Merge pull request #223 from skalenetwork/enhancement/SKALE-3504-hash-derived-key

Enhancement/skale 3504 hash derived key

Merge pull request #223 from skalenetwork/enhancement/SKALE-3504-hash-derived-key
Enhancement/skale 3504 hash derived key
e9c0e3e9 · Oleh Nikolaiev · GitHub · afd3ef07 · bb9ecdf1 · e9c0e3e9
Unverified Commit e9c0e3e9 authored Nov 17, 2020 by Oleh Nikolaiev Committed by GitHub Nov 17, 2020
16 changed files
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,7 +16,3 @@
 [submodule "sgx-software-enable"]
 	path = sgx-software-enable
 	url = https://github.com/intel/sgx-software-enable
-[submodule "secure_enclave/secp256k1-sgx"]
-	path = secure_enclave/secp256k1-sgx
-	url = https://github.com/bl4ck5un/secp256k1-sgx
-	branch = master
--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -284,6 +284,68 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
    return result;
 }
+string getSecretSharesV2(const string& _polyName, const char* _encryptedPolyHex, const vector<string>& _publicKeys, int _t, int _n) {
+    CHECK_STATE(_encryptedPolyHex);
+    vector<char> hexEncrKey(BUF_LEN, 0);
+    vector<char> errMsg(BUF_LEN, 0);
+    vector <uint8_t> encrDKGPoly(BUF_LEN, 0);
+    int errStatus = 0;
+    uint64_t encLen = 0;
+    if (!hex2carray(_encryptedPolyHex, &encLen, encrDKGPoly.data(), BUF_LEN)) {
+        throw SGXException(INVALID_HEX, "Invalid encryptedPolyHex");
+    }
+    sgx_status_t status = SGX_SUCCESS;
+    READ_LOCK(sgxInitMutex);
+    string result;
+    for (int i = 0; i < _n; i++) {
+        vector <uint8_t> encryptedSkey(BUF_LEN, 0);
+        uint64_t decLen;
+        vector<char> currentShare(193, 0);
+        vector<char> sShareG2(320, 0);
+        string pub_keyB = _publicKeys.at(i);
+        vector<char> pubKeyB(129, 0);
+        strncpy(pubKeyB.data(), pub_keyB.c_str(), 128);
+        pubKeyB.at(128) = 0;
+        spdlog::debug("pubKeyB is {}", pub_keyB);
+        sgx_status_t status = SGX_SUCCESS;
+        status = trustedGetEncryptedSecretShareV2(eid, &errStatus,
+                                                errMsg.data(),
+                                                encrDKGPoly.data(), encLen,
+                                                encryptedSkey.data(), &decLen,
+                                                   currentShare.data(), sShareG2.data(), pubKeyB.data(), _t, _n,
+                                                   i + 1);
+        HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());
+        result += string(currentShare.data());
+        hexEncrKey = carray2Hex(encryptedSkey.data(), decLen);
+        string dhKeyName = "DKG_DH_KEY_" + _polyName + "_" + to_string(i) + ":";
+        string shareG2_name = "shareG2_" + _polyName + "_" + to_string(i) + ":";
+        SGXWalletServer::writeDataToDB(dhKeyName, hexEncrKey.data());
+        SGXWalletServer::writeDataToDB(shareG2_name, sShareG2.data());
+    }
+    string encryptedSecretShareName = "encryptedSecretShare:" + _polyName;
+    SGXWalletServer::writeDataToDB(encryptedSecretShareName, result);
+    return result;
+}
 bool
 verifyShares(const char *publicShares, const char *encr_sshare, const char *encryptedKeyHex, int t, int n, int ind) {
@@ -320,6 +382,42 @@ verifyShares(const char *publicShares, const char *encr_sshare, const char *encr
    return result;
 }
+bool
+verifySharesV2(const char *publicShares, const char *encr_sshare, const char *encryptedKeyHex, int t, int n, int ind) {
+    CHECK_STATE(publicShares);
+    CHECK_STATE(encr_sshare);
+    CHECK_STATE(encryptedKeyHex);
+    vector<char> errMsg(BUF_LEN, 0);
+    int errStatus = 0;
+    uint64_t decKeyLen = 0;
+    int result = 0;
+    SAFE_UINT8_BUF(encr_key, BUF_LEN);
+    if (!hex2carray(encryptedKeyHex, &decKeyLen, encr_key, BUF_LEN)) {
+        throw SGXException(INVALID_HEX, "Invalid encryptedPolyHex");
+    }
