Goals

• Complete a keygen happy path ceremony in axelar-core using tofnd
• Implement sign happy path in tofn. (Then: add sign to tofnd, complete a sign ceremony, etc.)

Additional tasks

• KV store for tofnd
• encrypt sensitive traffic in tofn
• authentication in axelar-core (see axelarnetwork/axelar-core#157 )
• tofn, tofnd should never panic
• better tests
• clean up code and tests

PR #34 started exhibiting mysterious github workflow errors earlier this afternoon. Example:
https://github.com/axelarnetwork/tofnd/pull/34/checks?check_run_id=2422640452

   Compiling tofn v0.1.0 (ssh://[email protected]/axelarnetwork/tofn.git#140a770c)
error[E0308]: mismatched types
   --> src/tests/tofnd_party.rs:156:30
    |
156 |                     result = res.clone();
    |                              ^^^^^^^^^^^ expected struct `Vec`, found struct `SignResult`
    |
    = note: expected struct `Vec<_>`
               found struct `SignResult`

I can't find any code that looks anything like this in tofnd_party.rs in its entire commit history, nor can I find this code anywhere else in either tofn or tofnd repos at the relevant commits.

I re-ran the relevant command (cargo test --release --all-features) on my local machine to reproduce the error, but everything passed.

Moreover, I reverted the commit that first caused this result to a previous commit c77416c where the github workflow has succeeded in the past and that workflow now also fails with the exact same error.

wat do

Current status of rust-tssd is a prototype keygen happy path passing only a minimal test. Next goal is the title: Complete a keygen happy path ceremony in axelar-core using rust-tssd.

Tasks

• Golang client for rust-tssd. I currently have a local golang rust-tssd client repo for rust-tssd with a basic test---this repo should be moved into the rust-tssd repo itself.
• Better tests: golang client, rust-tssd, thrush.
• thrush, rust-tssd should never panic---return errors instead.
• Rust-tssd does not yet store keys it generates. Add a KV store for (pubkey_name, pubkey_data). Need to search for a good KV store rust library.
• Swap rust-tssd into axelar-core, run a ceremony. Prerequisite: figure out the deserialization needs of the resulting pubkey in axelar-core.
• Code review?

Currently we have ugliness in tofnd in order to iterate over malicious behaviours and convert them to/from strings. Whenever MaliciousType is changed we need to update code in two places to reflect the change. Example:

1. tofnd/src/config/mod.rs

   Line 31 in f44a560

   let available_behaviours = [

2. tofnd/src/config/mod.rs

   Line 92 in f44a560

   match behaviour {

We would like a way to automate this process, preferrably without modifying tofn.

axelar-core votes on the public key that all parties computed to get consensus. But, we also need to vote on the list of all public share infos that each party sees for consensus. This is not feasible right now, because the share infos are embedded inside the recovery info bytes that are returned to axelar-core. Modify the KeygenOutput proto to also send the list of share infos separately (like we do for the public key) so that it can be voted on.

Overview

We need a safe and persistent store key-value store in rust.

Currently we use microKV, but this library is fairly new, and it is unknown whether it will be maintained in the future.

Since we need both storage and encryption, we have two options:

1. go for a solution that delivers both, or
2. use a combination of two different libraries for storage and encryption.

Available solutions

Store w/ encryption (Option 1)

Store w/o encryption + encryption library (Option 2)

Store libs

Encryption libs

Discussion

In case we choose option 1, keyring, delivers a complete solution to our issue. Although updated relatively infrequently, an encouraging aspect is its popularity and the fact that a good number of projects already use it.

In case we choose option 2, the combination of sled and sodiumoxide seems the most appropriate way to go. Using a database for this could be an overkill.

Need to add support for timeouts. User notifies tofnd that a party has timed out (or failed for some arbitrary reason). At this point the protocol must abort and drop everything. Tofnd should do the following:

1. Clean up the grpc stream
2. Pass the timeout/abort message to tofn so that tofn can clean up

Eventually we'll need a protobuf API change. That's covered under #55 .

