feat: make encryption per partition instead of per message

chain-signatures/keys/Cargo.toml

@@ -8,6 +8,7 @@ crate-type = ["cdylib", "lib"]
 
 [dependencies]
 borsh = "1.5.3"
+hex = "0.4.3"
 hpke = { version = "0.11", features = ["serde_impls", "std"] }
 serde = { version = "1", features = ["derive"] }
 rand = { version = "0.8" }

chain-signatures/keys/src/hpke.rs

@@ -1,4 +1,4 @@
-use std::io;
+use std::{fmt, io};
 
 use borsh::{self, BorshDeserialize, BorshSerialize};
 use hpke::{
@@ -37,6 +37,14 @@ pub struct PublicKey(<Kem as hpke::Kem>::PublicKey);
 #[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct SecretKey(<Kem as hpke::Kem>::PrivateKey);
 
+impl fmt::Debug for SecretKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("SecretKey")
+            .field("key", &hex::encode(self.to_bytes()))
+            .finish()
+    }
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 pub struct EncappedKey(<Kem as hpke::Kem>::EncappedKey);
 
@@ -101,6 +109,10 @@ impl SecretKey {
         hpke::Serializable::to_bytes(&self.0).into()
     }
 
+    pub fn from_bytes(bytes: &[u8]) -> Self {
+        Self(hpke::Deserializable::from_bytes(bytes).expect("invalid bytes"))
+    }
+
     pub fn try_from_bytes(bytes: &[u8]) -> Result<Self, hpke::HpkeError> {
         Ok(Self(hpke::Deserializable::from_bytes(bytes)?))
     }

chain-signatures/node/Cargo.toml

@@ -15,6 +15,7 @@ aws-sdk-s3 = "1.29"
 aws-types = "1.2"
 axum = { version = "0.6.19" }
 axum-extra = "0.7"
+bincode = "1.3.3"
 borsh = "1.5.3"
 cait-sith = { git = "https://github.com/LIT-Protocol/cait-sith.git", features = [
     "k256",

chain-signatures/node/src/cli.rs

@@ -246,6 +246,7 @@ pub fn run(cmd: Cli) -> anyhow::Result<()> {
             let config = Arc::new(RwLock::new(Config::new(LocalConfig {
                 over: override_config.unwrap_or_else(Default::default),
                 network: NetworkConfig {
+                    cipher_sk: hpke::SecretKey::try_from_bytes(&hex::decode(cipher_sk)?)?,
                     cipher_pk: hpke::PublicKey::try_from_bytes(&hex::decode(cipher_pk)?)?,
                     sign_sk,
                 },
@@ -256,12 +257,14 @@ pub fn run(cmd: Cli) -> anyhow::Result<()> {
                 crate::contract_updater::ContractUpdater::init(&rpc_client, &mpc_contract_id);
 
             rt.block_on(async {
+                let state = Arc::new(RwLock::new(crate::protocol::NodeState::Starting));
                 let (sender, channel) =
-                    MessageChannel::spawn(client, &account_id, &config, &mesh_state).await;
-                let (protocol, protocol_state) = MpcSignProtocol::init(
+                    MessageChannel::spawn(client, &account_id, &config, &state, &mesh_state).await;
+                let protocol = MpcSignProtocol::init(
                     my_address,
                     mpc_contract_id,
                     account_id,
+                    state.clone(),
                     rpc_client,
                     signer,
                     channel,
@@ -272,22 +275,13 @@ pub fn run(cmd: Cli) -> anyhow::Result<()> {
                 );
 
                 tracing::info!("protocol initialized");
-                let contract_handle = tokio::spawn({
-                    let contract_state = Arc::clone(&contract_state);
-                    let config = Arc::clone(&config);
-                    async move { contract_updater.run(contract_state, config).await }
-                });
-                let mesh_handle = tokio::spawn({
-                    let contract_state = Arc::clone(&contract_state);
-                    async move { mesh.run(contract_state).await }
-                });
+                let contract_handle =
+                    tokio::spawn(contract_updater.run(contract_state.clone(), config.clone()));
+                let mesh_handle = tokio::spawn(mesh.run(contract_state.clone()));
                 let protocol_handle =
                     tokio::spawn(protocol.run(contract_state, config, mesh_state));
-                tracing::info!("protocol thread spawned");
-                let cipher_sk = hpke::SecretKey::try_from_bytes(&hex::decode(cipher_sk)?)?;
-                let web_handle = tokio::spawn(async move {
-                    web::run(web_port, sender, cipher_sk, protocol_state, indexer).await
-                });
+                tracing::info!("protocol task spawned");
+                let web_handle = tokio::spawn(web::run(web_port, sender, state, indexer));
                 tracing::info!("protocol http server spawned");
 
                 contract_handle.await??;

chain-signatures/node/src/config.rs

@@ -72,6 +72,7 @@ pub struct LocalConfig {
 #[derive(Clone, Debug)]
 pub struct NetworkConfig {
     pub sign_sk: near_crypto::SecretKey,
+    pub cipher_sk: hpke::SecretKey,
     pub cipher_pk: hpke::PublicKey,
 }
 