+    SAFE_CHAR_BUF(pshares, 8193);
+    strncpy(pshares, publicShares, strlen(publicShares));
+    sgx_status_t status = SGX_SUCCESS;
+    RESTART_BEGIN
+        status = trustedDkgVerifyV2(eid, &errStatus, errMsg.data(), pshares, encr_sshare, encr_key, decKeyLen, t,
+                                     ind, &result);
+    RESTART_END
+    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());
+    if (result == 2) {
+        throw SGXException(INVALID_HEX, "Invalid public shares");
+    }
+    return result;
+}
 bool createBLSShare(const string &blsKeyName, const char *s_shares, const char *encryptedKeyHex) {
    CHECK_STATE(s_shares);

--- a/DKGCrypto.h
+++ b/DKGCrypto.h
@@ -41,8 +41,12 @@ vector<string> splitString(const char* coeffs, const char symbol);
 string getSecretShares(const string& _polyName, const char* _encryptedPolyHex, const vector<string>& _publicKeys, int _t, int _n);
+string getSecretSharesV2(const string& _polyName, const char* _encryptedPolyHex, const vector<string>& _publicKeys, int _t, int _n);
 bool verifyShares(const char* publicShares, const char* encr_sshare, const char * encryptedKeyHex, int t, int n, int ind);
+bool verifySharesV2(const char* publicShares, const char* encr_sshare, const char * encryptedKeyHex, int t, int n, int ind);
 string decryptDHKey(const string& polyName, int ind);
 bool createBLSShare( const string& blsKeyName, const char * s_shares, const char * encryptedKeyHex);

--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -744,6 +744,76 @@ Json::Value SGXWalletServer::deleteBlsKeyImpl(const string &name) {
    RETURN_SUCCESS(result)
 }
+Json::Value SGXWalletServer::getSecretShareV2Impl(const string &_polyName, const Json::Value &_pubKeys, int _t, int _n) {
+    spdlog::info("Entering {}", __FUNCTION__);
+    INIT_RESULT(result);
+    result["secretShare"] = "";
+    try {
+        if (_pubKeys.size() != (uint64_t) _n) {
+            throw SGXException(INVALID_DKG_PARAMS, "invalid number of public keys");
+        }
+        if (!checkName(_polyName, "POLY")) {
+            throw SGXException(INVALID_POLY_NAME, "Invalid polynomial name");
+        }
+        if (!check_n_t(_t, _n)) {
+            throw SGXException(INVALID_DKG_PARAMS, "Invalid DKG parameters: n or t ");
+        }
+        shared_ptr <string> encrPoly = readFromDb(_polyName);
+        vector <string> pubKeysStrs;
+        for (int i = 0; i < _n; i++) {
+            if (!checkHex(_pubKeys[i].asString(), 64)) {
+                throw SGXException(INVALID_HEX, "Invalid public key");
+            }
+            pubKeysStrs.push_back(_pubKeys[i].asString());
+        }
+        string secret_share_name = "encryptedSecretShare:" + _polyName;
+        shared_ptr <string> encryptedSecretShare = checkDataFromDb(secret_share_name);
+        if (encryptedSecretShare != nullptr) {
+            result["secretShare"] = *encryptedSecretShare.get();
+        } else {
+            string s = getSecretSharesV2(_polyName, encrPoly->c_str(), pubKeysStrs, _t, _n);
+            result["secretShare"] = s;
+        }
+    } HANDLE_SGX_EXCEPTION(result)
+    RETURN_SUCCESS(result)
+}
+Json::Value SGXWalletServer::dkgVerificationV2Impl(const string &_publicShares, const string &_ethKeyName,
+                                                 const string &_secretShare, int _t, int _n, int _index) {
+    spdlog::info("Entering {}", __FUNCTION__);
+    INIT_RESULT(result)
+    result["result"] = false;
+    try {
+        if (!checkECDSAKeyName(_ethKeyName)) {
+            throw SGXException(INVALID_ECDSA_KEY_NAME, "Invalid ECDSA key name");
+        }
+        if (!check_n_t(_t, _n) || _index >= _n || _index < 0) {
+            throw SGXException(INVALID_DKG_PARAMS, "Invalid DKG parameters: n or t ");
+        }
+        if (!checkHex(_secretShare, SECRET_SHARE_NUM_BYTES)) {
+            throw SGXException(INVALID_HEX, "Invalid Secret share");