Error handling in tofnd and tofn is currently a mess. Need useful error messages and context. Need to choose a specific error handling pattern and enforce it consistently over both tofnd and https://github.com/axelarnetwork/tofn

Suggestions

• Use thiserror and anyhow crates to reduce boilerplate for error handling as described in Rust: Structuring and handling errors in 2020 - nick.groenen.me.
• Consider the nested result pattern described in Error Handling in a Correctness-Critical Rust Project | sled-rs.github.io.
• Other tips in this video: RustConf 2020 - Error handling Isn't All About Errors by Jane Lusby - YouTube.
• Error handling in a library (eg. tofn) is very different form error handling in an executable (eg. tofnd). Library = producer of errors; Executable = consumer of errors.
• Rust error handling working group: rust-lang/project-error-handling: Error handling project group

As observed here #98 (comment) :
The Rust pipeline doesn't execute paths of the form #[cfg(not(feature = "X"))]. Thus, bugs can slip pass tests. We must eliminate this practice before the audit.

Goal

• Implement sign happy path in tofn. (Then: add sign to tofnd, complete a sign ceremony, etc.)

Tasks

• KV store for tofnd
• encrypt sensitive traffic in tofn
• authentication in axelar-core (see axelarnetwork/axelar-core#157 )
• tofn, tofnd should never panic
• design change: merge stateless functions into stateful

There is repeated in tofnd. Making use of Enums and Traits can prevent that.

Some candidates are:

1. tofnd/src/tests/mod.rs

   Line 64 in 4179451

   fn check_keygen_results(results: Vec<KeygenResult>, expected_crimes: &[Vec<KeygenCrime>]) -> bool {

   and
   

   tofnd/src/tests/mod.rs

   Line 119 in 4179451

   fn check_results(results: Vec<SignResult>, expected_crimes: &[Vec<SignCrime>]) {

2. tofnd/src/tests/tofnd_party.rs

   Line 203 in 4179451

   async fn execute_keygen(

   and
   

   tofnd/src/tests/tofnd_party.rs

   Line 275 in 4179451

   async fn execute_sign(

3. tofnd/src/tests/tofnd_party.rs

   Line 30 in 4179451

   pub(crate) fn should_timeout_keygen(&self, traffic: &proto::TrafficOut) -> bool {

   and
   

   tofnd/src/tests/tofnd_party.rs

   Line 53 in 4179451

   pub(crate) fn should_timeout_sign(&self, traffic: &proto::TrafficOut) -> bool {

4. tofnd/src/tests/tofnd_party.rs

   Line 78 in 4179451

   pub(crate) fn spoof_keygen(

   and
   

   tofnd/src/tests/tofnd_party.rs

   Line 111 in 4179451

   pub(crate) fn spoof_sign(&mut self, traffic: &proto::TrafficOut) -> Option<proto::TrafficOut> {

It was observed that malicious tests fail when multiple core threads are used. Investigate the origin of this failure.

The output is:

h (t,n)=(3,4)"}:{round=3}:Sign:{state="sign [Gus-test-sig] party [uid:D, share:4/4]"}:{round=6}:Keygen:{state="keygen [Gus-test-key] party [B] with (t,n)=(2,4)"}:{round=3}:Sign:{state="sign [Gus-test-sig] party [uid:A, share:1/7]"}:{round=2}:Keygen:{state="keygen [Gus-test-key] party [A] with (t,n)=(6,5)"}:{round=3}:Sign:{state="sign [Gus-test-sig] party [uid:D, share:6/9]"}:{round=2}:Keygen:{state="keygen [Gus-test-key] party [A] with (t,n)=(6,5)"}:{round=3}:Sign:{state="sign [Gus-test-sig] party [uid:A, share:1/8]"}:{round=3}:Keygen:{state="keygen [Gus-test-key] party [C] with (t,n)=(7,8)"}:{round=3}:Sign:{state="sign [Gus-test-sig] party [uid:A, share:1/9]"}:{round=1}: tofnd::gg20: sign failure: "Expected sign init message"
thread 'tokio-runtime-worker' panicked at 'sign failure to complete', src/tests/tofnd_party.rs:167:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'tokio-runtime-worker' panicked at 'called `Result::unwrap()` on an `Err` value: RecvError(())', src/tests/tofnd_party.rs:44:45
kv_manager stop

We should not be copying the tofnd.proto protocol buffers file between repos. Instead, we should have a single authoritative source for this file. Unfortunately, there are no obvious best options. Current leading contender is to put tofnd.proto into its own separate git repo and include it as a git submodule in axelar-core, tofnd, and wherever else it's needed.