@@ -82,6 +83,7 @@ impl Default for NetworkConfig {
                 near_crypto::KeyType::ED25519,
                 "test-entropy",
             ),
+            cipher_sk: hpke::SecretKey::from_bytes(&[0; 32]),
             cipher_pk: hpke::PublicKey::from_bytes(&[0; 32]),
         }
     }

chain-signatures/node/src/contract_updater.rs

@@ -20,7 +20,7 @@ impl ContractUpdater {
     }
 
     pub async fn run(
-        &self,
+        self,
         contract_state: Arc<RwLock<Option<ProtocolState>>>,
         config: Arc<RwLock<Config>>,
     ) -> anyhow::Result<()> {

chain-signatures/node/src/node_client.rs

@@ -1,4 +1,5 @@
 use crate::web::StateView;
+use hyper::StatusCode;
 use mpc_keys::hpke::Ciphered;
 use reqwest::IntoUrl;
 use std::str::Utf8Error;
@@ -31,25 +32,15 @@ impl Options {
 }
 
 #[derive(Debug, thiserror::Error)]
-pub enum SendError {
-    #[error("http request was unsuccessful: {0}")]
-    Unsuccessful(String),
-    #[error("serialization unsuccessful: {0}")]
-    DataConversionError(serde_json::Error),
+pub enum RequestError {
+    #[error("http request was unsuccessful: {0} => {1}")]
+    Unsuccessful(StatusCode, String),
     #[error("http client error: {0}")]
-    ReqwestClientError(#[from] reqwest::Error),
+    ReqwestClient(#[from] reqwest::Error),
     #[error("http response could not be parsed: {0}")]
-    ReqwestBodyError(reqwest::Error),
+    MalformedBody(reqwest::Error),
     #[error("http response body is not valid utf-8: {0}")]
     MalformedResponse(Utf8Error),
-    #[error("encryption error: {0}")]
-    EncryptionError(String),
-    #[error("http request timeout: {0}")]
-    Timeout(String),
-    #[error("participant is not alive: {0}")]
-    ParticipantNotAlive(String),
-    #[error("cannot convert into json: {0}")]
-    Conversion(#[from] serde_json::Error),
 }
 
 #[derive(Debug, Clone)]
@@ -69,7 +60,7 @@ impl NodeClient {
         }
     }
 
-    async fn post_msg(&self, url: &Url, msg: &[Ciphered]) -> Result<(), SendError> {
+    async fn post_msg(&self, url: &Url, msg: &[Ciphered]) -> Result<(), RequestError> {
         let resp = self
             .http
             .post(url.clone())
@@ -82,26 +73,27 @@ impl NodeClient {
         if status.is_success() {
             Ok(())
         } else {
-            let bytes = resp.bytes().await.map_err(SendError::ReqwestBodyError)?;
-            let resp = std::str::from_utf8(&bytes).map_err(SendError::MalformedResponse)?;
+            // TODO: parse response body and convert to mpc_node::Error type.
+            let bytes = resp.bytes().await.map_err(RequestError::MalformedBody)?;
+            let resp = std::str::from_utf8(&bytes).map_err(RequestError::MalformedResponse)?;
             tracing::warn!("failed to send a message to {url} with code {status}: {resp}");
-            Err(SendError::Unsuccessful(resp.into()))
+            Err(RequestError::Unsuccessful(status, resp.into()))
         }
     }
 
-    pub async fn msg(&self, base: impl IntoUrl, msg: &[Ciphered]) -> Result<(), SendError> {
+    pub async fn msg(&self, base: impl IntoUrl, msg: &[Ciphered]) -> Result<(), RequestError> {
         let mut url = base.into_url()?;
         url.set_path("msg");
 
         let strategy = ExponentialBackoff::from_millis(10).map(jitter).take(3);
         Retry::spawn(strategy, || self.post_msg(&url, msg)).await
     }
 
-    pub async fn msg_empty(&self, base: impl IntoUrl) -> Result<(), SendError> {
+    pub async fn msg_empty(&self, base: impl IntoUrl) -> Result<(), RequestError> {
         self.msg(base, &[]).await
     }
 