+        }
+        if (_publicShares.length() != (uint64_t) 256 * _t) {
+            throw SGXException(INVALID_DKG_PARAMS, "Invalid length of public shares");
+        }
+        shared_ptr <string> encryptedKeyHex_ptr = readFromDb(_ethKeyName);
+        if (verifySharesV2(_publicShares.c_str(), _secretShare.c_str(), encryptedKeyHex_ptr->c_str(), _t, _n, _index)) {
+            result["result"] = true;
+        }
+    } HANDLE_SGX_EXCEPTION(result)
+    RETURN_SUCCESS(result)
+}
 Json::Value SGXWalletServer::generateDKGPoly(const string &_polyName, int _t) {
    return generateDKGPolyImpl(_polyName, _t);
 }
@@ -827,6 +897,17 @@ Json::Value SGXWalletServer::deleteBlsKey(const string &name) {
    return deleteBlsKeyImpl(name);
 }
+Json::Value SGXWalletServer::getSecretShareV2(const string &_polyName, const Json::Value &_publicKeys, int t, int n) {
+    return getSecretShareV2Impl(_polyName, _publicKeys, t, n);
+}
+Json::Value
+SGXWalletServer::dkgVerificationV2(const string &_publicShares, const string &ethKeyName, const string &SecretShare,
+                                 int t,
+                                 int n, int index) {
+    return dkgVerificationV2Impl(_publicShares, ethKeyName, SecretShare, t, n, index);
+}
 shared_ptr <string> SGXWalletServer::readFromDb(const string &name, const string &prefix) {
    auto dataStr = checkDataFromDb(prefix + name);

--- a/SGXWalletServer.hpp
+++ b/SGXWalletServer.hpp
@@ -91,6 +91,10 @@ public:
    virtual Json::Value deleteBlsKey( const std::string& name );
+    virtual Json::Value getSecretShareV2(const string &_polyName, const Json::Value &_publicKeys, int t, int n);
+    virtual Json::Value dkgVerificationV2(const string &_publicShares, const string &ethKeyName, const string &SecretShare, int t, int n, int index);
    static shared_ptr<string> readFromDb(const string &name, const string &prefix = "");
    static shared_ptr <string> checkDataFromDb(const string &name, const string &prefix = "");
@@ -143,6 +147,10 @@ public:
    static Json::Value deleteBlsKeyImpl(const std::string& name);
+    static Json::Value getSecretShareV2Impl(const string &_polyName, const Json::Value &_pubKeys, int _t, int _n);
+    static Json::Value dkgVerificationV2Impl(const string &_publicShares, const string &_ethKeyName, const string &_secretShare, int _t, int _n, int _index);
    static void printDB();
    static int initHttpServer();

--- a/TestUtils.cpp
+++ b/TestUtils.cpp
--- a/TestUtils.h
+++ b/TestUtils.h
@@ -70,15 +70,23 @@ public:
    static void sendRPCRequest();
+    static void sendRPCRequestV2();
    static void destroyEnclave();
    static void doDKG(StubClient &c, int n, int t,
                                 vector<string>& _ecdsaKeyNames, vector<string>& _blsKeyNames,
                                 int schainID, int dkgID);
+    static void doDKGV2(StubClient &c, int n, int t,
+                                 vector<string>& _ecdsaKeyNames, vector<string>& _blsKeyNames,
+                                 int schainID, int dkgID);
 };
 int sessionKeyRecoverDH(const char *skey_str, const char *sshare, char *common_key);
 int xorDecryptDH(char *key, const char *cypher, vector<char>& message);
+int xorDecryptDHV2(char *key, const char *cypher, vector<char>& message);
 #endif //SGXWALLET_TESTW_H
--- a/abstractstubserver.h
+++ b/abstractstubserver.h
@@ -58,6 +58,9 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>
          this->bindAndAddMethod(jsonrpc::Procedure("getServerStatus", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT,  NULL), &AbstractStubServer::getServerStatusI);
          this->bindAndAddMethod(jsonrpc::Procedure("getServerVersion", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT,  NULL), &AbstractStubServer::getServerVersionI);