Originally posted by @cgorenflo in axelarnetwork/axelar-core#297 (comment)

• Add disruption login
• Merge axelarnetwork/tofn#75 to successfully determine deserialization crimes

The following dependencies are outdated:

Before updating we need to investigate if we have conflicts with some of the new versions since some of the updates are major.

Until now, we only accommodate crimes for sign. Add support for keygen crimes, as well.

• get keygen result in keygen.rs; This has alaready been done for Sign. We need this to retrieve the result (SectetKeyShare of Crimes) from a keygen execution and check that it was the expected one
• refactor test cases to support keygen test cases
• add tests for keygen

We need to differentiate between timeouts and non-timeout criminals in axelar-core. Add a MaliciousType at the protobuf and assign it to timeout crimes.

We only provide trivial tests for malicious behaviours with a single malicious type per test case. We should expand those into more complex scenarios, and find bugs that are possibly lurking.

This will be unblocked when axelarnetwork/tofn#35 is merged.

The result contains the uid of the criminal one time for each of his shares because all shares that belong to the malicious party are registered as individual criminals, and multiple shares map to the same uid.

Example: if a malicious party A has shares with tofn indices 0,1,2, the criminal_list will contain [0:Malicious, 1:Malicious, 2:Malicious] (which correspond to [tofn_index, CrimeType] for each pair).

In tofnd, we examine the uid of the criminal, rather than his tofn share indices. This means that the criminal vector will become [A:Malicious, A:Malicious, A:Malicious] (which correspond to [tofnd_index, CrimeType] for each pair).

We need to eliminate these duplicates.

Better logging for tofnd enabled in #31 (review) . Log level is set via environment variable: export RUST_LOG=INFO. How best to configure this option in docker / axelarate? Options:

1. Add export RUST_LOG=INFO to entrypoint.sh in tofnd.
2. Something fancier that allows us to set tofnd log level in axelarate/config.toml?

Currently, tests pass even if a protocol fails. As discussed, need to fix test in tofnd_party.rs to make sure keygen (and sign) completes. if not then fail the test.

Originally posted by @ggutoski in #23 (comment)

In tofnd tests, we only assert that the protocol is terminated gracefully. It would be helpful to actually check at the tofnd level if the protocol result is the expected, although analogous tests already exist in tofn.

This will be unblocked when #34 is merged.

@sammy1991106 reports that a local cluster test with weighted share allocation 1,2,3,4,5 failed to complete keygen. See axelar-core branch feat/weighted-tss-share. Logs and discussion posted to #tofn channel in slack.

This is basically what I did to "fake" the 1, 2, 3, 4, ,5 scenario

IDs are user input fields, so we need to make sure that we cannot inject any malicious behaviour with these strings

There are some structs in tofn that are defined only for testing purposes. Some of these structs are useful in tofnd tests, as well. Investigate what is the best way to import them. Right now we just duplicate code.

Examples:
https://github.com/axelarnetwork/tofn/blob/f05bb0150261fefd383cb0737c7b5ecd15308612/src/protocol/gg20/sign/malicious/tests/test_cases.rs#L41-L68

https://github.com/axelarnetwork/tofn/blob/f05bb0150261fefd383cb0737c7b5ecd15308612/src/protocol/gg20/sign/malicious/tests/test_cases.rs#L41-L68

Options:

• check if we can import structs from test modules
• check if we can expose them in a mod that is visible to tofnd

In https://github.com/axelarnetwork/tofnd/blob/main/src/config/mod.rs, we support command line parsing for sign malicious types. When keygen crimes are accommodated, we need to to extend this config for keygen behaviours, as well.

This config file is already ugly, so that could be a good chance to refactor it. Maybe it'd be cleaner if we use a config file instead of command line args.

