jonasnick
commented
8 months ago I made some speculation that there may be the possibility at optimizing for efficiency in my comments here:
Cool! So instead of sending having the signers send the commitments to the polynomial coefficients A_{i,0}, ..., A_{i,t-1} to everyone else, they just send it to the coordinator, who would then send
A_{0,0}, ..., A_{n,0}, prod(A_{i,1}), prod(A_{i,1}), ..., prod(A_{i,t-1})i.e. n + t - 1 (EDIT: fixed) group elements back to every signer. We still need to send A_{i,0} to verify the PoK, so it's doesn't seem to be an asymptotic improvement (EDIT: fixed).
It seems plausible that this would work, since the signers are anyway only interested in their summed share and not the individual share.
LLFourn
real-or-random
Is there anything we have to recommend to people running the protocol over a central (possibly malicious) server. Examples are hardware wallets plugged into laptop, or online HTTP server which collects polynomial inputs via HTTP POST/PUT requests and parties can retrieve them using GET requests.
I made some speculation that there may be the possibility at optimizing for efficiency in my comments here: https://gist.github.com/LLFourn/7c8ac4b2058b5f24b7b5f9ce0ab56f19#page-12 In particular it could mean that only the coordinator needs to do the quadratic work of aggregating the polynomial while all the share receivers just do linear work. If we're sure that this works it might be nice to implement this.
For reference in our product we do use a coordinator and we do not just naively make it a message forwarding service -- it inspects messages and organizes them together into a final "FinishKeyGen" message that travels down the USB daisy chain to all devices (devices get redundant data like encrypted shares that are meant for others).