-    pub async fn state(&self, base: impl IntoUrl) -> Result<StateView, SendError> {
+    pub async fn state(&self, base: impl IntoUrl) -> Result<StateView, RequestError> {
         let mut url = base.into_url()?;
         url.set_path("state");
 

chain-signatures/node/src/protocol/consensus.rs

@@ -63,13 +63,7 @@ pub enum ConsensusError {
     #[error("cait-sith initialization error: {0}")]
     CaitSithInitializationError(#[from] InitializationError),
     #[error("secret storage error: {0}")]
-    SecretStorageError(SecretStorageError),
-}
-
-impl From<SecretStorageError> for ConsensusError {
-    fn from(err: SecretStorageError) -> Self {
-        ConsensusError::SecretStorageError(err)
-    }
+    SecretStorageError(#[from] SecretStorageError),
 }
 
 #[async_trait]

chain-signatures/node/src/protocol/cryptography.rs

@@ -1,18 +1,16 @@
-use std::sync::PoisonError;
-
 use super::message::MessageChannel;
 use super::signature::SignatureManager;
 use super::state::{GeneratingState, NodeState, ResharingState, RunningState};
 use crate::config::Config;
 use crate::gcp::error::SecretStorageError;
-use crate::node_client::SendError;
 use crate::protocol::message::{GeneratingMessage, ResharingMessage};
 use crate::protocol::presignature::PresignatureManager;
 use crate::protocol::state::{PersistentNodeData, WaitingForConsensusState};
 use crate::protocol::MeshState;
 use crate::storage::secret_storage::SecretNodeStorageBox;
+
 use async_trait::async_trait;
-use cait_sith::protocol::{Action, InitializationError, Participant, ProtocolError};
+use cait_sith::protocol::{Action, InitializationError, ProtocolError};
 use k256::elliptic_curve::group::GroupEncoding;
 use near_account_id::AccountId;
 use near_crypto::InMemorySigner;
@@ -28,35 +26,14 @@ pub trait CryptographicCtx {
 
 #[derive(thiserror::Error, Debug)]
 pub enum CryptographicError {
-    #[error("failed to send a message: {0}")]
-    SendError(#[from] SendError),
-    #[error("unknown participant: {0:?}")]
-    UnknownParticipant(Participant),
-    #[error("rpc error: {0}")]
-    RpcError(#[from] near_fetch::Error),
     #[error("cait-sith initialization error: {0}")]
     CaitSithInitializationError(#[from] InitializationError),
     #[error("cait-sith protocol error: {0}")]
     CaitSithProtocolError(#[from] ProtocolError),
-    #[error("sync failed: {0}")]
-    SyncError(String),
-    #[error(transparent)]
-    DataConversion(#[from] serde_json::Error),
-    #[error("encryption failed: {0}")]
-    Encryption(String),
-    #[error("more than one writing to state: {0}")]
-    InvalidStateHandle(String),
     #[error("secret storage error: {0}")]
     SecretStorageError(#[from] SecretStorageError),
 }
 
-impl<T> From<PoisonError<T>> for CryptographicError {
-    fn from(_: PoisonError<T>) -> Self {
-        let typename = std::any::type_name::<T>();
-        Self::SyncError(format!("PoisonError: {typename}"))
-    }
-}
-
 #[async_trait]
 pub trait CryptographicProtocol {
     async fn progress<C: CryptographicCtx + Send + Sync>(
@@ -132,6 +109,7 @@ impl CryptographicProtocol for GeneratingState {
                         public_key = hex::encode(r.public_key.to_bytes()),
                         "generating: successfully completed key generation"
                     );
+                    // TODO: handle secret storage error
                     ctx.secret_storage()
                         .store(&PersistentNodeData {
                             epoch: 0,
@@ -219,22 +197,20 @@ impl CryptographicProtocol for ResharingState {
                 }
                 Action::SendPrivate(to, data) => {
                     tracing::debug!("resharing: sending a private message to {to:?}");
-                    match self.new_participants.get(&to) {
-                        Some(_) => {
-                            ctx.channel()
-                                .send(
-                                    self.me,
-                                    to,
-                                    ResharingMessage {
-                                        epoch: self.old_epoch,
-                                        from: self.me,
-                                        data,
-                                    },
-                                )
-                                .await;
-                        }
-                        None => return Err(CryptographicError::UnknownParticipant(to)),
+                    if self.new_participants.get(&to).is_none() {
+                        tracing::error!("resharing: send_private unknown participant {to:?}");
                     }
+                    ctx.channel()
+                        .send(
+                            self.me,
+                            to,
+                            ResharingMessage {
+                                epoch: self.old_epoch,
+                                from: self.me,
+                                data,
+                            },
+                        )
+                        .await;
                 }
                 Action::Return(private_share) => {
                     tracing::debug!("resharing: successfully completed key reshare");