The build is currently broken on master: https://github.com/axelarnetwork/tofnd/runs/2196540191

#25 125.5 error[E0463]: can't find crate for `serde_derive`
#25 125.5   --> /usr/local/cargo/git/checkouts/rust-gmp-ec80bc1e51a8ce8f/641a89f/src/lib.rs:13:1
#25 125.5    |
#25 125.5 13 | extern crate serde_derive;
#25 125.5    | ^^^^^^^^^^^^^^^^^^^^^^^^^^ can't find crate
#25 125.5 
#25 125.5 error: aborting due to previous error

Log output has pretty colours in the terminal. Unfortunately, when this log output is redirected to a file the resulting text contains unreadable cruft about colour. We had a similar issue with Binance's tss-lib. What to do? Is it possible to get both (1) pretty coloured logs in the terminal, and (2) readable plaintext logs when redirected to file?

Before mnemonic, we only had a single kv-store created at .kvstore path. Now that we have two kvstores we need to create two directories under .kvstore: .kvstore/shares and .kvstore/mnemonic.

Tofnd allows the end-user to specify a malicious behaviour in a config file or CLI flag. We currently enforce that all malicious behaviours include a victim arg, even those malicious variants that do not have a victim arg. For those variants, the victim arg is simply ignored:

• tofnd/src/config/mod.rs

  Line 71 in 192d954

  .arg(Arg::with_name("victim").required(true).help("victim")),

• tofnd/src/config/mod.rs

  Line 91 in 192d954

  fn match_string_to_behaviour(behaviour: &str, victim: usize) -> MaliciousType {

We do this only because it's easy. Instead, we should demand a victim arg only for those malicious variants that actually need it.

In general, each malicious variant might have ts own custom args list. For each such variant, we'll need to write custom code to parse config data for that variant. That could become tedious in the future but we should do it anyway. See discussion in axelarnetwork/tofn#38.

Overview

Use testdir to allow for concurrent execution of all async rust tests that create conflicting kv-stores.

Summary

tests/mod.rs::basic_keygen_and_sign and tests/mod.rs::restart_one_party try to create kv-stores under the same directory. So far, we had to toggle these tests so that only one runs a time.

By using a library such as testdir, we can assign unique directories to each test to enable concurrent execution.

Investigate whether the use building pattern can be used to reduce the clutter of #[cfg(not(feature = "malicious"))].

Example:

Originally posted by @ggutoski in #43 (comment)

Goal

Swap from tssd to tofnd. All tasks that do not block this goal are postponed. The intent is to have everyone using tofnd exclusively so that we can find pain points and build a track record. Any time remaining in the sprint upon completion of this goal will be spent on non-blocking tasks.

Blocking tasks

• Do whatever tests are needed to give us confidence that we can swap from tssd to tofnd.
• Get tofnd working with AWS, axelarate the way tssd currently works.
• Code review tofn, tofnd. Merge into master.

Non-blocking tasks

A to-do list of ongoing tasks to be rolled over to future sprints.

• encrypt sensitive traffic in tofn
• authentication in axelar-core (see axelarnetwork/axelar-core#157 )
• do not store party IDs in tofnd---store them in axelar-core instead. Restrict the tofnd API so that all party IDs are indices in 0..share_count.
• tofn, tofnd should never panic
• tofn keygen code clean: merge stateless functions into stateful
• KV store: currently using microkv. Seeking alternatives. A leading contender is kv but there are concerns about in-memory security.
• Eliminate use of zengo crates. Use k256 for math.
• When to make the switch from GG20 to CGGMP? GG20 is currently incomplete, so perhaps it's best to switch now.
• What to do about safe primes?
• Testing/benchmark for 1-25 validators.
• Edge case testing for bad messages.
• Cleaning function in case of timelines to clean-up intermediate state if protocol stalls.
• Restarts of the nodes: a node had a share, participated in the protocol, went offline, and then restarted. Want to make sure it can continue participating in the protocol.
• Useful error messages and context. Use thiserror and anyhow crates to reduce boilerplate for error handling as described in Rust: Structuring and handling errors in 2020 - nick.groenen.me

We need different images/containers for default and malicious build. Update Makefile and Dockerfile to address that.

We have github actions for testing only the regular build. Tests for --feature="malicious" need to be added.

The following options didn't work

- name: Run cargo test
   uses: actions-rs/cargo@v1
   with:
     command: test 
     args: --all-features

- name: Run cargo test
   uses: actions-rs/cargo@v1
   with:
     command: test --all-features

The following scenario causes Sign to stall:

• uids: 5
• party_share_counts: [1,2,3,4,10]
• threshold: 13
• sign_participants: [0,1,2,3,4]

Not sure if this is a tofn or tofnd issue, but am leaning towards tofn since the changes there are more drastic.