          this->bindAndAddMethod(jsonrpc::Procedure("deleteBlsKey", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "blsKeyName", jsonrpc::JSON_STRING, NULL), &AbstractStubServer::deleteBlsKeyI);
+          this->bindAndAddMethod(jsonrpc::Procedure("getSecretShareV2", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "polyName",jsonrpc::JSON_STRING,"publicKeys",jsonrpc::JSON_ARRAY, "n",jsonrpc::JSON_INTEGER,"t",jsonrpc::JSON_INTEGER, NULL), &AbstractStubServer::getSecretShareV2I);
+          this->bindAndAddMethod(jsonrpc::Procedure("dkgVerificationV2", jsonrpc::PARAMS_BY_NAME, jsonrpc::JSON_OBJECT, "publicShares",jsonrpc::JSON_STRING, "ethKeyName",jsonrpc::JSON_STRING, "secretShare",jsonrpc::JSON_STRING,"t",jsonrpc::JSON_INTEGER, "n",jsonrpc::JSON_INTEGER, "index",jsonrpc::JSON_INTEGER, NULL), &AbstractStubServer::dkgVerificationV2I);
        }
        inline virtual void importBLSKeyShareI(const Json::Value &request, Json::Value &response)
@@ -144,6 +147,15 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>
            response = this->deleteBlsKey(request["blsKeyName"].asString());
        }
+        inline virtual void getSecretShareV2I(const Json::Value &request, Json::Value &response)
+        {
+            response = this->getSecretShareV2(request["polyName"].asString(), request["publicKeys"], request["t"].asInt(),request["n"].asInt());
+        }
+        inline virtual void dkgVerificationV2I(const Json::Value &request, Json::Value &response)
+        {
+            response = this->dkgVerificationV2(request["publicShares"].asString(), request["ethKeyName"].asString(), request["secretShare"].asString(), request["t"].asInt(), request["n"].asInt(), request["index"].asInt());
+        }
        virtual Json::Value importBLSKeyShare(const std::string& keyShare, const std::string& keyShareName) = 0;
        virtual Json::Value blsSignMessageHash(const std::string& keyShareName, const std::string& messageHash, int t, int n ) = 0;
        virtual Json::Value importECDSAKey(const std::string& keyShare, const std::string& keyShareName) = 0;
@@ -165,6 +177,9 @@ class AbstractStubServer : public jsonrpc::AbstractServer<AbstractStubServer>
        virtual Json::Value getServerStatus() = 0;
        virtual Json::Value getServerVersion() = 0;
        virtual Json::Value deleteBlsKey(const std::string& name) = 0;
+        virtual Json::Value getSecretShareV2(const std::string& polyName, const Json::Value& publicKeys, int t, int n) = 0;
+        virtual Json::Value dkgVerificationV2( const std::string& publicShares, const std::string& ethKeyName, const std::string& SecretShare, int t, int n, int index) = 0;
 };
 #endif //JSONRPC_CPP_STUB_ABSTRACTSTUBSERVER_H_
--- a/secure_enclave/DHDkg.c
+++ b/secure_enclave/DHDkg.c
@@ -161,7 +161,7 @@ int session_key_recover(const char *skey_str, const char *sshare, char *common_k
    point_clear(pub_keyB);
    point_clear(session_key);
-    return  ret;
+    return ret;
 }
 int xor_encrypt(char *key, char *message, char *cypher) {
@@ -209,6 +209,44 @@ int xor_encrypt(char *key, char *message, char *cypher) {
    return ret;
 }
+int xor_encrypt_v2(char *key, char *message, char *cypher) {
+    int ret = -1;
+    if (!cypher) {
+        LOG_ERROR("xor_encrypt: null cypher");
+        return ret;
+    }
+    if (!key) {
+        LOG_ERROR("xor_encrypt: null key");
+        return ret;
+    }
+    if (!message) {
+        LOG_ERROR("xor_encrypt: null message");
+        return ret;
+    }
+    SAFE_CHAR_BUF(cypher_bin, 33);
+    uint64_t msg_length;
+    uint8_t msg_bin[33];
+    if (!hex2carray(message, &msg_length, msg_bin)) {
+        return ret;
+    }
+    for (int i = 0; i < 32; i++) {
+        cypher_bin[i] = msg_bin[i] ^ (uint8_t)key[i];
+    }
+    carray2Hex((unsigned char*) cypher_bin, 32, cypher);
+    ret = 0;
+    return ret;
+}
 int xor_decrypt(char *key, char *cypher, char *message) {
    int ret = -1;
@@ -254,3 +292,60 @@ int xor_decrypt(char *key, char *cypher, char *message) {
