Rename Complaint to RecoveryProof; move accuser_id to wire types

Author: jonas-lj

fastcrypto-tbls/src/threshold_schnorr/avss.rs

@@ -14,7 +14,7 @@ use crate::nodes::{Nodes, PartyId};
 use crate::polynomial::{Eval, Poly};
 use crate::random_oracle::RandomOracle;
 use crate::threshold_schnorr::bcs::BCSSerialized;
-use crate::threshold_schnorr::complaint::{Complaint, ComplaintResponse};
+use crate::threshold_schnorr::complaint::{ComplaintResponse, RecoveryProof};
 use crate::threshold_schnorr::Extensions::Encryption;
 use crate::threshold_schnorr::{random_oracle_from_sid, EG, G, S};
 use crate::types;
@@ -63,6 +63,14 @@ pub enum ProcessedMessage {
     Complaint(Complaint),
 }
 
+/// A complaint by a receiver who could not decrypt or verify its shares from the dealer's
+/// broadcast. Given enough responses, the accuser can recover its shares.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct Complaint {
+    pub accuser_id: PartyId,
+    pub proof: RecoveryProof,
+}
+
 /// The output of a receiver after a single instance of AVSS: The shares for each nonce + commitments for the next round.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PartialOutput {
@@ -284,13 +292,16 @@ impl Receiver {
                 my_shares,
                 feldman_commitment: message.feldman_commitment.clone(),
             })),
-            Err(_) => Ok(ProcessedMessage::Complaint(Complaint::create(
-                self.id,
-                &message.ciphertext.shared(),
-                &self.enc_secret_key,
-                &self.random_oracle(),
-                &mut rand::thread_rng(),
-            ))),
+            Err(_) => Ok(ProcessedMessage::Complaint(Complaint {
+                accuser_id: self.id,
+                proof: RecoveryProof::create(
+                    self.id,
+                    &message.ciphertext.shared(),
+                    &self.enc_secret_key,
+                    &self.random_oracle(),
+                    &mut rand::thread_rng(),
+                ),
+            })),
         }
     }
 
@@ -301,7 +312,8 @@ impl Receiver {
         complaint: &Complaint,
         my_output: &PartialOutput,
     ) -> FastCryptoResult<ComplaintResponse<SharesForNode>> {
-        complaint.check(
+        complaint.proof.check(
+            complaint.accuser_id,
             &self.nodes.node_id_to_node(complaint.accuser_id)?.pk,
             &message.ciphertext.encs[complaint.accuser_id as usize],
             &message.ciphertext.shared(),
@@ -550,11 +562,11 @@ mod tests {
     use crate::ecies_v1::{MultiRecipientEncryption, PublicKey};
     use crate::nodes::{Node, Nodes, PartyId};
     use crate::polynomial::Poly;
+    use crate::threshold_schnorr::avss::Complaint;
     use crate::threshold_schnorr::avss::{Dealer, Message, Receiver};
     use crate::threshold_schnorr::avss::{PartialOutput, ProcessedMessage};
     use crate::threshold_schnorr::avss::{ReceiverOutput, SharesForNode};
     use crate::threshold_schnorr::bcs::BCSSerialized;
-    use crate::threshold_schnorr::complaint::Complaint;
     use crate::threshold_schnorr::tests::restrict;
     use crate::threshold_schnorr::Extensions::Encryption;
     use crate::threshold_schnorr::{EG, G, S};

fastcrypto-tbls/src/threshold_schnorr/batch_avss.rs

@@ -209,7 +209,8 @@ pub struct Vote {
 /// A complaint by a receiver who could not decrypt or verify its shares.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct RevealComplaint {
-    pub proof: complaint::Complaint,
+    pub accuser_id: PartyId,
+    pub proof: complaint::RecoveryProof,
     pub ciphertext: Vec<u8>,
     pub common_message_hash: Digest,
 }
@@ -656,7 +657,8 @@ impl Receiver {
             })
             .or_else(|_| {
                 Ok(DecryptionOutcome::Invalid(RevealComplaint {
-                    proof: complaint::Complaint::create(
+                    accuser_id: self.id,
+                    proof: complaint::RecoveryProof::create(
                         self.id,
                         shared,
                         &self.enc_secret_key,
@@ -684,6 +686,7 @@ impl Receiver {
             compute_challenge_from_common_message(&self.random_oracle(), common_message);
 