Last working commits:
tofnd: 3c760
tofn: cde2a

diffs between last working and first not working commit
tofnd: https://github.com/axelarnetwork/tofnd/compare/3c76050..be8f15e
tofn: https://github.com/axelarnetwork/tofn/compare/cde2aeb..36a85b0

Even though the last working commit of tofnd works for that scenario, it still fails with [1,2,3,4,20]. A solution is to increase the capacity of the channel between sign threads and the aggregator from 4 bytes to 100 bytes. Intermediate values might also work but are not tested. However, this does not fix the problem in master branch of tofnd.

Support for fault attribution requires that all p2p messages are broadcast to all parties. (eg. p2p messages from Alice to Bob should also be delivered to Charlie.) This is now implemented in tofn for both keygen and sign in branch https://github.com/axelarnetwork/tofn/tree/blame

I began modifying tofnd to support this new requirement in branch https://github.com/axelarnetwork/tofnd/tree/blame2 . It works for test cases with only one share per party, but breaks if any party has >1 share. I tried to fix it but gave up. Instead I put a few TODOs in the code to mark potential trouble spots. The blame2 tofnd branch has very few changes from master, so you should be able to see all I've done just by viewing the diffs.

I suspect we might be able to completely eliminate the need for the TofndP2pMsg struct now that all parties need to receive all p2p messages but I'm not certain. Please take a look @sdaveas and see if you can get it working. You now know that part of tofnd better than I do.

Test cases are taking too much time to complete. An easy way to speed them up is to perform separate tests for each test case. That way rust's parallel test execution will kick in.

Steps

1. Create an execute_test_case(test_case: &TestCase) function.
2. Create multiple tests for reach test case:

   fn test_spoofs() {
       execute_test_case(&SPOOFS);
   }
   

Discussion

Perhaps an even better way to achieve speed up thnings is to use the core_threads option of tokio. This produced problems in the past (see #58) and needs reiteration.

Migrated from Tss checklist notion doc.

• fault attribution
  • easy faults
  • hard faults, requiring additional rounds of msgs
  • deserialization faults
  • timeouts
  • tests
  • Design note: Begin each round with a list of messages received from other parties. 3 states: timeout (or other declared failure), deserialization failure, or successfully deserialized message.
• multiple shares per validator for stake-weighted threshold crypto
• authentication of messages (Stelios)
  • in axelar-core axelarnetwork/axelar-core#157
  • in tofnd #60
  • in tofn axelarnetwork/tofn#42
• tofn, tofnd should never panic (Stelios?)
• use sled for KV store (done in #15)
• better handling of test files. (done in #18)
• Eliminate use of zengo crates. Use k256 for math. axelarnetwork/tofn#58
• check for places where we need secure erasures of secrets in memory
• research logging libraries, choose one and deploy it in tofn and tofnd. #19
• Sad path should return specific crimes axelarnetwork/tofn#44
• check the tofn, tofnd APIs to make sure no leakage of secrets is allowed via various queries, "injection attacks" (put a command inside some field to trigger a malicious behavior), etc.

Keygen enhancements

• safe primes axelarnetwork/tofn#18
• key share recovery from mnemonic
  • axelar-core
  • tofnd
  • tofn (done in axelarnetwork/tofn#80 )
• encrypt p2p keygen traffic axelarnetwork/tofn#17
• Keygen zk proofs for Paillier keys axelarnetwork/tofn#74

Nice to have but not needed for mainnet

• robust keygen: new protocol design. (Do we want robust sign, too?)
• Useful error messages and context. #28
• Eliminate confusion on party vs participant indices axelarnetwork/tofn#11
• git submodule for shared protobuf file #9
  • tofnd: done in #64
  • axelar-core: TODO
• do not store party IDs in tofnd axelarnetwork/axelar-core#171
• Switch from GG20 to CGGMP

Some idiot* used an unnecessary message type CriminalList to wrap a repeated Criminal message:

* that would be me

As discussed, we can respond to the Abort message with the list of parties we have not received an answer from.
Note that malicious parties can choose not to respond to Abort message. Need to think if this complicates our task.