    return ret;
 }
+int xor_decrypt_v2(char *key, char *cypher, char *message) {
+    int ret = -1;
+    if (!cypher) {
+        LOG_ERROR("xor_encrypt: null cypher");
+        return ret;
+    }
+    if (!key) {
+        LOG_ERROR("xor_encrypt: null key");
+        return ret;
+    }
+    if (!message) {
+        LOG_ERROR("xor_encrypt: null message");
+        return ret;
+    }
+    SAFE_CHAR_BUF(msg_bin,33);
+    uint64_t cypher_length;
+    SAFE_CHAR_BUF(cypher_bin, 33);
+    if (!hex2carray(cypher, &cypher_length, (uint8_t *) cypher_bin)) {
+        return ret;
+    }
+    for (int i = 0; i < 32; i++) {
+        msg_bin[i] = cypher_bin[i] ^ (uint8_t)key[i];
+    }
+    carray2Hex((unsigned char*) msg_bin, 32, message);
+    ret = 0;
+    return ret;
+}
+int hash_key(char* key, char* hashed_key) {
+    int ret = -1;
+    if (!key) {
+        LOG_ERROR("hash_key: null key");
+        return ret;
+    }
+    if (!hashed_key) {
+        LOG_ERROR("hash_key: null hashed_key");
+        return ret;
+    }
+    ret = sgx_sha256_msg((uint8_t*)key, ECDSA_SKEY_LEN - 1, (uint8_t*)hashed_key);
+    return ret;
+}
--- a/secure_enclave/DHDkg.h
+++ b/secure_enclave/DHDkg.h
@@ -30,6 +30,12 @@ int session_key_recover(const char *skey_str, const char* sshare, char* common_k
 int xor_encrypt(char* key, char* message, char* cypher);
+int xor_encrypt_v2(char* key, char* message, char* cypher);
 int xor_decrypt(char* key, char* cypher, char* message);
+int xor_decrypt_v2(char* key, char* cypher, char* message);
+int hash_key(char* key, char* hashed_key);
 #endif //SGXD_DRIVE_KEY_DKG_H
--- a/secp256k1-sgx @ 5f235e8e
+++ b/secp256k1-sgx @ 5f235e8e
-Subproject commit 5f235e8e9e821cd972c4a57afdfe47a7fe83acd0
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -917,6 +917,86 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
    LOG_INFO("SGX call completed");
 }
+void trustedGetEncryptedSecretShareV2(int *errStatus, char *errString,
+                                      uint8_t *_encrypted_poly,  uint64_t _enc_len,
+                                      uint8_t *encrypted_skey, uint64_t *dec_len,
+                                      char *result_str, char *s_shareG2, char *pub_keyB, uint8_t _t, uint8_t _n,
+                                      uint8_t ind) {
+    LOG_INFO(__FUNCTION__);
+    INIT_ERROR_STATE
+    uint64_t enc_len;
+    int status;
+    CHECK_STATE(encrypted_skey);
+    CHECK_STATE(result_str);
+    CHECK_STATE(s_shareG2);
+    CHECK_STATE(pub_keyB);
+    LOG_DEBUG(__FUNCTION__);
+    trustedSetEncryptedDkgPoly(&status, errString, _encrypted_poly, _enc_len);
+    CHECK_STATUS2("trustedSetEncryptedDkgPoly failed with status %d ");
+    SAFE_CHAR_BUF(skey, BUF_LEN);
+    SAFE_CHAR_BUF(pub_key_x, BUF_LEN);
+    SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
+    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    CHECK_STATUS("trustedGenerateEcdsaKey failed");
+    uint8_t type = 0;
+    uint8_t exportable = 0;
+    status = AES_decrypt(encrypted_skey, enc_len, skey, BUF_LEN, &type, &exportable);
+    skey[ECDSA_SKEY_LEN - 1] = 0;
+    CHECK_STATUS2("AES_decrypt failed (in trustedGetEncryptedSecretShareAES) with status %d");
+    *dec_len = enc_len;
+    SAFE_CHAR_BUF(common_key, BUF_LEN);
+    status = gen_session_key(skey, pub_keyB, common_key);
+    CHECK_STATUS("gen_session_key failed")
+    SAFE_CHAR_BUF(s_share, BUF_LEN);
+    status = calc_secret_share(getThreadLocalDecryptedDkgPoly(), s_share, _t, _n, ind);
+    CHECK_STATUS("calc secret share failed")
+    status = calc_secret_shareG2(s_share, s_shareG2);
+    CHECK_STATUS("invalid decr secret share");
+    SAFE_CHAR_BUF(derived_key, BUF_LEN);
+    status = hash_key(common_key, derived_key);
+    CHECK_STATUS("hash key failed")
+    derived_key[ECDSA_BIN_LEN - 1] = 0;
+    SAFE_CHAR_BUF(cypher, BUF_LEN);
