I have been investigating using multi-party ECDSA in WASM and wanted to know if there are plans to support the wasm32-unknown-unknown target so we could use this library from the browser?

I have explored your emerald-city library and have used it to put together a very simple demo of using WASM (via wasm-pack) but would prefer to use something that is ready for production and has been audited, like this library or threshold-signatures.

All my attempts to compile for wasm32-unknown-unknown have failed so far and when I tried with multi-party-ecdsa I get an error (that is now quite familiar!):

error[E0046]: not all trait items implemented, missing: `encode`
    --> /home/muji/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-serialize-0.3.24/src/serialize.rs:1358:1
     |
853  |     fn encode<S: Encoder>(&self, s: &mut S) -> Result<(), S::Error>;
     |     ---------------------------------------------------------------- `encode` from trait
...
1358 | impl Encodable for path::Path {
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing `encode` in implementation

error[E0046]: not all trait items implemented, missing: `decode`
    --> /home/muji/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-serialize-0.3.24/src/serialize.rs:1382:1
     |
904  |     fn decode<D: Decoder>(d: &mut D) -> Result<Self, D::Error>;
     |     ----------------------------------------------------------- `decode` from trait
...
1382 | impl Decodable for path::PathBuf {
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing `decode` in implementation

Which is due to the deprecated rustc-serialize library being used by rust-crypto. If we look at the code there is no implementation for the unknown target OS.

We can't fix rustc-serialize so the solution I would imagine is to remove the dependency on rust-crypto which I believe is now deprecated in favour of RustCrypto.

Would it be possible to merge the experimental work in emerald-city so we can build this library for WASM?

Thanks :pray:

Hi, I have problem with signing a "hello" sentence in the GG20 example. I am trying commands from the example and the result is:

Error: online stage failed

Caused by: couldn't complete signing: round 7: InvalidSig

Please give me a small advice :) What I am doing wrong.

We are using 0.7.4 release tag. We have tried to implement GG20 and we are running Offline rounds (1-6) everytime when we generate signature and it gives same R's value in signature even if we are running Offline rounds before generate signature. Attaching logs may be that can help to see an issue.

I am intentionally opening a draft PR to show you where I am heading and get some early feedback in case I am going totally wrong. This is definitely not the final version of how I want to structure this. @omershlo

I have totally skipped the blame steps for signing. That I am planning to keep for a future PR. I still need to grok that part better.

I still have to:

1. Add structures for all input/output pairs for keygen and sign.
2. Right now the KeyPairResult has to be broken down so that until sign_stage8 there is no need for anything from keypair generation. That is essential for one round.
3. Add comments all along for things that have to be private(encrypted for the intended party). Seems to be a long list.
4. Some improvements to the interface like not passing full objects if only one of the items of the objects are needed in a stage.

Thanks for the great repository! I have walked through the example for GG20 keygen and signing. I can successfully generate the signature but I don't actually know how to extract the public key and actually verify the generated signature.

Is there any instructions or examples that I can refer to? Thanks!

Hello,

I was going through the library and got stuck at sign_stage6 method of orchestrate.rs. If I understand correctly, it corresponds to this line at page 15 of GG20 (specifically, the zero-knowledge proof part of it):

Each player P_i broadcasts R_i = R^{k_i} as well as a zero-knowledge proof of consistency between R_i and E_i(k_i), which each player sent as the first message of the MtA protocol in Phase 2.

But from the code it seems that we actually prove the statement t times, just with different Fujisaki-Okamoto commitments, and then verify our own proofs instead of broadcasting them. Also, I don't really understand why this stage is called in online stage of signing protocol (paper seems to suggest it can be done offline). Am I missing something?

Thanks!

At the moment it is not possible to build the project. The zeroize: 0.10.x has been yanked so cargo cannot find it.

Shall we update the crate to the latest version?

This issue is dependent of https://github.com/KZen-networks/multi-party-ecdsa/issues/5. Code has been added to https://github.com/mortendahl/rust-paillier in order to do this. Need to be use in 2 party ECDSA.

Hey, @MatanHamilis! Sorry for taking so long to write two lines of code. Quite frankly, I just forgot about this. I think there are no more places in the code where the length check needs to be performed (in keygen round 3 and sign round 2, P2P container is used where parties need to send a list of messages). PS. I only added an assert_eq, without returning the vector of misbehaving parties. When implementing identifiable aborts, this should be changed. Or I can do it now.