Originally posted by @sdaveas in axelarnetwork/tofn#65 (comment)

Motivation

We must allow users of tonfd to test sad-path. Thus, we must somehow expose an option for tofnd to behave maliciously (eg. emit a zk proof or commitment that fails to verify, etc). There is a danger that this malicious behaviour could be triggered by accident in real-world use. To minimize this danger I propose we use conditional compilation. That way, malicious behaviour is possible only if the tofnd binary was built to enable it.

Tasks

• Research options for conditional compilation
• Implement conditional compilation at the appropriate parts in tofnd to enable malicious behaviour
• Whatever solution we implement will probably need to be replicated in tofn, too. Talk to @ggutoski about this. I suspect tofn will be easier than tofnd.

Suggestions for first steps

I think cargo "features" is the way to go. Enable malicious behaviour compile time:

cargo build --features malicious

Recommended reading:

1. Features - The Cargo Book
2. Conditional compilation - The Rust Reference
3. Traps to avoid: Cargo [features] explained with examples - DEV Community

Implementation suggestions

Tofnd currently instantiates a non-malicious tofn::Sign struct here:

Unfortunately, I see no way to achieve our goal without modifying happy-path production code to facilitate it. My first instinct is to replace the tofn method call Sign::new with a call to a factory function like this:

fn new_sign( /* same args as Sign::new */ ) -> Box<dyn SignOutputter>

where SignOutputter is a new trait that replaces the concrete tofn type Sign. (What is Box and dyn? You can learn here: Implementing an Object-Oriented Design Pattern - The Rust Programming Language. Feel free to chat with @ggutoski about it.)

This new trait should:

1. be a supertrait of the Protocol trait defined in tofn.
2. have a single method clone_output() that returns the output of the completed protocol.

Happy-path tofn Sign already has a clone_output method, so it's trivial to make Sign implement the new SignOutputter trait. (Until recently, this method was named get_result.)

I don't know whether the new SignOutputter trait should be defined in tofn or tofnd.

Sign::clone_output currently called here in tofnd:

Confine conditional compilation to one source file

I suggest all conditional compilation be confined to a single new source file (eg. malicious_feature.rs or something). That's where the new new_sign factory function should go. It'll look something like this:

// sad path: "malicious" feature is enabled
#[cfg(feature = "malicious")]
fn new_sign( /* args */ ) -> Box<dyn SignOutputter> {
  Box::new( SignMaliciousR1BadProof::new( /* args */ ) )
}

// happy path: "malicious" feature is disabled
#[cfg(not(feature = "malicious"))]
fn new_sign( /* args */ ) -> Box<dyn SignOutputter> {
  Box::new( Sign::new( /* args */ ) )
}

Print a warning to stdout on launch

Currently, on startup tofnd prints something like the following to stdout:

tofnd listen addr 0.0.0.0:50051, use ctrl+c to shutdown
kv_manager found existing db [.kvstore]

Code to print this message occurs in main.rs here:

WARNING: THIS tofnd BINARY AS COMPILED IN 'MALICIOUS' MODE.  MALICIOUS BEHAVIOUR IS INTENTIONALLY INSERTED INTO SOME MESSAGES.  THIS BEHAVIOUR WILL CAUSE OTHER tofnd PROCESSES TO IDENTIFY THE CURRENT PROCESS AS MALICIOUS. 
tofnd listen addr 0.0.0.0:50051, use ctrl+c to shutdown
kv_manager found existing db [.kvstore]

As suggested above, malicious code should be confined to a single new source file. Thus, the above println! in main.rs should be replaced with a function call (something like print_startup_message) that's implemented elsewhere with conditional compilation to print the warning whenever the "malicious" feature is set.

user-story:

• when a user wants to become a validator, they run Paillier keygen and record their public key on the axelar-chain. No user can be a validator within registering this key first.

• either through axelar / or tss itself, users can export their Paillier keys as a mnemonic (24-48 words...).

• at the end of each keygen, encrypted shares are recorded on chain (shares are encrypted under Paillier key with the corresponding proofs of correctness).

• recovery mode: I was a validator in the past, I lost my keys, but I have my mnemonic. I want to re-register as a validator and recover a) my Paillier key, master key shares (if any) from the encryptions on chain.

