1use std::collections::BTreeMap;
2use std::iter::once;
3
4use anyhow::{Context, bail, ensure};
5use async_trait::async_trait;
6use bls12_381::{G1Projective, G2Projective, Scalar};
7use fedimint_core::bitcoin::hashes::sha256;
8use fedimint_core::config::{DkgMessage, P2PMessage};
9use fedimint_core::encoding::Encodable as _;
10use fedimint_core::net::peers::{DynP2PConnections, Recipient};
11use fedimint_core::{NumPeers, PeerId};
12use fedimint_logging::LOG_NET_PEER_DKG;
13use fedimint_server_core::config::{PeerHandleOps, g1, g2, scalar};
14use group::ff::Field;
15use rand::rngs::OsRng;
16use tracing::{info, trace};
17
18use super::peer_handle::PeerHandle;
19
20struct Dkg {
23 num_peers: NumPeers,
24 identity: PeerId,
25 polynomial: Vec<Scalar>,
26 hash_commitments: BTreeMap<PeerId, sha256::Hash>,
27 commitments: BTreeMap<PeerId, Vec<(G1Projective, G2Projective)>>,
28 sk_shares: BTreeMap<PeerId, Scalar>,
29}
30
31impl Dkg {
32 fn new(num_peers: NumPeers, identity: PeerId) -> Self {
33 let polynomial = (0..num_peers.threshold())
34 .map(|_| Scalar::random(&mut OsRng))
35 .collect::<Vec<Scalar>>();
36
37 let commitment = polynomial
38 .iter()
39 .map(|f| (g1(f), g2(f)))
40 .collect::<Vec<(G1Projective, G2Projective)>>();
41
42 Dkg {
43 num_peers,
44 identity,
45 polynomial,
46 hash_commitments: once((identity, commitment.consensus_hash_sha256())).collect(),
47 commitments: once((identity, commitment)).collect(),
48 sk_shares: BTreeMap::new(),
49 }
50 }
51
52 fn commitment(&self) -> Vec<(G1Projective, G2Projective)> {
53 self.polynomial.iter().map(|f| (g1(f), g2(f))).collect()
54 }
55
56 fn initial_message(&self) -> DkgMessage {
57 DkgMessage::Hash(self.commitment().consensus_hash_sha256())
58 }
59
60 fn step(&mut self, peer: PeerId, msg: DkgMessage) -> anyhow::Result<DkgStep> {
62 trace!(?peer, ?msg, "Running DKG step");
63 match msg {
64 DkgMessage::Hash(hash) => {
65 ensure!(
66 self.hash_commitments.insert(peer, hash).is_none(),
67 "DKG: peer {peer} sent us two hash commitments."
68 );
69
70 if self.hash_commitments.len() == self.num_peers.total() {
71 return Ok(DkgStep::Broadcast(DkgMessage::Commitment(
72 self.commitment(),
73 )));
74 }
75 }
76 DkgMessage::Commitment(polynomial) => {
77 ensure!(
78 *self.hash_commitments.get(&peer).with_context(|| format!(
79 "DKG: hash commitment not found for peer {peer}"
80 ))? == polynomial.consensus_hash_sha256(),
81 "DKG: polynomial commitment from peer {peer} is of wrong degree."
82 );
83
84 ensure!(
85 self.num_peers.threshold() == polynomial.len(),
86 "DKG: polynomial commitment from peer {peer} is of wrong degree."
87 );
88
89 ensure!(
90 self.commitments.insert(peer, polynomial).is_none(),
91 "DKG: peer {peer} sent us two commitments."
92 );
93
94 if self.commitments.len() == self.num_peers.total() {
97 let mut messages = vec![];
98
99 for peer in self.num_peers.peer_ids() {
100 let s = eval_poly_scalar(&self.polynomial, &scalar(&peer));
101
102 if peer == self.identity {
103 self.sk_shares.insert(self.identity, s);
104 } else {
105 messages.push((peer, DkgMessage::Share(s)));
106 }
107 }
108
109 return Ok(DkgStep::Messages(messages));
110 }
111 }
112 DkgMessage::Share(s) => {
113 let polynomial = self.commitments.get(&peer).with_context(|| {
114 format!("DKG: polynomial commitment not found for peer {peer}.")