Here is my step:

1. Git clone this repository, and build the examples
2. Copy the Rocket.toml to ./target/release/examples
3. Run the demo: ./demo/run.sh

Here is error logs:

$ ./demo/run.sh 
    Finished release [optimized] target(s) in 0.12s
Params: {"parties":"3", "threshold":"1"}
./demo/run.sh: Multi-party ECDSA parties:3 threshold:1
🔧 Configured for production.
    => address: 0.0.0.0
    => port: 8001
    => log: critical
    => workers: 12
    => secret key: private-cookies disabled
    => limits: forms = 32KiB
    => keep-alive: 5s
    => tls: disabled
🚀 Rocket has launched from http://0.0.0.0:8001
keygen part
key gen for client 1 out of 3
number: 1, uuid: "f2d83d40-c967-43f0-b468-4b1b5fdf0952"
key gen for client 2 out of 3
number: 2, uuid: "f2d83d40-c967-43f0-b468-4b1b5fdf0952"
["round1"] party 2 => party 1
["round1"] party 1 => party 2
key gen for client 3 out of 3
number: 3, uuid: "f2d83d40-c967-43f0-b468-4b1b5fdf0952"
["round1"] party 3 => party 2
["round1"] party 3 => party 1
["round1"] party 1 => party 3
["round2"] party 1 => party 2
["round2"] party 2 => party 1
["round1"] party 2 => party 3
["round2"] party 3 => party 2
["round2"] party 3 => party 1
["round2"] party 1 => party 3
["round2"] party 2 => party 3
["round3"] party 1 => party 2
["round3"] party 2 => party 1
["round3"] party 3 => party 2
["round3"] party 1 => party 3
["round3"] party 3 => party 1
["round4"] party 1 => party 2
["round3"] party 2 => party 3
["round4"] party 2 => party 1
["round4"] party 3 => party 2
["round4"] party 1 => party 3
["round4"] party 3 => party 1
["round5"] party 1 => party 2
["round4"] party 2 => party 3
["round5"] party 2 => party 1
["round5"] party 3 => party 2
["round5"] party 1 => party 3
["round5"] party 3 => party 1
["round5"] party 2 => party 3
sign
signing for client 1 out of 2
number: 1, uuid: "051bea03-eb9c-43ec-9532-4251ffdbdfcd"
signing for client 2 out of 2
number: 2, uuid: "051bea03-eb9c-43ec-9532-4251ffdbdfcd"
["round0"] party 2 => party 1
["round0"] party 1 => party 2
["round1"] party 2 => party 1
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error("invalid type: map, expected BigInt", line: 1, column: 77)', src/libcore/result.rs:1051:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
["round1"] party 1 => party 2
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error("invalid type: map, expected BigInt", line: 1, column: 77)', src/libcore/result.rs:1051:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Please let me know if there are any issues with this. Some code is commented out because I found that an unwrap would crash everything. I presume these issues are known. I didn't add deserialization support for all objects since I don't think they'll be sent over the wire. The code is very repetitive, I don't know what your policy regarding macros is.

I'm relatively new to Rust. Let me know if this question is totally off. My idea is to put the local-share into the local storage of browser extension or of mobile device. Just wondering if the Rust code of the core library (or gg20_sm_client.rs, gg20_signing.rs) can be integrated into those developments?

After cargo build, on running ./run.sh or run20.sh script, getting below error.

keygen part key gen for client 1 out of 3 dyld[46200]: symbol not found in flat namespace '_rust_crypto_util_fixed_time_eq_asm' ./demo/run.sh: line 21: 46200 Abort trap: 6 ./target/release/examples/gg18_keygen_client http://127.0.0.1:8001 keys"$i".store key gen for client 2 out of 3 dyld[46202]: symbol not found in flat namespace '_rust_crypto_util_fixed_time_eq_asm' ./demo/run.sh: line 21: 46202 Abort trap: 6 ./target/release/examples/gg18_keygen_client http://127.0.0.1:8001 keys"$i".store key gen for client 3 out of 3 dyld[46204]: symbol not found in flat namespace '_rust_crypto_util_fixed_time_eq_asm' ./demo/run.sh: line 21: 46204 Abort trap: 6 ./target/release/examples/gg18_keygen_client http://127.0.0.1:8001 keys"$i".store sign signing for client 1 out of 2 thread 'main' panicked at 'Unable to load keys, did you run keygen first? : Os { code: 2, kind: NotFound, message: "No such file or directory" }', examples/gg18_sign_client.rs:47:10 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace signing for client 2 out of 2 thread 'main' panicked at 'Unable to load keys, did you run keygen first? : Os { code: 2, kind: NotFound, message: "No such file or directory" }', examples/gg18_sign_client.rs:47:10 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

System Software Overview:

  System Version: macOS 12.2.1 (21D62)
  Kernel Version: Darwin 21.3.0
  Boot Volume: Macintosh HD
  Boot Mode: Normal

Hardware Overview:

  Model Name: MacBook Pro
  Model Identifier: MacBookPro18,1
  Chip: Apple M1 Pro

Has the protocol some features to proof that the public key participates in the multisig or that the multisig is created by a set of public keys? There is some task to proof that some user is part of multisig or some group of users created a multisig. If it is possible how can it be done?

https://github.com/ZenGo-X/multi-party-ecdsa/blob/9193fb7d42178fe854688b1874a9a7cd61b540c9/src/protocols/multi_party_ecdsa/gg_2020/state_machine/sign/rounds.rs#L259