feat(crypto): CRP-2597 Extend NiDkgTag with HighThresholdForKey variant

rs/consensus/src/consensus/batch_delivery.rs

@@ -308,7 +308,7 @@ pub fn generate_responses_to_setup_initial_dkg_calls(
     for (id, callback_id, transcript) in transcripts_for_remote_subnets.iter() {
         let add_transcript = |transcript_results: &mut TranscriptResults| {
             let value = Some(transcript.clone());
-            match id.dkg_tag {
+            match &id.dkg_tag {
                 NiDkgTag::LowThreshold => {
                     if transcript_results.low_threshold.is_some() {
                         error!(
@@ -327,6 +327,12 @@ pub fn generate_responses_to_setup_initial_dkg_calls(
                     }
                     transcript_results.high_threshold = value;
                 }
+                NiDkgTag::HighThresholdForKey(master_public_key_id) => {
+                    error!(
+                        log,
+                        "Implementation error: NiDkgTag::HighThresholdForKey({master_public_key_id}) used in SetupInitialDKG for callback ID {callback_id}",
+                    );
+                }
             }
         };
         match transcripts.get_mut(callback_id) {

rs/consensus/src/consensus/dkg_key_manager.rs

@@ -535,9 +535,12 @@ impl Drop for DkgKeyManager {
 
 /// Print the information about a [`NiDkgId`] in a concise way for logging
 fn dkg_id_log_msg(id: &NiDkgId) -> String {
-    let tag = match id.dkg_tag {
-        NiDkgTag::LowThreshold => "low",
-        NiDkgTag::HighThreshold => "high",
+    let tag = match &id.dkg_tag {
+        NiDkgTag::LowThreshold => "low".to_string(),
+        NiDkgTag::HighThreshold => "high".to_string(),
+        NiDkgTag::HighThresholdForKey(master_public_key_id) => {
+            format!("highForKey({master_public_key_id})")
+        }
     };
 
     // If the target is local (which it is usually), we don't log the target

rs/consensus/src/dkg/payload_builder.rs

@@ -507,6 +507,21 @@ pub(crate) fn get_configs_for_local_transcripts(
                     resharing_transcript.cloned(),
                 )
             }
+            ////////////////////////////////////////////////////////////////////////////////
+            // TODO: how to behave here? The code below is copied+adapted from the HighThreshold case. However,
+            // this code currently won't be executed because we iterate over TAGS, which is a const that does not
+            // and cannot contain an NiDkgTag::HighThresholdForKey entry
+            ///////////////////////////////////////////////////////////////////////////////
+            NiDkgTag::HighThresholdForKey(master_public_key_id) => {
+                let resharing_transcript = reshared_transcripts
+                    .get(&NiDkgTag::HighThresholdForKey(master_public_key_id.clone()));
+                (
+                    resharing_transcript
+                        .map(|transcript| transcript.committee.get().clone())
+                        .unwrap_or_else(|| node_ids.clone()),
+                    resharing_transcript.cloned(),
+                )
+            }
         };
         let threshold =
             NumberOfNodes::from(tag.threshold_for_subnet_of_size(node_ids.len()) as u32);
@@ -1206,9 +1221,13 @@ mod tests {
                 assert_eq!(conf.max_corrupt_dealers().get(), 2);
                 assert_eq!(
                     conf.threshold().get().get(),
-                    match *tag {
+                    match tag {
                         NiDkgTag::LowThreshold => 3,
                         NiDkgTag::HighThreshold => 5,
+                        /////////////////////////////////////////
+                        // TODO: check with Consensus team
+                        NiDkgTag::HighThresholdForKey(_) => panic!("not applicable"),
+                        /////////////////////////////////////////
                     }
                 );
             }
@@ -1311,9 +1330,13 @@ mod tests {
                     assert_eq!(conf.max_corrupt_dealers().get(), 2);
                     assert_eq!(
                         conf.threshold().get().get(),
-                        match *tag {
+                        match tag {
                             NiDkgTag::LowThreshold => 3,
                             NiDkgTag::HighThreshold => 5,
+                            /////////////////////////////////////////
+                            // TODO: check with Consensus team
+                            NiDkgTag::HighThresholdForKey(_) => panic!("not applicable"),
+                            /////////////////////////////////////////
                         }
                     );
 

rs/crypto/BUILD.bazel

@@ -37,6 +37,7 @@ DEPENDENCIES = [
     "//rs/registry/helpers",
     "//rs/registry/keys",
     "//rs/types/base_types",
+    "//rs/types/management_canister_types",
     "//rs/types/types",
     "@crate_index//:bincode",
     "@crate_index//:hex",