+    status = xor_encrypt_v2(derived_key, s_share, cypher);
+    CHECK_STATUS("xor_encrypt failed")
+    strncpy(result_str, cypher, strlen(cypher));
+    strncpy(result_str + strlen(cypher), pub_key_x, strlen(pub_key_x));
+    strncpy(result_str + strlen(pub_key_x) + strlen(pub_key_y), pub_key_y, strlen(pub_key_y));
+    SET_SUCCESS
+    clean:
+    ;
+    LOG_INFO(__FUNCTION__ );
+    LOG_INFO("SGX call completed");
+}
 void trustedGetPublicShares(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret, uint64_t enc_len,
                               char *public_shares,
                               unsigned _t, unsigned _n) {
@@ -983,12 +1063,68 @@ void trustedDkgVerify(int *errStatus, char *errString, const char *public_shares
    SAFE_CHAR_BUF(decr_sshare, BUF_LEN);
-    status=xor_decrypt(common_key, encr_sshare, decr_sshare);
+    status = xor_decrypt(common_key, encr_sshare, decr_sshare);
    CHECK_STATUS("xor_decrypt failed")
+    status = mpz_set_str(s, decr_sshare, 16);
+    CHECK_STATUS("invalid decr secret share");
+    *result = Verification(public_shares, s, _t, _ind);
+    SET_SUCCESS
+    clean:
+    mpz_clear(s);
+    LOG_INFO(__FUNCTION__ );
+    LOG_INFO("SGX call completed");
+}
+void trustedDkgVerifyV2(int *errStatus, char *errString, const char *public_shares, const char *s_share,
+                         uint8_t *encryptedPrivateKey, uint64_t enc_len, unsigned _t, int _ind, int *result) {
+    LOG_INFO(__FUNCTION__);
+    INIT_ERROR_STATE
+    CHECK_STATE(public_shares);
+    CHECK_STATE(s_share);
+    CHECK_STATE(encryptedPrivateKey);
+    SAFE_CHAR_BUF(skey,BUF_LEN);
+    mpz_t s;
+    mpz_init(s);
+    uint8_t type = 0;
+    uint8_t exportable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN,
+                             &type, &exportable);
+    CHECK_STATUS2("AES_decrypt failed (in trustedDkgVerifyAES) with status %d");
+    SAFE_CHAR_BUF(encr_sshare, BUF_LEN);
+    strncpy(encr_sshare, s_share, ECDSA_SKEY_LEN - 1);
+    SAFE_CHAR_BUF(common_key, BUF_LEN);
+    status = session_key_recover(skey, s_share, common_key);
+    CHECK_STATUS("session_key_recover failed");
+    SAFE_CHAR_BUF(derived_key, BUF_LEN);
+    status = hash_key(common_key, derived_key);
+    CHECK_STATUS("hash key failed")
+    derived_key[ECDSA_BIN_LEN - 1] = 0;
+    SAFE_CHAR_BUF(decr_sshare, BUF_LEN);
+    status = xor_decrypt_v2(derived_key, encr_sshare, decr_sshare);
+    CHECK_STATUS("xor_decrypt failed")
-    status  = mpz_set_str(s, decr_sshare, 16);
+    status = mpz_set_str(s, decr_sshare, 16);
    CHECK_STATUS("invalid decr secret share");
    *result = Verification(public_shares, s, _t, _ind);

--- a/secure_enclave/secure_enclave.edl
+++ b/secure_enclave/secure_enclave.edl
@@ -88,10 +88,6 @@ enclave {
                                [out, count = 3072] uint8_t* decrypted_dkg_secret
                                );
        public void trustedGetEncryptedSecretShare(
                                [out]int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char *err_string,
@@ -106,6 +102,20 @@ enclave {
                                uint8_t _n,
                                uint8_t ind);
+        public void trustedGetEncryptedSecretShareV2(
+                                [out]int *errStatus,
+                                [out, count = SMALL_BUF_SIZE] char *err_string,
+                                [in, count = 3050] uint8_t* encrypted_poly,
+                                uint64_t enc_len,
+                                [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_skey,
+                                [out] uint64_t* dec_len,
+                                [out, count = 193] char* result_str,
+                                [out, count = 320] char* s_shareG2,
+                                [in, string] char* pub_keyB,
+                                uint8_t _t,
