Skip to content

Clearing the landing for Handover Protocol#186

Merged
cygnusv merged 49 commits intonucypher:rocknrollfrom
cygnusv:spongebob
Apr 14, 2025
Merged

Clearing the landing for Handover Protocol#186
cygnusv merged 49 commits intonucypher:rocknrollfrom
cygnusv:spongebob

Conversation

@cygnusv
Copy link
Copy Markdown
Member

@cygnusv cygnusv commented Mar 7, 2024
edited
Loading

Type of PR:

  • Bugfix
  • Feature
  • Documentation
  • Refactor
  • Other

Required reviews:

How many reviews does the PR author need?

  • 1
  • 2
  • 3

What this does:
... How do I even begin? 😅

The goals of this PR have shifted over time, so sorry for the twists and turns. Initially this PR was intended to implement Refresh & Recovery protocols (see this comment from the this PRs of the R&R epic here #175 (review)) , but I detected several problems along the way with some low-level Ferveo abstractions that weren't used correctly. At roughly the same time I realized two additional things, one bad and another good: (👎) the recovery protocol was more complex than expected since one of their steps requires encrypted protocol messages, which hinders verifiability of protocol objects, and (👍) I came up with the handover protocol that greatly simplifies most of the situations that we wanted to solve via recovery. This forced us to shift again the focus of this PR towards refresh & handover, instead of refresh & recovery.

Some additional context:

The current objectives of this PR are:

  • Make sure we use the correct low-level abstractions when possible (e.g., not using lowest-level entities like G1/G2 points as part of high-level protocols)
  • Refactor refreshing, making sure refresh tests work
  • Break recovery logic that interfered with refactor of refreshing and preparation of handover. Fixing this will have to be handled later Plan what to do with Recovery protocols and tests #193
  • Identify as many open problems as possible and cross-reference them throughout the codebase with an issue

Issues fixed/closed:
None 😅 Even though this PR does a ton of preparatory work, most of it was surfaced while trying to implement refresh & recovery protocols and realizing necessary refactors. In hindsight, it was a bad decision not to open issues along the way instead of trying to fix them in this living PR.

Why it's needed:
This PR is very important since the handover protocol could only be implemented on top of these changes. See #198

Notes for reviewers:
This PR is difficult to review, unless you have relatively deep knowledge of the codebase. Still, there's some commits that are very revealing:

  • b6aac7d, which adds refresh functionality at the API level
  • 096b91c, which shows evolution of refresh at the API level to use proper lower-level abstractions
  • 8296118, one of many examples of using proper lower-level abstractions, in this case PublicKeys instead of EC points directly.
  • b8a4c5c, which removes a function that allows direct blinding of PrivateKeys, which doesn't make sense, since PrivateKeys are always generated through a DKG process which only produces BlindedPrivateKeys (again, an abstraction misconception)
  • cac942a, which defines the notion of UpdateTranscript, the basic protocol object during refresh, recovery and, potentially, handover protocols

@cygnusv cygnusv force-pushed the spongebob branch 3 times, most recently from 6a26e82 to 57f46bd Compare March 18, 2024 21:04
@cygnusv cygnusv mentioned this pull request Mar 19, 2024
Merged
@cygnusv cygnusv changed the base branch from main to rocknroll March 20, 2024 17:07
@cygnusv cygnusv mentioned this pull request May 18, 2024
Open
@cygnusv cygnusv force-pushed the spongebob branch 3 times, most recently from 9ffb75c to 580fcc2 Compare May 27, 2024 10:38
@cygnusv cygnusv force-pushed the spongebob branch 2 times, most recently from 704bdc0 to 2304710 Compare September 23, 2024 20:26
@cygnusv cygnusv changed the title [draft] Spongebob [draft] Handover Protocol (or The PR Formerly Known as Spongebob) Sep 23, 2024
cygnusv and others added 13 commits February 14, 2025 11:06
@cygnusv @piotr-roslaniec
Jammin' with Piotr: draft of share update helpers with verifiability
574d0ba 
Co-authored-by: Piotr Roslaniec <p.roslaniec@gmail.com>
@cygnusv
Distinction between ShareCommitments and TDec PublicKeys
0cfa02e
@cygnusv
Clarifying some refresh tests
1020d00
@cygnusv
Yay! Tests work when blinding is deactivated, so the problem is unbli…
ba6cd93 
…nding

