Closed DmytroTym closed 2 years ago
This is a big PR so please take your time to review it. A couple of comments:
Alice's range proofs are added to the protocol in the simplest possible way: parties playing as Alice prove the statement using the other parties' h1,h2,N_tilde and everyone verifies all the proofs (PDLwSlackProofs in round 5 work in the same way at the moment). This makes computational complexity high and, assuming that a single set of parameters h1,h2,N_tilde is not possible, one way of reducing this complexity is to verify proofs the same way the tofn library does it. Namely, parties only verify proofs with their own parameters, and if anyone's proof did not check out, a blame message is transmitted instead of the normal protocol proceeding. Upon seeing the blame message, all parties verify the relevant proofs and either identify the faulty proof or the incorrect accusation.

Bob's proofs are implemented, but not added to the protocol yet, as I'm not sure if you want them added at this point.

As for the last fix: my earlier PR https://github.com/ZenGo-X/multi-party-ecdsa/pull/134 contained a bug: clearly, parties that verify the dlog between h1 and h2 and vice versa should use the same values for the two DLogStatements. In my implementation, however, the verifier verified the dlog proofs using two separate DLogStatements provided by the prover. Sorry for that, fixed now.
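The verify-locally-then-blame flow described in the PR text above, as an added example that is not part of this PR or of the multi-party-ecdsa code base. A toy sigma-protocol proof over a small prime field stands in for the range proof (and the prime for N_tilde); each party verifies only the proofs made under its own parameters, a failing proof produces a blame message, and all parties then re-verify the single disputed proof to decide between a faulty proof and a false accusation. The Params/Proof/Blame/Verdict types, the run_round helper, the party indices and the witness values are this example's own constructions; the hash and the parameters are insecure placeholders.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Added example, not code from this PR or the multi-party-ecdsa crate. A small prime field stands in
// for the RSA group mod N_tilde and SipHash for the Fiat-Shamir hash: insecure toy parameters.
const P: u64 = 1_000_000_007; // prime modulus (stand-in for N_tilde)
const Q: u64 = P - 1; // order of Z_P^*; exponents are reduced mod Q

fn mulm(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

fn powm(mut base: u64, mut e: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while e > 0 {
        if e & 1 == 1 { acc = mulm(acc, base); }
        base = mulm(base, base);
        e >>= 1;
    }
    acc
}

/// A party's own ZK parameters (h1, h2) over P, playing the role of (h1, h2, N_tilde).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct Params { h1: u64, h2: u64 }

/// Stand-in Fiat-Shamir challenge: deterministic, but DefaultHasher is NOT a cryptographic hash.
fn challenge(items: &[u64]) -> u64 {
    let mut h = DefaultHasher::new();
    items.hash(&mut h);
    h.finish() % Q
}

/// Proof of knowledge of an opening (m, rho) of z = h1^m * h2^rho under the VERIFIER's parameters
/// (the commitment core of a range proof, with the range argument itself omitted).
#[derive(Clone, Copy, Debug)]
struct Proof { z: u64, u: u64, s1: u64, s2: u64 }

fn prove(vp: &Params, m: u64, rho: u64, alpha: u64, beta: u64) -> Proof {
    let z = mulm(powm(vp.h1, m), powm(vp.h2, rho));
    let u = mulm(powm(vp.h1, alpha), powm(vp.h2, beta));
    let c = challenge(&[vp.h1, vp.h2, z, u]);
    let s1 = ((alpha as u128 + c as u128 * m as u128) % Q as u128) as u64;
    let s2 = ((beta as u128 + c as u128 * rho as u128) % Q as u128) as u64;
    Proof { z, u, s1, s2 }
}

fn verify(vp: &Params, p: &Proof) -> bool {
    let c = challenge(&[vp.h1, vp.h2, p.z, p.u]);
    mulm(powm(vp.h1, p.s1), powm(vp.h2, p.s2)) == mulm(p.u, powm(p.z, c))
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct Blame { accuser: usize, accused: usize }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Verdict { FaultyProof(usize), FalseAccusation(usize) }

type Table = Vec<Vec<Option<Proof>>>; // [i][j]: proof from party i to party j under params[j]

/// Normal path: party j checks only the proofs addressed to it and blames any that fail.
fn local_check(j: usize, params: &[Params], proofs: &Table) -> Vec<Blame> {
    (0..params.len())
        .filter(|&i| i != j && !verify(&params[j], &proofs[i][j].expect("proof i->j")))
        .map(|i| Blame { accuser: j, accused: i })
        .collect()
}

/// Blame path: everyone re-verifies the one disputed proof under the accuser's public parameters.
fn adjudicate(b: &Blame, params: &[Params], proofs: &Table) -> Verdict {
    let disputed = proofs[b.accused][b.accuser].expect("disputed proof");
    if verify(&params[b.accuser], &disputed) { Verdict::FalseAccusation(b.accuser) } else { Verdict::FaultyProof(b.accused) }
}

/// One round with n parties. `tamper` corrupts proof i->j (bad prover); `false_blame` injects an accusation (bad accuser).
fn run_round(n: usize, tamper: Option<(usize, usize)>, false_blame: Option<Blame>) -> Vec<Verdict> {
    // Constructed parameters; in the protocol each party generates its own (h1, h2, N_tilde).
    let params: Vec<Params> = (0..n).map(|k| Params { h1: 2 + 3 * k as u64, h2: 5 + 7 * k as u64 }).collect();
    let mut proofs: Table = vec![vec![None; n]; n];
    for i in 0..n {
        let (m, rho) = (challenge(&[i as u64, 1]), challenge(&[i as u64, 2])); // constructed witness
        for j in (0..n).filter(|&j| j != i) {
            let (alpha, beta) = (challenge(&[i as u64, j as u64, 3]), challenge(&[i as u64, j as u64, 4]));
            proofs[i][j] = Some(prove(&params[j], m, rho, alpha, beta));
        }
    }
    if let Some((i, j)) = tamper {
        let mut bad = proofs[i][j].expect("proof i->j");
        bad.s1 = (bad.s1 + 1) % Q; // response no longer matches the commitment
        proofs[i][j] = Some(bad);
    }
    let mut blames: Vec<Blame> = (0..n).flat_map(|j| local_check(j, &params, &proofs)).collect();
    blames.extend(false_blame);
    blames.iter().map(|b| adjudicate(b, &params, &proofs)).collect()
}

fn main() {
    println!("honest: {:?}", run_round(3, None, None));
    println!("bad prover: {:?}", run_round(3, Some((2, 0)), None));
    println!("bad accuser: {:?}", run_round(3, None, Some(Blame { accuser: 1, accused: 2 })));
}
```

The point of the split is the cost asymmetry: on the normal path each party performs n-1 verifications (one per incoming proof) instead of verifying every proof made for every other party, and the blame path costs each party one extra verification per disputed proof. Adjudication is only possible because the accuser's parameters are public, so any party can rerun exactly the check the accuser claims failed; that is also why a blame message must name the specific proof and not just the prover.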
Haven't reviewed the implementation of the range proofs
Yeah, I guess accepting such a sizeable contribution from outside might be scary. This code, however, is a modification of ING Bank's implementation, which can be found here: https://github.com/ing-bank/threshold-signatures/blob/master/src/algorithms/zkp.rs. As such, it has been audited by Kudelski. After I finished, I checked one more time that all the computations are the same (except for those which we know should not be).