115 })?;
116
117 let checksum: (G1Projective, G2Projective) = polynomial
118 .iter()
119 .zip((0..).map(|k| scalar(&self.identity).pow(&[k, 0, 0, 0])))
120 .map(|(c, x)| (c.0 * x, c.1 * x))
121 .reduce(|(a1, a2), (b1, b2)| (a1 + b1, a2 + b2))
122 .expect("DKG: polynomial commitment from peer is empty.");
123
124 ensure!(
125 (g1(&s), g2(&s)) == checksum,
126 "DKG: share from {peer} is invalid."
127 );
128
129 ensure!(
130 self.sk_shares.insert(peer, s).is_none(),
131 "Peer {peer} sent us two sk shares."
132 );
133
134 if self.sk_shares.len() == self.num_peers.total() {
135 let sks = self.sk_shares.values().sum();
136
137 let pks = (0..self.num_peers.threshold())
138 .map(|i| {
139 self.commitments
140 .values()
141 .map(|coefficients| coefficients[i])
142 .reduce(|(a1, a2), (b1, b2)| (a1 + b1, a2 + b2))
143 .expect("DKG: polynomial commitments are empty.")
144 })
145 .collect();
146
147 return Ok(DkgStep::Result((pks, sks)));
148 }
149 }
150 }
151
152 Ok(DkgStep::Messages(vec![]))
153 }
154}
155
156pub async fn run_dkg(
159 num_peers: NumPeers,
160 identity: PeerId,
161 connections: &DynP2PConnections<P2PMessage>,
162) -> anyhow::Result<(Vec<(G1Projective, G2Projective)>, Scalar)> {
163 let mut dkg = Dkg::new(num_peers, identity);
164
165 connections.send(Recipient::Everyone, P2PMessage::Dkg(dkg.initial_message()));
166
167 loop {
168 for peer in num_peers.peer_ids().filter(|p| *p != identity) {
169 let message = connections
170 .receive_from_peer(peer)
171 .await
172 .context("Unexpected shutdown of p2p connections during dkg")?;
173
174 let message = match message {
175 P2PMessage::Dkg(message) => message,
176 _ => bail!("Received unexpected message: {message:?}"),
177 };
178
179 match dkg.step(peer, message)? {
180 DkgStep::Broadcast(message) => {
181 connections.send(Recipient::Everyone, P2PMessage::Dkg(message));
182 }
183 DkgStep::Messages(messages) => {
184 for (peer, message) in messages {
185 connections.send(Recipient::Peer(peer), P2PMessage::Dkg(message));
186 }
187 }
188 DkgStep::Result(result) => {
189 return Ok(result);
190 }
191 }
192 }
193 }
194}
195
196fn eval_poly_scalar(coefficients: &[Scalar], x: &Scalar) -> Scalar {
197 coefficients
198 .iter()
199 .copied()
200 .rev()
201 .reduce(|acc, coefficient| acc * x + coefficient)
202 .expect("We have at least one coefficient")
203}
204
205enum DkgStep {
206 Broadcast(DkgMessage),
207 Messages(Vec<(PeerId, DkgMessage)>),
208 Result((Vec<(G1Projective, G2Projective)>, Scalar)),
209}
210
211#[async_trait]
212impl PeerHandleOps for PeerHandle<'_> {
213 fn num_peers(&self) -> NumPeers {
214 self.num_peers
215 }
216
217 async fn run_dkg_g1(&self) -> anyhow::Result<(Vec<G1Projective>, Scalar)> {
218 info!(
219 target: LOG_NET_PEER_DKG,
220 "Running distributed key generation for group G1..."
221 );
222
223 run_dkg(self.num_peers, self.identity, self.connections)
224 .await
225 .map(|(poly, sk)| (poly.into_iter().map(|c| c.0).collect(), sk))
226 }
227
228 async fn run_dkg_g2(&self) -> anyhow::Result<(Vec<G2Projective>, Scalar)> {
229 info!(
230 target: LOG_NET_PEER_DKG,
231 "Running distributed key generation for group G2..."
