Currently only the recipients of DkgPrivateShares can verify that they have received correct shares. This is because the shares are encrypted to the recipients using symmetric encryption, with a Diffie-Hellman shared secret key. The protocol allows recipients to prove that a share is bad using a Chaum-Pedersen proof of the shared secret, which then allows anyone to verify that the share does not match the public polynomial of the sender.
It would be better if the DkgPrivateShares were publicly verifiable; this would allow the Coordinator to verify DkgPrivateShares before sending DkgEndBegin, so byzantine actors will be quickly marked as malicious and prevented from slowing the protocol. DKG can be robust in the face of anything but bad connectivity or non-participation.
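The complaint flow described above (a recipient reveals the Diffie-Hellman secret with a Chaum-Pedersen proof, after which anyone can test the share against the sender's public polynomial), as an added example that is not the project's own code. It assumes a toy Schnorr group that is far too small for real use and an additive pad as a stand-in for the symmetric cipher; all function names are hypothetical.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, insecure size): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def h(*vals):
    """Hash values to a scalar mod Q (Fiat-Shamir challenge / toy key derivation)."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(coeffs):
    """Sender's public polynomial: one commitment G^a_j per coefficient."""
    return [pow(G, a, P) for a in coeffs]

def share_matches(commitments, i, share):
    """Public check of a plaintext share: G^share == prod C_j^(i^j)."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected

def mask(share, dh_secret):
    """Stand-in for the symmetric cipher: add a pad derived from the DH secret."""
    return (share + h("pad", dh_secret)) % Q

def unmask(ct, dh_secret):
    return (ct - h("pad", dh_secret)) % Q

def cp_prove(x, base2):
    """Chaum-Pedersen: prove log_G(G^x) == log_base2(base2^x) without revealing x."""
    r = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, r, P), pow(base2, r, P)
    c = h(G, base2, pow(G, x, P), pow(base2, x, P), a1, a2)
    return a1, a2, (r + c * x) % Q

def cp_verify(pub, base2, k, proof):
    """Check that k = base2^x for the same x behind pub = G^x."""
    a1, a2, z = proof
    c = h(G, base2, pub, k, a1, a2)
    return (pow(G, z, P) == a1 * pow(pub, c, P) % P
            and pow(base2, z, P) == a2 * pow(k, c, P) % P)

def complaint_valid(commitments, i, ct, recipient_pub, sender_pub, k, proof):
    """Third-party check: k is the real DH secret AND the decrypted share is bad."""
    if not cp_verify(recipient_pub, sender_pub, k, proof):
        return False  # complainer lied about the shared secret
    return not share_matches(commitments, i, unmask(ct, k))
```

Until a recipient publishes `k` and the proof, nobody else can run `share_matches` on the ciphertext, which is the gap the proposal addresses.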