catch up functionality

Author: ross-pure

keygen.go

@@ -5,6 +5,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"sort"
 
 	"github.com/renproject/secp256k1"
 )
@@ -73,13 +74,14 @@ func NewEmptyDKGState(n, t int) DKGState {
 	return DKGState{
 		Coefficients: coefficients,
 
+		Step:        1,
 		Commitments: commitments,
 		Shares:      shares,
 	}
 }
 
 func (state *DKGState) Reset() {
-	state.Coefficients = state.Coefficients[:0]
+	state.Step = 1
 
 	for index := range state.Commitments {
 		delete(state.Commitments, index)
@@ -90,14 +92,8 @@ func (state *DKGState) Reset() {
 	}
 }
 
-func DKGStart(state *DKGState, t int, ownIndex uint16, context [32]byte) DKGMessage {
-	state.Step = 1
-	for index := range state.Commitments {
-		delete(state.Commitments, index)
-	}
-	for index := range state.Shares {
-		delete(state.Shares, index)
-	}
+func DKGStart(state *DKGState, info *DKGCatchUpInfo, t int, ownIndex uint16, context [32]byte) DKGMessage {
+	state.Reset()
 
 	coeffs := make([]secp256k1.Fn, t)
 	for i := range coeffs {
@@ -110,6 +106,9 @@ func DKGStart(state *DKGState, t int, ownIndex uint16, context [32]byte) DKGMess
 		commitments[i].BaseExp(&coeffs[i])
 	}
 
+	// @Performance: In the future we might want to reuse the memory of
+	// state.Commitments between executions. This would require potential
+	// resizing to the call to Reset.
 	state.Commitments[ownIndex] = commitments
 
 	var r secp256k1.Point
@@ -124,6 +123,16 @@ func DKGStart(state *DKGState, t int, ownIndex uint16, context [32]byte) DKGMess
 
 	proof := Proof{R: r, Mu: mu}
 
+	if info != nil {
+		info.Commitments = make([]secp256k1.Point, t)
+		copy(info.Commitments, commitments)
+
+		info.Proof = proof
+
+		info.Coefficients = make([]secp256k1.Fn, t)
+		copy(info.Coefficients, coeffs)
+	}
+
 	data := make([]byte, ProofLenMarshalled+t*secp256k1.PointSizeMarshalled)
 	proof.PutBytes(data[:ProofLenMarshalled])
 	tail := data[ProofLenMarshalled:]
@@ -205,7 +214,7 @@ func DKGHandleShare(state *DKGState, ownIndex, from uint16, share secp256k1.Fn)
 	return nil
 }
 
-func DKGHandleMessage(state *DKGState, ownIndex uint16, indices []uint16, t int, context [32]byte, message DKGMessage, from uint16) (bool, DKGOutput, []DKGMessageTo, error) {
+func DKGHandleMessage(state *DKGState, info *DKGCatchUpInfo, ownIndex uint16, indices []uint16, t int, context [32]byte, message DKGMessage, from uint16) (bool, DKGOutput, []DKGMessageTo, error) {
 	n := len(indices)
 
 	switch message.Type {
@@ -244,7 +253,7 @@ func DKGHandleMessage(state *DKGState, ownIndex uint16, indices []uint16, t int,
 		}
 
 		if len(state.Commitments) == n {
-			return transitionToStep2(state, ownIndex, indices)
+			return transitionToStep2(state, info, ownIndex, indices)
 		} else {
 			return false, DKGOutput{}, nil, nil
 		}
@@ -272,7 +281,7 @@ func DKGHandleMessage(state *DKGState, ownIndex uint16, indices []uint16, t int,
 	}
 }
 
-func DKGHandleTimeout(state *DKGState, ownIndex uint16, indices []uint16, t int) (bool, DKGOutput, []DKGMessageTo, error) {
+func DKGHandleTimeout(state *DKGState, info *DKGCatchUpInfo, ownIndex uint16, indices []uint16, t int) (bool, DKGOutput, []DKGMessageTo, error) {
 	if state.Step != 1 {
 		return false, DKGOutput{}, nil, nil
 	}
@@ -281,10 +290,10 @@ func DKGHandleTimeout(state *DKGState, ownIndex uint16, indices []uint16, t int)
 		return false, DKGOutput{}, nil, fmt.Errorf("timeout before obtaining sufficient commitments: needed at least %v, got %v", t, len(state.Commitments))
 	}
 
-	return transitionToStep2(state, ownIndex, indices)
+	return transitionToStep2(state, info, ownIndex, indices)
 }
 
-func transitionToStep2(state *DKGState, ownIndex uint16, indices []uint16) (bool, DKGOutput, []DKGMessageTo, error) {
+func transitionToStep2(state *DKGState, info *DKGCatchUpInfo, ownIndex uint16, indices []uint16) (bool, DKGOutput, []DKGMessageTo, error) {
 	shareMessages := make([]DKGMessageTo, 0, len(state.Commitments)-1)
 	for index := range state.Commitments {
 		if index == ownIndex {
@@ -311,6 +320,15 @@ func transitionToStep2(state *DKGState, ownIndex uint16, indices []uint16) (bool
 		return true, computeOutputs(state, indices, ownIndex), nil, nil
 	}
 
