From d99a7b8aa240e4af1e4be5296608ded5306c90e7 Mon Sep 17 00:00:00 2001
From: Jacinta Ferrant
Date: Fri, 7 Jun 2024 09:08:26 -0400
Subject: [PATCH 1/2] Only store verified encrypted private shares within Signer
Signed-off-by: Jacinta Ferrant
---
 src/state_machine/signer/mod.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/state_machine/signer/mod.rs b/src/state_machine/signer/mod.rs
index 96fcb87..71fbe6b 100644
--- a/src/state_machine/signer/mod.rs
+++ b/src/state_machine/signer/mod.rs
@@ -1075,23 +1075,23 @@ impl Signer {
 return Ok(vec![]);
 }
- self.dkg_private_shares
- .insert(src_signer_id, dkg_private_shares.clone());
 // make a HashSet of our key_ids so we can quickly query them
 let key_ids: HashSet = self.signer.get_key_ids().into_iter().collect();
 let shared_key = self.kex_private_key * kex_public_key;
 let shared_secret = make_shared_secret(&self.kex_private_key, &kex_public_key);
-
+ let mut verified_shares = Vec::with_capacity(dkg_private_shares.shares.len());
 for (src_id, shares) in &dkg_private_shares.shares {
 let mut decrypted_shares = HashMap::new();
+ let mut encrypted_shares = HashMap::new();
 for (dst_key_id, bytes) in shares {
 if key_ids.contains(dst_key_id) {
 match decrypt(&shared_secret, bytes) {
 Ok(plain) => match Scalar::try_from(&plain[..]) {
 Ok(s) => {
 decrypted_shares.insert(*dst_key_id, s);
+ encrypted_shares.insert(*dst_key_id, bytes.clone());
 }
 Err(e) => {
 warn!("Failed to parse Scalar for dkg private share from src_id {src_id} to dst_id {dst_key_id}: {e:?}");
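Review bot: `encrypted_shares` is filled only in the innermost `Ok(s)` arm, under `if key_ids.contains(dst_key_id)`, so "verified" here means "addressed to one of our key IDs, decrypts under `shared_secret`, and parses as a `Scalar`"; nothing visible in this hunk checks a share against the sender's commitment. That definition should be written down where the vector is created, e.g. `// verified = for one of our key_ids, decrypts with shared_secret and parses as a Scalar; ciphertexts for other key_ids or that fail either step are not kept`. It is also worth confirming that no later reader of `self.dkg_private_shares` expects the ciphertext map exactly as received (for instance as evidence when a bad share is reported), since rejected ciphertexts are no longer retained. The loop body continues past the end of the hunk, so the `decrypt` error arm is not visible here.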
@@ -1114,7 +1114,16 @@ impl Signer {
 self.decrypted_shares.insert(*src_id, decrypted_shares);
 self.decryption_keys
 .insert(*src_id, (dkg_private_shares.signer_id, shared_key));
+ verified_shares.push((*src_id, encrypted_shares));
 }
+ self.dkg_private_shares.insert(
+ src_signer_id,
+ DkgPrivateShares {
+ dkg_id: dkg_private_shares.dkg_id,
+ signer_id: dkg_private_shares.signer_id,
+ shares: verified_shares,
+ },
+ );
 debug!(
 "received DkgPrivateShares from signer {} {}/{}",
 dkg_private_shares.signer_id,
From 2359205881fc5a1f0998f672aac0929342e26331 Mon Sep 17 00:00:00 2001
From: Jacinta Ferrant
Date: Fri, 27 Mar 2026 16:29:40 -0700
Subject: [PATCH 2/2] Fix formatting
Signed-off-by: Jacinta Ferrant
---
 src/state_machine/signer/mod.rs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/state_machine/signer/mod.rs b/src/state_machine/signer/mod.rs
index 71fbe6b..0d55f9a 100644
--- a/src/state_machine/signer/mod.rs
+++ b/src/state_machine/signer/mod.rs
@@ -1075,7 +1075,6 @@ impl Signer {
 return Ok(vec![]);
 }
-
 // make a HashSet of our key_ids so we can quickly query them
 let key_ids: HashSet = self.signer.get_key_ids().into_iter().collect();
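Review bot: In the `@@ -1114,7 +1114,16 @@` hunk the `self.dkg_private_shares.insert(...)` after the loop is unconditional and `verified_shares.push` runs for every `src_id`, so a sender whose shares all failed decryption or parsing still gets an entry, just with empty maps. If code outside this hunk treats the presence of `src_signer_id` in `self.dkg_private_shares` as "this signer delivered usable shares" (the `debug!` that follows appears to report a count, though its remaining arguments are cut off), such a sender would still be counted as having delivered. Either push only non-empty results, `if !encrypted_shares.is_empty() { verified_shares.push((*src_id, encrypted_shares)); }`, and skip the insert when `verified_shares` ends up empty, or add a comment at the insert stating that an entry may hold no shares and that callers must check contents rather than presence. The `self.decrypted_shares.insert` and `self.decryption_keys.insert` context lines just above are likewise unconditional and unchanged by this commit.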