         let RevealComplaint {
+            accuser_id,
             proof,
             ciphertext: reveal_ciphertext,
             common_message_hash,
@@ -692,11 +695,12 @@ impl Receiver {
         if *common_message_hash != common_message.hash() {
             return Err(InvalidProof);
         }
-        let recipient_root = common_message.recipient_root(proof.accuser_id)?;
+        let recipient_root = common_message.recipient_root(*accuser_id)?;
         self.check_avid_consistency(reveal_ciphertext, recipient_root)
             .map_err(|_| InvalidProof)?;
-        let accuser = self.nodes.node_id_to_node(proof.accuser_id)?;
+        let accuser = self.nodes.node_id_to_node(*accuser_id)?;
         proof.check(
+            *accuser_id,
             &accuser.pk,
             reveal_ciphertext,
             &common_message.ciphertext_shared,

fastcrypto-tbls/src/threshold_schnorr/complaint.rs

@@ -14,18 +14,19 @@ use fastcrypto::traits::AllowedRng;
 use serde::{Deserialize, Serialize};
 use tracing::debug;
 
-/// A complaint by an accuser that it could not decrypt or verify its shares.
-/// Given enough responses to the complaint, the accuser can recover its shares.
+/// Cryptographic proof attached to a complaint: an ECIES recovery package that opens the
+/// dealer's shared ciphertext with the accuser's private key and produces shares that fail a
+/// supplied verifier.
 #[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct Complaint {
-    pub(crate) accuser_id: PartyId,
-    pub(crate) proof: RecoveryPackage<EG>,
-}
+pub struct RecoveryProof(RecoveryPackage<EG>);
 
-impl Complaint {
-    /// Try to decrypt the shares for the accuser.
+impl RecoveryProof {
+    /// Verify the proof for the given `accuser_id`: decrypt `ciphertext` via the recovery
+    /// package and confirm the resulting shares fail `verifier`. The caller supplies
+    /// `accuser_id` from their protocol context — it is *not* carried inside the proof.
     pub fn check<S: BCSSerialized>(
         &self,
+        accuser_id: PartyId,
         enc_pk: &ecies_v1::PublicKey<EG>,
         ciphertext: &[u8],
         shared: &SharedComponents<EG>,
@@ -35,31 +36,31 @@ impl Complaint {
         // Check that the recovery package is valid, and if not, return an error since the complaint is invalid.
         let buffer = shared.decrypt_with_recovery_package(
             ciphertext,
-            &self.proof,
-            &random_oracle.extend(&Recovery(self.accuser_id).to_string()),
+            &self.0,
+            &random_oracle.extend(&Recovery(accuser_id).to_string()),
             &random_oracle.extend(&Encryption.to_string()),
             enc_pk,
-            self.accuser_id as usize,
+            accuser_id as usize,
         )?;
 
         let Ok(shares) = S::from_bytes(&buffer) else {
             debug!(
                 "Complaint by party {} is valid: Failed to deserialize shares",
-                self.accuser_id
+                accuser_id
             );
             return Ok(());
         };
 
         if verifier(&shares).is_ok() {
             debug!(
                 "Complaint by party {} is invalid: Shares verify correctly",
-                self.accuser_id
+                accuser_id
             );
             Err(InvalidProof)
         } else {
             debug!(
                 "Complaint by party {} is valid: Shares do not verify correctly",
-                self.accuser_id
+                accuser_id
             );
             Ok(())
         }
@@ -72,14 +73,11 @@ impl Complaint {
         random_oracle: &RandomOracle,
         rng: &mut impl AllowedRng,
     ) -> Self {
-        Self {
-            accuser_id,
-            proof: ciphertext.create_recovery_package(
-                enc_sk,
-                &random_oracle.extend(&Recovery(accuser_id).to_string()),
-                rng,
-            ),
-        }
+        Self(ciphertext.create_recovery_package(
+            enc_sk,
+            &random_oracle.extend(&Recovery(accuser_id).to_string()),
+            rng,
+        ))
     }
 }