+	if info != nil {
+		info.IndexSubset = make([]uint16, 0, len(state.Commitments))
+		for index := range state.Commitments {
+			info.IndexSubset = append(info.IndexSubset, index)
+		}
+
+		sort.Slice(info.IndexSubset, func(i, j int) bool { return info.IndexSubset[i] < info.IndexSubset[j] })
+	}
+
 	return false, DKGOutput{}, shareMessages, nil
 }
 
@@ -388,3 +406,97 @@ func computeOutputs(state *DKGState, indices []uint16, ownIndex uint16) DKGOutpu
 
 	return DKGOutput{Share: share, PubKey: pubKey, PubKeyShares: pubKeyShares}
 }
+
+type DKGCatchUpInfo struct {
+	Commitments []secp256k1.Point
+	Proof
+	Coefficients []secp256k1.Fn
+	IndexSubset  []uint16
+}
+
+func commitmentsMsgLen(t int) int {
+	return 1 + t*secp256k1.PointSizeMarshalled + ProofLenMarshalled
+}
+
+func shareMsgLen() int {
+	return 1 + secp256k1.FnSizeMarshalled
+}
+
+func (info *DKGCatchUpInfo) SerialisedMessage(index uint16) []byte {
+	t := len(info.Coefficients)
+
+	l := commitmentsMsgLen(t) + shareMsgLen() + len(info.IndexSubset)*2
+	bs := make([]byte, l)
+	rem := bs
+
+	rem[0] = DKGTypeContribution
+	rem = rem[1:]
+
+	info.Proof.PutBytes(rem)
+	rem = rem[ProofLenMarshalled:]
+
+	for i := range info.Commitments {
+		info.Commitments[i].PutBytes(rem)
+		rem = rem[secp256k1.PointSizeMarshalled:]
+	}
+
+	rem[0] = DKGTypeShare
+	rem = rem[1:]
+	share := computeShare(index, info.Coefficients)
+	share.PutB32(rem)
+	rem = rem[secp256k1.FnSizeMarshalled:]
+
+	for i := range info.IndexSubset {
+		binary.LittleEndian.PutUint16(rem, info.IndexSubset[i])
+		rem = rem[2:]
+	}
+
+	return bs
+}
+
+type DKGCatchUpMessage struct {
+	IndexSubset    []uint16
+	CommitmentsMsg DKGMessage
+	ShareMsg       DKGMessage
+}
+
+func DKGDeserialiseCatchUpMessage(bs []byte, n, t int) (DKGCatchUpMessage, error) {
+	commitmentsMsgLen := commitmentsMsgLen(t)
+	shareMsgLen := shareMsgLen()
+
+	minLen := commitmentsMsgLen + shareMsgLen + t*2
+	maxLen := commitmentsMsgLen + shareMsgLen + n*2
+
+	if len(bs) < minLen {
+		return DKGCatchUpMessage{}, fmt.Errorf("serialised message too short: expected at least %v bytes, got %v", minLen, len(bs))
+	}
+
+	if len(bs) > maxLen {
+		return DKGCatchUpMessage{}, fmt.Errorf("serialised message too long: expected at most %v bytes, got %v", maxLen, len(bs))
+	}
+
+	commitmentsMsg := DKGMessage{
+		Type: bs[0],
+		Data: bs[1:commitmentsMsgLen],
+	}
+	bs = bs[commitmentsMsgLen:]
+
+	shareMsg := DKGMessage{
+		Type: bs[0],
+		Data: bs[1:shareMsgLen],
+	}
+	bs = bs[shareMsgLen:]
+
+	numIndices := len(bs) / 2
+	indexSubset := make([]uint16, numIndices)
+	for i := range indexSubset {
+		indexSubset[i] = binary.LittleEndian.Uint16(bs)
+		bs = bs[2:]
+	}
+
+	return DKGCatchUpMessage{
+		IndexSubset:    indexSubset,
+		CommitmentsMsg: commitmentsMsg,
+		ShareMsg:       shareMsg,
+	}, nil
+}

