feat(frost): conclude the signing done check on the t-subset (7.3 t-of-included PR3/3)

Under RFC-21 Phase 7.3 t-of-included finalize (PR2 #4093), an interactive
signing attempt is signed by the first t responsive committers of an
(optionally) oversized included set. The members the coordinator did not pick,
plus any offline ones, may never broadcast a signing done check, so the outer
done check - which required a confirmation from EVERY attempt member - would
hang an otherwise-successful attempt to its timeout and force a needless retry.

Make signingDoneCheck conclude on the first t (honestThreshold) matching done
checks instead of all attempt members:
- newSigningDoneCheck takes honestThreshold; listen sets
  requiredDoneCount = min(honestThreshold, len(attemptMembersIndexes)).
- waitUntilAllDone completes when len(doneSigners) >= requiredDoneCount (>= not
  ==: an oversized set may have more than t online members report done), with a
  requiredDoneCount > 0 guard against the pre-listen state.

INERT until participant selection oversizes the included set past the threshold:
today the selector trims to exactly honestThreshold, so attemptMembersIndexes ==
threshold and requiredDoneCount == the attempt member count - identical to the
previous all-members rule. The coarse path is unchanged.

Added TestSigningDoneCheck_ThresholdSubsetConcludes (oversized included set, only
t members report done -> concludes with the signature instead of timing out).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: mswilkison

pkg/tbtc/signing.go

@@ -373,6 +373,7 @@ func (se *signingExecutor) signWithTaprootMerkleRoot(
 
 			doneCheck := newSigningDoneCheck(
 				se.groupParameters.GroupSize,
+				se.groupParameters.HonestThreshold,
 				se.broadcastChannel,
 				se.membershipValidator,
 			)

pkg/tbtc/signing_done.go

@@ -47,23 +47,34 @@ func (sdm *signingDoneMessage) Type() string {
 // successful signature calculation across all signing group members.
 type signingDoneCheck struct {
 	groupSize           int
+	honestThreshold     int
 	broadcastChannel    net.BroadcastChannel
 	membershipValidator *group.MembershipValidator
 
-	receiveCtx           context.Context
-	cancelReceiveCtx     context.CancelFunc
-	expectedSignersCount int
-	doneSigners          map[group.MemberIndex]*signingDoneMessage
-	doneSignersMutex     sync.RWMutex
+	receiveCtx       context.Context
+	cancelReceiveCtx context.CancelFunc
+	// requiredDoneCount is the number of matching done checks that conclude the
+	// attempt. For a full-included attempt it equals the attempt member count
+	// (every included member signs), but under RFC-21 Phase 7.3 t-of-included
+	// finalize the attempt is signed by a t-subset of an oversized included set,
+	// so the remaining (possibly offline) members never send a done check;
+	// requiring all of them would hang an otherwise-successful attempt to timeout.
+	// Capped at honestThreshold, which is the minimum that proves a valid
+	// threshold signature was produced.
+	requiredDoneCount int
+	doneSigners       map[group.MemberIndex]*signingDoneMessage
+	doneSignersMutex  sync.RWMutex
 }
 
 func newSigningDoneCheck(
 	groupSize int,
+	honestThreshold int,
 	broadcastChannel net.BroadcastChannel,
 	membershipValidator *group.MembershipValidator,
 ) *signingDoneCheck {
 	return &signingDoneCheck{
 		groupSize:           groupSize,
+		honestThreshold:     honestThreshold,
 		broadcastChannel:    broadcastChannel,
 		membershipValidator: membershipValidator,
 	}
@@ -91,7 +102,16 @@ func (sdc *signingDoneCheck) listen(
 	sdc.receiveCtx, sdc.cancelReceiveCtx = context.WithCancel(ctx)
 
 	sdc.doneSignersMutex.Lock()
-	sdc.expectedSignersCount = len(attemptMembersIndexes)
+	// Conclude on the first t (honestThreshold) matching done checks rather than on
+	// every attempt member: under RFC-21 Phase 7.3 t-of-included finalize the
+	// attempt is signed by a t-subset of an oversized included set, so members
+	// outside the subset (including offline ones) may never report done and
+	// requiring all of them would hang an otherwise-successful attempt. Capped at
+	// the attempt member count so a (degenerate) sub-threshold included set still
+	// requires everyone present. For a full-included attempt (members ==
+	// threshold, the pre-oversizing default) this equals the member count, so the
+	// behavior is unchanged until participant selection oversizes the set.
+	sdc.requiredDoneCount = min(sdc.honestThreshold, len(attemptMembersIndexes))
 	sdc.doneSigners = make(map[group.MemberIndex]*signingDoneMessage)
 	sdc.doneSignersMutex.Unlock()
 