rs/crypto/Cargo.toml

@@ -31,6 +31,7 @@ ic-crypto-tls-cert-validation = { path = "node_key_validation/tls_cert_validatio
 ic-crypto-tls-interfaces = { path = "tls_interfaces" }
 ic-crypto-utils-basic-sig = { path = "utils/basic_sig" }
 ic-crypto-utils-tls = { path = "utils/tls" }
+ic-management-canister-types = { path = "../types/management_canister_types" }
 ic-interfaces = { path = "../interfaces" }
 ic-interfaces-registry = { path = "../interfaces/registry" }
 ic-logger = { path = "../monitoring/logger" }

rs/crypto/benches/ni_dkg.rs

@@ -258,6 +258,7 @@ impl TestCase {
         let tag_name = match self.dkg_tag {
             NiDkgTag::LowThreshold => "low",
             NiDkgTag::HighThreshold => "high",
+            NiDkgTag::HighThresholdForKey(_) => unimplemented!(),
         };
         format!(
             "crypto_nidkg_{}_nodes_{}_dealers_{}",
@@ -281,6 +282,7 @@ impl TestCase {
                 num_of_dealers: num_of_nodes,
                 dkg_tag,
             },
+            NiDkgTag::HighThresholdForKey(_) => unimplemented!(),
         }
     }
 }

rs/crypto/internal/crypto_service_provider/BUILD.bazel

@@ -80,6 +80,7 @@ DEV_DEPENDENCIES = [
     "//rs/crypto/utils/basic_sig",
     "//rs/test_utilities/in_memory_logger",
     "//rs/test_utilities/time",
+    "//rs/types/management_canister_types",
     "//rs/types/types_test_utils",
     "@crate_index//:assert_matches",
     "@crate_index//:lazy_static",

rs/crypto/internal/crypto_service_provider/Cargo.toml

@@ -76,6 +76,7 @@ ic-crypto-test-utils-local-csp-vault = { path = "../../../crypto/test_utils/loca
 ic-crypto-test-utils-metrics = { path = "../../../crypto/test_utils/metrics" }
 ic-crypto-test-utils-reproducible-rng = { path = "../../../crypto/test_utils/reproducible_rng" }
 ic-crypto-utils-basic-sig = { path = "../../utils/basic_sig" }
+ic-management-canister-types = { path = "../../../types/management_canister_types" }
 ic-test-utilities-compare-dirs = { path = "../../../test_utilities/compare_dirs" }
 ic-test-utilities-in-memory-logger = { path = "../../../test_utilities/in_memory_logger" }
 ic-test-utilities-time = { path = "../../../test_utilities/time" }

rs/crypto/internal/crypto_service_provider/src/vault/test_utils/ni_dkg/fixtures.rs

@@ -10,6 +10,10 @@ use ic_crypto_internal_types::sign::threshold_sig::ni_dkg::{
     CspNiDkgDealing, CspNiDkgTranscript, Epoch,
 };
 use ic_crypto_internal_types::sign::threshold_sig::public_key::CspThresholdSigPublicKey;
+use ic_management_canister_types::{
+    EcdsaCurve, EcdsaKeyId, MasterPublicKeyId, SchnorrAlgorithm, SchnorrKeyId, VetKdCurve,
+    VetKdKeyId,
+};
 use ic_types::crypto::threshold_sig::ni_dkg::config::dealers::NiDkgDealers;
 use ic_types::crypto::threshold_sig::ni_dkg::config::receivers::NiDkgReceivers;
 use ic_types::crypto::threshold_sig::ni_dkg::config::NiDkgThreshold;
@@ -22,7 +26,7 @@ use rand::Rng;
 use rand_chacha::ChaCha20Rng;
 use std::collections::BTreeMap;
 use std::sync::Arc;
-use strum::IntoEnumIterator;
+use strum::{EnumCount, IntoEnumIterator};
 