• do we add new queries at the core to import/export keys?

When a crime is detected, parties can immediately stop the execution of the protocol. Although this is expected behaviour from tofn's side, our test framework in tofnd expect all threads to return. This causes some issues. The problem manifests when criminals are exposed, honest parties stop, but criminals still wait for messages. The result is that some tests are running for ever.

A temporary hacky solution is to make criminals have multiple shares. That way each one of the criminal shares can notify the other that the protocol is over. A proper solution is to decouple the data that are related to the protocol and the ones that are related to the communication inside Party struct.

When this is done, we will not need to wait threads to return in order to reclaim their resources (as done below).

Currently, we're missing more visibility in where tss is at, and it prevents us from debugging quickly.
Since keygen/sign are computationally heavy protocols, it would be useful to logs more details on where we're at during the computations.
e.g., for keygen with 25 validators, we could capture:

• "starting keygen phase 1. generating 1 broadcast message."
• "finished generating phase 1 messages.
• "starting keygen phase 2, generating 25 p2p messages."
• "finished generating 12/25 messages."
• "finished generating all phase 2 messages". etc.

maybe this needs to be captured at tofn (vs tofnd).

Description/Reasoning

• When keygen starts all parties store the keygen in their KV store
• When an already existing key is used for keygen, keygen init fails in tofnd then the socket connection to the client is closed with no message.
• This happens when a key ID is reused for keygen init, regardless of keygen success or failure

i.e. A key ID can never be reused to start the keygen operation

Current Behaviour

• In case of duplicate key ID a tofnd client (vald) has no way of differentiating between an error (keygen failure: "kv_manager key eth-master-E53757BAC7 already reserved")vs a network send/receive omission failure.

• This causes axelard to commit the KeygenInit request, responding with message broadcast success

• This causes c2d2 controller to believe keygen is in progress, then wait until timeout (e.g. 3 hours) to consider the keygen a de-facto failure.

  • This situation lead to c2d2 getting into a stuck state where it could not complete key rotation because it was reusing the same key ID until it was able to generate the key with that ID successfully.

• A workaround is used in c2d2 to address this: we always randomize the new key ID after keygen failure.

  • This is a necessary mechanism at the application layer regardless (sergey to add rationale where appropriate), but tofnd should make this failure case explicit to the client regardless. KeygenInit should not leave the client in an undefined state.

Expected Behaviour

• KeygenInit should not leave the client in an undefined state.
• @sdaveas Stelios @ggutoski

Steps to reproduce (for bugs)

1. Start a keygen
2. wait for keygen success or force a failure
3. attempt keygen with same keyID

Relevant Logs or Files

• https://app.datadoghq.com/logs?query=service%3Atofnd eth-master-E53757BAC7&cols=host%2Cservice&event=AQAAAXq7g92-2k9pkQAAAABBWHE3Zzk0TkFBQTZpclpsajYxdVZnQUM&index=&integration_id=&integration_short_name=&messageDisplay=expanded-md&saved_view=418062&stream_sort=desc&viz=stream&from_ts=1624139377455&to_ts=1626731377455&live=true

tofn has now migrated SignOutput sad-path return type from Vec<Criminal> to Vec<Vec<Crime>>. Need to upgrade tofnd to accept this new return type. The only use of tofn's Criminal is in proto_helpers.rs:

Currently, the sender of a tofnd message is not authenticated. Thus, malicious parties could spoof messages from other parties.

Tofnd currently processes incoming traffic as follows: we ignore all fields of TrafficIn messages except the binary payload, which is passed directly to tofn for deserialization:

struct MsgMeta {
    msg_type: MsgType,
    from: usize,
    payload: MsgBytes,
}

It is easy for a malicious actor to dig into the binary payload and spoof this from field and therefore send messages on behalf of other parties.

Instead of ignoring TrafficIn metadata, tofnd must somehow verify that the from_party_uid field in TrafficIn is consistent with the from field wrapped in the tofn binary payload.

Tofn currently does not expose the format of the binary payload. Thus, in order to enable tofnd to perform the above mentioned authentication, tofn must expose the necessary data in its API. This requirement is posted in a separate issue in the tofn repo: axelarnetwork/tofn#42