+                                uint8_t _n,
+                                uint8_t ind);
        public void trustedGetPublicShares(
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
@@ -126,6 +136,17 @@ enclave {
                                int _ind,
                                [out] int* result);
+        public void trustedDkgVerifyV2(
+                                [out] int *errStatus,
+                                [out, count = SMALL_BUF_SIZE] char* err_string,
+                                [in, string] const char* public_shares,
+                                [in, string] const char* s_share,
+                                [in, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
+                                uint64_t key_len,
+                                unsigned _t,
+                                int _ind,
+                                [out] int* result);
        public void trustedCreateBlsKey(
                                [out]int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,

--- a/stubclient.h
+++ b/stubclient.h
@@ -125,6 +125,20 @@ class StubClient : public jsonrpc::Client
                throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
        }
+        Json::Value getSecretShareV2(const std::string& polyName, const Json::Value& publicKeys, int t, int n)
+        {
+            Json::Value p;
+            p["polyName"] = polyName;
+            p["publicKeys"] = publicKeys;
+            p["n"] = n;
+            p["t"] = t;
+            Json::Value result = this->CallMethod("getSecretShareV2",p);
+            if (result.isObject())
+                return result;
+            else
+                throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
+        }
        Json::Value dkgVerification(const std::string& publicShares, const std::string& ethKeyName, const std::string& SecretShare, int t, int n, int index) 
        {
            Json::Value p;
@@ -141,6 +155,22 @@ class StubClient : public jsonrpc::Client
              throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
        }
+        Json::Value dkgVerificationV2(const std::string& publicShares, const std::string& ethKeyName, const std::string& SecretShare, int t, int n, int index)
+        {
+            Json::Value p;
+            p["ethKeyName"] = ethKeyName;
+            p["secretShare"] = SecretShare;
+            p["index"] = index;
+            p["n"] = n;
+            p["publicShares"] = publicShares;
+            p["t"] = t;
+            Json::Value result = this->CallMethod("dkgVerificationV2",p);
+            if (result.isObject())
+              return result;
+            else
+              throw jsonrpc::JsonRpcException(jsonrpc::Errors::ERROR_CLIENT_INVALID_RESPONSE, result.toStyledString());
+        }
        Json::Value createBLSPrivateKey(const std::string & blsKeyName, const std::string& ethKeyName, const std::string& polyName, const std::string& SecretShare, int t, int n) 
        {
          Json::Value p;

--- a/testw.cpp
+++ b/testw.cpp
--- a/testw.py
+++ b/testw.py
@@ -31,6 +31,7 @@ print("Top directory is:" + topDir)
 testList = ["[first-run]",
            "[second-run]",
            "[many-threads-crypto]",
+            "[many-threads-crypto-v2]",
            "[backup-restore]",
            "[cert-sign]",
            "[get-server-status]",
@@ -45,12 +46,16 @@ testList = ["[first-run]",
            "[bls-key-encrypt]",
            "[dkg-aes-gen]",
            "[dkg-aes-encr-sshares]",
+            "[dkg-aes-encr-sshares-v2]",
            "[dkg-api]",
+            "[dkg-api-v2]",
            "[dkg-bls]",
+            "[dkg-bls-v2]",
            "[dkg-poly-exists]",
            "[dkg-aes-pub-shares]",
            "[aes-encrypt-decrypt]",
-            "[aes-dkg]"
+            "[aes-dkg]",
+            "[aes-dkg-v2]"
            ]