@@ -171,8 +191,14 @@ func (sdc *signingDoneCheck) waitUntilAllDone(ctx context.Context) (
 			return nil, 0, errWaitDoneTimedOut
 
 		case <-ticker.C:
-			expectedSignersCount, doneSigners := sdc.snapshotDoneSigners()
-			if expectedSignersCount == len(doneSigners) {
+			requiredDoneCount, doneSigners := sdc.snapshotDoneSigners()
+			// >= (not ==): in an oversized included set more than the required t
+			// members may report done (every online member - signers and observers
+			// alike - reports the same signature), and the attempt concludes as soon
+			// as t matching signatures confirm a valid threshold signature. The
+			// requiredDoneCount > 0 guard rejects the pre-listen state (no attempt
+			// configured yet) so an empty done set is never read as success.
+			if requiredDoneCount > 0 && len(doneSigners) >= requiredDoneCount {
 				var signature *frost.Signature
 				var latestEndBlock uint64
 
@@ -262,7 +288,7 @@ func (sdc *signingDoneCheck) snapshotDoneSigners() (
 		result = append(result, doneMessage.clone())
 	}
 
-	return sdc.expectedSignersCount, result
+	return sdc.requiredDoneCount, result
 }
 
 func (sdm *signingDoneMessage) clone() *signingDoneMessage {

pkg/tbtc/signing_done_test.go

@@ -281,16 +281,83 @@ func TestSigningDoneCheck_AnotherSignature(t *testing.T) {
 	}
 }
 
+// TestSigningDoneCheck_ThresholdSubsetConcludes covers RFC-21 Phase 7.3
+// t-of-included finalize: the attempt's included set is oversized (larger than
+// the honest threshold) and only the t-subset that actually signed reports done -
+// the remaining included members are offline. The check must conclude on the t
+// matching done messages and return the signature, rather than hanging for the
+// absent members the way the pre-7.3 all-members rule did.
+func TestSigningDoneCheck_ThresholdSubsetConcludes(t *testing.T) {
+	groupParameters := &GroupParameters{
+		GroupSize:       5,
+		GroupQuorum:     4,
+		HonestThreshold: 3,
+	}
+
+	doneCheck := setupSigningDoneCheck(t, groupParameters)
+
+	memberIndexes := make([]group.MemberIndex, doneCheck.groupSize)
+	for i := range memberIndexes {
+		memberIndexes[i] = group.MemberIndex(i + 1)
+	}
+
+	ctx, cancelCtx := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancelCtx()
+
+	message := big.NewInt(100)
+	attemptNumber := uint64(1)
+	attemptTimeoutBlock := uint64(1000)
+	// Oversized included set: ALL five members are included, but only the first
+	// three (the chosen signing subset) report done; members 4 and 5 are offline.
+	attemptMemberIndexes := memberIndexes
+	result := &signing.Result{
+		Signature: mustFrostSignatureFromBigInts(big.NewInt(200), big.NewInt(300)),
+	}
+
+	doneCheck.listen(
+		ctx,
+		message,
+		attemptNumber,
+		attemptTimeoutBlock,
+		attemptMemberIndexes,
+	)
+
+	for i := 1; i <= groupParameters.HonestThreshold; i++ {
+		err := doneCheck.signalDone(
+			ctx,
+			uint8(i),
+			message,
+			attemptNumber,
+			result,
+			500+uint64(i),
+		)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	returnedResult, endBlock, err := doneCheck.waitUntilAllDone(ctx)
+	if err != nil {
+		t.Fatalf("expected conclusion on the t-subset, got error: [%v]", err)
+	}
+	if returnedResult == nil || !result.Signature.Equals(returnedResult.Signature) {
+		t.Fatalf("unexpected result: [%v]", returnedResult)
+	}
+	// Latest end block among the three members that reported done (500+3).
+	testutils.AssertIntsEqual(t, "end block", 503, int(endBlock))
+}
+
 // signingDoneCheckComponents holds the shared state used to construct one or
 // more signingDoneCheck instances that communicate over the same channel.
 type signingDoneCheckComponents struct {
 	groupSize           int
+	honestThreshold     int
 	broadcastChannel    net.BroadcastChannel
 	membershipValidator *group.MembershipValidator
 }
 
 func (c *signingDoneCheckComponents) newCheck() *signingDoneCheck {
-	return newSigningDoneCheck(c.groupSize, c.broadcastChannel, c.membershipValidator)
+	return newSigningDoneCheck(c.groupSize, c.honestThreshold, c.broadcastChannel, c.membershipValidator)
 }
 
 // setupSigningDoneCheckComponents builds the shared channel and validator
@@ -341,6 +408,7 @@ func setupSigningDoneCheckComponents(
 
 	return &signingDoneCheckComponents{
 		groupSize:           groupParameters.GroupSize,
+		honestThreshold:     groupParameters.HonestThreshold,
 		broadcastChannel:    broadcastChannel,
 		membershipValidator: membershipValidator,
 	}