.68µs (12.2%)
    - Unstaged: 240.00ns (0.1%)
  - Round 2: 1.20µs
    - Hash received msgs (reliability check): 1.04µs (86.7%)
    - Unstaged: 160.00ns (13.3%)
  - Round 3: 341.00ns
    - Assert other parties hashed messages (reliability check): 221.00ns (64.8%)
    - Unstaged: 120.00ns (35.2%)
  - Round 4: 815.88µs
    - Validate decommitments: 48.04µs (5.9%)
    - Validate data size: 390.00ns (0.0%)
    - Validate Feldmann VSS: 375.94µs (46.1%)
    - Compute rid: 290.00ns (0.0%)
    - Compute chain_code: 882.00ns (0.1%)
    - Compute Ys: 356.55µs (43.7%)
    - Compute sigma: 450.00ns (0.1%)
    - Calculate challenge: 32.87µs (4.0%)
    - Prove knowledge of `sigma_i`: 281.00ns (0.0%)
    - Unstaged: 181.00ns (0.0%)
  - Round 5: 300.89µs
    - Validate schnorr proofs: 299.60µs (99.6%)
    - Derive resulting public key and other data: 1.03µs (0.3%)
    - Unstaged: 260.00ns (0.1%)


Auxiliary data generation protocol
Protocol Performance:
  - Protocol took 9.61s to complete
In particular:
  - Stage: 17.36µs
    - Retrieve auxiliary data: 220.00ns (1.3%)
    - Setup networking: 17.05µs (98.2%)
    - Unstaged: 91.00ns (0.5%)
  - Round 1: 1.17s
    - Retrieve primes (p and q): 130.00ns (0.0%)
    - Compute paillier decryption key (N): 3.21µs (0.0%)
    - Generate auxiliary params r, λ, t, s: 9.05ms (0.8%)
    - Prove Πprm (ψˆ_i): 1.16s (99.2%)
    - Sample random bytes: 3.08µs (0.0%)
    - Compute hash commitment and sample decommitment: 300.07µs (0.0%)
    - Unstaged: 240.00ns (0.0%)
  - Round 2: 1.79µs
    - Hash received msgs (reliability check): 1.20µs (67.0%)
    - Unstaged: 591.00ns (33.0%)
  - Round 3: 341.00ns
    - Assert other parties hashed messages (reliability check): 181.00ns (53.1%)
    - Unstaged: 160.00ns (46.9%)
  - Round 4: 5.93s
    - Validate round 1 decommitments: 606.86µs (0.0%)
    - Validate П_prm (ψ_i): 2.31s (38.9%)
    - Add together shared random bytes: 1.16µs (0.0%)
    - Compute П_mod (ψ_i): 3.45s (58.1%)
    - Assemble security params for П_fac (ф_i): 8.20µs (0.0%)
    - Compute П_fac (ф_i^j): 172.34ms (2.9%)
    - Unstaged: 903.00ns (0.0%)
  - Round 5: 2.50s
    - Validate ψ_j (П_mod): 2.33s (93.1%)
    - Validate ф_j (П_fac): 173.10ms (6.9%)
    - Assemble auxiliary info: 143.64µs (0.0%)
    - Unstaged: 2.54µs (0.0%)


Signing protocol
Protocol Performance:
  - Protocol took 1.60s to complete
In particular:
  - Stage: 142.64µs
    - Map t-out-of-n protocol to t-out-of-t: 73.50µs (51.5%)
    - Retrieve auxiliary data: 65.08µs (45.6%)
    - Precompute execution id and security params: 421.00ns (0.3%)
    - Setup networking: 3.46µs (2.4%)
    - Unstaged: 180.00ns (0.1%)
  - Round 1: 117.79ms
    - Generate local ephemeral secrets (k_i, y_i, p_i, v_i): 48.13µs (0.0%)
    - Encrypt G_i and K_i: 35.98ms (30.5%)
    - Prove ψ0_j: 81.77ms (69.4%)
    - Unstaged: 692.00ns (0.0%)
  - Round 2: 15.54µs
    - Hash received msgs (reliability check): 15.18µs (97.7%)
    - Unstaged: 361.00ns (2.3%)
  - Round 3: 807.41ms
    - Assert other parties hashed messages (reliability check): 801.00ns (0.0%)
    - Verify psi0 proofs: 92.69ms (11.5%)
    - Sample random r, hat_r, s, hat_s, beta, hat_beta: 17.59µs (0.0%)
    - Encrypt D_ji: 70.64ms (8.7%)
    - Encrypt F_ji: 35.91ms (4.4%)
    - Encrypt hat_D_ji: 70.54ms (8.7%)
    - Encrypt hat_F_ji: 36.01ms (4.5%)
    - Prove psi_ji: 209.92ms (26.0%)
    - Prove psiˆ_ji: 209.92ms (26.0%)
    - Prove psi_prime_ji : 81.75ms (10.1%)
    - Unstaged: 3.65µs (0.0%)
  - Round 4: 578.39ms
    - Retrieve auxiliary data: 5.04µs (0.0%)
    - Validate psi: 165.41ms (28.6%)
    - Validate hat_psi: 165.45ms (28.6%)
    - Validate psi_prime: 93.63ms (16.2%)
    - Compute Gamma, Delta_i, delta_i, chi_i: 72.28ms (12.5%)
    - Prove psi_prime_prime: 81.61ms (14.1%)
    - Unstaged: 691.00ns (0.0%)
  - Presig output: 93.17ms
    - Validate psi_prime_prime: 93.03ms (99.9%)
    - Calculate presignature: 134.44µs (0.1%)
    - Unstaged: 1.22µs (0.0%)
  - Partial signing: 8.89µs
  - Signature reconstruction: 196.63µs


survived (Contributor, Author) commented Jan 8, 2025

@maurges just to add to this discussion: actually, we have already changed the repo URL in the past, when we migrated from the dfns org to LFDT, so why not do it again? I don't see how anybody could reasonably expect stability from git dependencies...