 // Generate random data structures:
 // Alternatively we could implement Distribution for all of these types.
@@ -33,10 +37,45 @@ pub fn random_height(rng: &mut ChaCha20Rng) -> Height {
 pub fn random_subnet_id(rng: &mut ChaCha20Rng) -> SubnetId {
     subnet_test_id(rng.gen::<u64>())
 }
+pub fn random_master_public_key_id(rng: &mut ChaCha20Rng) -> MasterPublicKeyId {
+    assert_eq!(MasterPublicKeyId::COUNT, 3);
+    assert_eq!(EcdsaCurve::iter().count(), 1);
+    assert_eq!(SchnorrAlgorithm::iter().count(), 2);
+    assert_eq!(VetKdCurve::iter().count(), 1);
+
+    use rand::prelude::SliceRandom;
+    [
+        MasterPublicKeyId::Ecdsa(EcdsaKeyId {
+            curve: EcdsaCurve::Secp256k1,
+            name: "some key".to_string(),
+        }),
+        MasterPublicKeyId::Schnorr(SchnorrKeyId {
+            algorithm: SchnorrAlgorithm::Bip340Secp256k1,
+            name: "some key".to_string(),
+        }),
+        MasterPublicKeyId::Schnorr(SchnorrKeyId {
+            algorithm: SchnorrAlgorithm::Ed25519,
+            name: "some key".to_string(),
+        }),
+        MasterPublicKeyId::VetKd(VetKdKeyId {
+            curve: VetKdCurve::Bls12_381_G2,
+            name: "some key".to_string(),
+        }),
+    ]
+    .choose(rng)
+    .cloned()
+    .expect("Could not choose a MasterPublicKeyId")
+}
 pub fn random_ni_dkg_tag(rng: &mut ChaCha20Rng) -> NiDkgTag {
-    NiDkgTag::iter()
-        .choose(rng)
-        .expect("Could not choose a NiDkgTag")
+    use rand::prelude::SliceRandom;
+    [
+        NiDkgTag::LowThreshold,
+        NiDkgTag::HighThreshold,
+        NiDkgTag::HighThresholdForKey(random_master_public_key_id(rng)),
+    ]
+    .choose(rng)
+    .cloned()
+    .expect("Could not choose a NiDkgTag")
 }
 pub fn random_ni_dkg_id(rng: &mut ChaCha20Rng) -> NiDkgId {
     NiDkgId {

rs/crypto/src/sign/threshold_sig.rs

@@ -22,6 +22,9 @@ mod tests;
 pub struct ThresholdSignerInternal {}
 
 impl ThresholdSignerInternal {
+    ////////////////////////////////////////
+    #[allow(clippy::result_large_err)]
+    ////////////////////////////////////////
     pub fn sign_threshold<C: ThresholdSignatureCspClient, H: Signable>(
         lockable_threshold_sig_data_store: &LockableThresholdSigDataStore,
         threshold_sig_csp_client: &C,
@@ -70,6 +73,9 @@ fn sig_data_not_found_error(dkg_id: NiDkgId) -> ThresholdSigDataNotFoundError {
     ThresholdSigDataNotFoundError::ThresholdSigDataNotFound { dkg_id }
 }
 
+////////////////////////////////////////
+#[allow(clippy::result_large_err)]
+////////////////////////////////////////
 fn threshold_sig_share_or_panic<H: Signable>(
     csp_signature: CspSignature,
 ) -> Result<ThresholdSigShareOf<H>, ThresholdSignError> {
@@ -441,12 +447,8 @@ impl ThresholdSigVerifierInternal {
         H: Signable,
     {
         let csp_signature = CspSignature::try_from(signature)?;
-        let transcript = initial_ni_dkg_transcript_from_registry(
-            registry,
-            subnet_id,
-            version,
-            NiDkgTag::HighThreshold,
-        )?;
+        let transcript =
+            initial_high_threshold_ni_dkg_transcript_from_registry(registry, subnet_id, version)?;
         let csp_pub_coeffs = CspPublicCoefficients::from(&transcript);
         threshold_sig_csp_client
             .threshold_verify_combined_signature(
@@ -459,20 +461,16 @@ impl ThresholdSigVerifierInternal {
     }
 }
 
-fn initial_ni_dkg_transcript_from_registry(
+fn initial_high_threshold_ni_dkg_transcript_from_registry(
     registry: &dyn RegistryClient,
     subnet_id: SubnetId,
     registry_version: RegistryVersion,
-    dkg_tag: NiDkgTag,
 ) -> CryptoResult<NiDkgTranscript> {
     let maybe_transcripts = registry
         .get_initial_dkg_transcripts(subnet_id, registry_version)
         .map_err(CryptoError::RegistryClient)?;
     match maybe_transcripts.value {
-        Some(transcripts) => Ok(match dkg_tag {
-            NiDkgTag::LowThreshold => transcripts.low_threshold,
-            NiDkgTag::HighThreshold => transcripts.high_threshold,
-        }),
+        Some(transcripts) => Ok(transcripts.high_threshold),
         None => Err(CryptoError::DkgTranscriptNotFound {
             subnet_id,
             registry_version,