232 );
233
234 run_dkg(self.num_peers, self.identity, self.connections)
235 .await
236 .map(|(poly, sk)| (poly.into_iter().map(|c| c.1).collect(), sk))
237 }
238
239 async fn exchange_bytes(&self, bytes: Vec<u8>) -> anyhow::Result<BTreeMap<PeerId, Vec<u8>>> {
240 info!(
241 target: LOG_NET_PEER_DKG,
242 "Exchanging raw bytes..."
243 );
244
245 let mut peer_data: BTreeMap<PeerId, Vec<u8>> = BTreeMap::new();
246
247 self.connections
248 .send(Recipient::Everyone, P2PMessage::Encodable(bytes.clone()));
249
250 peer_data.insert(self.identity, bytes);
251
252 for peer in self.num_peers.peer_ids().filter(|p| *p != self.identity) {
253 let message = self
254 .connections
255 .receive_from_peer(peer)
256 .await
257 .context("Unexpected shutdown of p2p connections")?;
258
259 match message {
260 P2PMessage::Encodable(bytes) => {
261 peer_data.insert(peer, bytes);
262 }
263 message => {
264 anyhow::bail!("Invalid message from {peer}: {message:?}");
265 }
266 }
267 }
268
269 Ok(peer_data)
270 }
271}
272
273#[cfg(test)]
274mod tests {
275 use std::collections::{BTreeMap, VecDeque};
276
277 use bls12_381::{G1Projective, G2Projective};
278 use fedimint_core::{NumPeersExt, PeerId};
279 use fedimint_server_core::config::{eval_poly_g1, eval_poly_g2, g1, g2};
280 use group::Curve;
281
282 use crate::config::dkg::{Dkg, DkgStep};
283
284 #[test_log::test]
285 fn test_dkg() {
286 let peers = (0..7_u16).map(PeerId::from).collect::<Vec<PeerId>>();
287
288 let mut dkgs = peers
289 .iter()
290 .map(|peer| (*peer, Dkg::new(peers.to_num_peers(), *peer)))
291 .collect::<BTreeMap<PeerId, Dkg>>();
292
293 let mut steps = dkgs
294 .iter()
295 .map(|(peer, dkg)| (*peer, DkgStep::Broadcast(dkg.initial_message())))
296 .collect::<VecDeque<(PeerId, DkgStep)>>();
297
298 let mut keys = BTreeMap::new();
299
300 while keys.len() < peers.len() {
301 match steps.pop_front().unwrap() {
302 (send_peer, DkgStep::Broadcast(message)) => {
303 for receive_peer in peers.iter().filter(|p| **p != send_peer) {
304 let step = dkgs
305 .get_mut(receive_peer)
306 .unwrap()
307 .step(send_peer, message.clone());
308
309 steps.push_back((*receive_peer, step.unwrap()));
310 }
311 }
312 (send_peer, DkgStep::Messages(messages)) => {
313 for (receive_peer, messages) in messages {
314 let step = dkgs
315 .get_mut(&receive_peer)
316 .unwrap()
317 .step(send_peer, messages);
318
319 steps.push_back((receive_peer, step.unwrap()));
320 }
321 }
322 (send_peer, DkgStep::Result(step_keys)) => {
323 keys.insert(send_peer, step_keys);
324 }
325 }
326 }
327
328 assert!(steps.is_empty());
329
330 for (peer, (poly, sks)) in keys {
331 let poly_g1: Vec<G1Projective> = poly.clone().into_iter().map(|c| c.0).collect();
332 let poly_g2: Vec<G2Projective> = poly.clone().into_iter().map(|c| c.1).collect();
333
334 assert_eq!(poly_g1.len(), 5);
335 assert_eq!(eval_poly_g1(&poly_g1, &peer), g1(&sks).to_affine());
336
337 assert_eq!(poly_g2.len(), 5);
338 assert_eq!(eval_poly_g2(&poly_g2, &peer), g2(&sks).to_affine());
339 }
340 }
341}