keygen_test.go

@@ -73,6 +73,82 @@ var _ = Describe("DKG", func() {
 			outputs := executeDKG(players, step1Timeout)
 			checkOutputs(outputs, n, t, indices)
 		})
+
+		FIt("should allow a node to catch up if it was offline", func() {
+			n := 10
+			t := 5
+
+			indices := sequentialIndices(n)
+			context := [32]byte{}
+			copy(context[:], []byte("context"))
+			step1Timeout := time.Duration(500 * time.Millisecond)
+
+			players := createDKGPlayers(indices, t, context)
+			for i := range players {
+				players[i].enableCatchUpInfo()
+			}
+			for i := 0; i < t; i++ {
+				players[i].online = false
+			}
+
+			outputs := executeDKG(players, step1Timeout)
+
+			for i := range players {
+				if players[i].online {
+					continue
+				}
+
+				msgsFrom := map[uint16]frost.DKGCatchUpMessage{}
+
+				for j := range players {
+					if !players[j].online {
+						continue
+					}
+
+					msgBytes := players[j].info.SerialisedMessage(players[i].index)
+
+					msg, err := frost.DKGDeserialiseCatchUpMessage(msgBytes, n, t)
+					Expect(err).ToNot(HaveOccurred())
+
+					msgsFrom[players[j].index] = msg
+				}
+
+				// TODO(ross): Probably simulate picking the most commonly seen
+				// subset.
+				var indexSubset []uint16
+				for _, msg := range msgsFrom {
+					indexSubset = msg.IndexSubset
+					break
+				}
+
+				for _, index := range indexSubset {
+					done, _, _, err := frost.DKGHandleMessage(&players[i].state, nil, players[i].index, players[i].indices, players[i].t, players[i].context, msgsFrom[index].CommitmentsMsg, index)
+					Expect(err).ToNot(HaveOccurred())
+					Expect(done).To(BeFalse())
+				}
+
+				done, _, _, err := frost.DKGHandleTimeout(&players[i].state, nil, players[i].index, players[i].indices, players[i].t)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(done).To(BeFalse())
+
+				for j, index := range indexSubset {
+					done, output, _, err := frost.DKGHandleMessage(&players[i].state, nil, players[i].index, players[i].indices, players[i].t, players[i].context, msgsFrom[index].ShareMsg, index)
+					Expect(err).ToNot(HaveOccurred())
+					if j != len(indexSubset)-1 {
+						Expect(done).To(BeFalse())
+					} else {
+						Expect(done).To(BeTrue())
+						outputs = append(outputs, dkgSimOutput{
+							index:  players[i].index,
+							output: output,
+							err:    nil,
+						})
+					}
+				}
+			}
+
+			checkOutputs(outputs, n, t, indices)
+		})
 	})
 })
 
@@ -109,10 +185,6 @@ func checkOutputs(outputs []dkgSimOutput, n, t int, indices []uint16) {
 		Expect(outputs[i].output.PubKey.Eq(&expectedPubKey)).To(BeTrue())
 
 		for j := range outputs[i].output.PubKeyShares {
-			if !setContains(outputIndices, indices[j]) {
-				continue
-			}
-
 			Expect(outputs[i].output.PubKeyShares[j].Eq(&expectedPubKeyShares[j])).To(BeTrue())
 		}
 	}
@@ -141,6 +213,7 @@ type dkgPlayer struct {
 	t       int
 	context [32]byte
 	state   frost.DKGState
+	info    *frost.DKGCatchUpInfo
 
 	online  bool
 	aborted bool
@@ -156,6 +229,7 @@ func createDKGPlayers(indices []uint16, t int, context [32]byte) []dkgPlayer {
 			t:       t,
 			context: context,
 			state:   frost.NewEmptyDKGState(len(indices), t),
+			info:    nil,
 
 			online:  true,
 			aborted: false,
@@ -165,6 +239,10 @@ func createDKGPlayers(indices []uint16, t int, context [32]byte) []dkgPlayer {
 	return players
 }
 
+func (player *dkgPlayer) enableCatchUpInfo() {
+	player.info = &frost.DKGCatchUpInfo{}
+}
+
 func (player *dkgPlayer) reset() {
 	player.state.Reset()
 	player.online = true
@@ -184,7 +262,7 @@ func executeDKG(players []dkgPlayer, step1Timeout time.Duration) []dkgSimOutput
 
 	for i := range players {
 		if players[i].online {
-			msg := frost.DKGStart(&players[i].state, players[i].t, players[i].index, players[i].context)
+			msg := frost.DKGStart(&players[i].state, players[i].info, players[i].t, players[i].index, players[i].context)
 			for j := range players {
 				if players[i].index != players[j].index {
 					msgQueue.push(dkgMessage{
@@ -209,7 +287,7 @@ func executeDKG(players []dkgPlayer, step1Timeout time.Duration) []dkgSimOutput
 
 			for i := range players {
 				if players[i].online {
-					done, output, newMessages, err := frost.DKGHandleTimeout(&players[i].state, players[i].index, players[i].indices, players[i].t)
+					done, output, newMessages, err := frost.DKGHandleTimeout(&players[i].state, players[i].info, players[i].index, players[i].indices, players[i].t)
 
 					processHandleOutput(&msgQueue, &players[i], &outputs, done, output, newMessages, err)
 					if simulationDone(players, outputs) {
@@ -236,7 +314,7 @@ func executeDKG(players []dkgPlayer, step1Timeout time.Duration) []dkgSimOutput
 			continue
 		}
 
-		done, output, newMessages, err := frost.DKGHandleMessage(&player.state, player.index, player.indices, player.t, player.context, m.msg, m.from)
+		done, output, newMessages, err := frost.DKGHandleMessage(&player.state, player.info, player.index, player.indices, player.t, player.context, m.msg, m.from)
 
 		processHandleOutput(&msgQueue, player, &outputs, done, output, newMessages, err)
 		if simulationDone(players, outputs) {