Or more correctly, the problem must be we're not unblinding shares in tests. This makes sense because the new verifiability features for updates were designed to work on top of blinded shares, and these tests were written for the previous share update code
@cygnusv
Some tests fixed: share updating should be done on top of blinded shares
ec9e368 
As suspected 2 commits ago
@cygnusv
ShareUpdate verification method
bf94aba
@cygnusv
Clarification
86469bc
@cygnusv
Verify share update in first tests
e7704db
@cygnusv
UpdateTranscript struct to encapsulate updates and poly commitments
cac942a
@cygnusv
Move methods to create updates from ShareUpdate to UpdateTranscript
40df9ae
@cygnusv
Use UpdateTranscripts instead of ShareUpdate
b63c927
@cygnusv
First version of UpdateTranscript validation
50b2259 
For the moment, just validating share update commitments
@cygnusv
UpdateTranscript validation: add consistency checks with update poly
c83e2d9
@cygnusv cygnusv changed the title [draft] Handover Protocol (or The PR Formerly Known as Spongebob) [draft] Clearing the landing for Handover Protocol Feb 17, 2025
@cygnusv
Code areas marked for refactor or removal
35eb653 
See #197
@cygnusv
Common test parameters for shares_num and threshold
66bfd37 
Two reasons:
* We don't consider the case for num_validators != shares_num, so all the places that account for this can be refactored (see #197)
* We always need to consider the case when threshold == shares_num because some tests have failed in the past in this situation.
@cygnusv
At the API level, use local type for Refresh Transcripts
664f8ea
@cygnusv
Remove unnecessary code in context.rs
0efb567 
* PublicDecryptionContextFast was unused (we use the simple variant)
* Remove h parameter in the simple one, which has some simplifying downstream effects
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 18, 2025

Codecov Report

Attention: Patch coverage is 74.24658% with 188 lines in your changes missing coverage. Please review.

Project coverage is 72.32%. Comparing base (4713848) to head (0efb567).
Report is 19 commits behind head on rocknroll.

Files with missing lines Patch % Lines
ferveo/src/refresh.rs 71.87% 81 Missing ⚠️
ferveo/src/lib.rs 45.76% 64 Missing ⚠️
ferveo/src/api.rs 74.63% 35 Missing ⚠️
ferveo/src/bindings_python.rs 71.42% 4 Missing ⚠️
ferveo/src/bindings_wasm.rs 0.00% 4 Missing ⚠️
Additional details and impacted files 
@@              Coverage Diff              @@
##           rocknroll     #186      +/-   ##
=============================================
- Coverage      79.76%   72.32%   -7.44%     
=============================================
  Files             24       24              
  Lines           5856     5460     -396     
=============================================
- Hits            4671     3949     -722     
- Misses          1185     1511     +326

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cygnusv
Remove generator inverse from API
bf1cf0f 
We can always obtain it as a public parameter
@cygnusv cygnusv changed the title [draft] Clearing the landing for Handover Protocol Clearing the landing for Handover Protocol Mar 26, 2025
@cygnusv cygnusv marked this pull request as ready for review March 26, 2025 17:56
derekpierre
derekpierre approved these changes Apr 3, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@derekpierre derekpierre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎸 - I don't know if I understood all of the change, but looks reasonable.

ferveo-tdec/src/lib.rs Outdated
g_inv,
)
.is_err());
assert!(decrypt_with_shared_secret(&ciphertext, aad, shared_secret,)
Copy link
Copy Markdown
Member

@derekpierre derekpierre Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just get rid of the trailing comma (one other spot on L261)?

Suggested change
assert!(decrypt_with_shared_secret(&ciphertext, aad, shared_secret,)
assert!(decrypt_with_shared_secret(&ciphertext, aad, shared_secret)

Copy link
Copy Markdown
Member Author

@cygnusv cygnusv Apr 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems both options (with or without comma) are accepted by the linter. Anyway, I'll remove them.

@cygnusv cygnusv merged commit bc64858 into nucypher:rocknroll Apr 14, 2025
10 of 11 checks passed
@derekpierre derekpierre mentioned this pull request Aug 15, 2025
Merged
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theref theref theref approved these changes

@derekpierre derekpierre derekpierre approved these changes

@KPrasch KPrasch Awaiting requested review from KPrasch

Assignees

@cygnusv cygnusv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cygnusv @codecov-commenter @theref @derekpierre @arjunhassard