This PR implements the Tshare protocol, which is responsible for transforming additive shares into Shamir shares. Beyond, a non-interactive transformation is provided to compute a t-out-of-t share, such that participants can obtain new shares that can be used in the remaining phases of the protocol.
In particular, Tshare works as follows:
Input:
The threshold t of parties needed to reconstruct the shared secret.
The auxiliary information for encryption.
Optionally, an existing n-out-of-n share to be converted to t-out-of-n. Otherwise, a random secret is generated.
Rounds 1:
Each participant generates a random polynomial of degree threshold - 1.
Alternatively, set an existing additive share as the constant term.
Each participant commits to their polynomial and a Schnorr proof.
Rounds 2:
Each participant decommits the public form of their polynomial and Schnorr proofs.
Rounds 3:
Each participant shares a private evaluation of the polynomial with each of the other participants.
Output:
The public commitment to the shared polynomial. It is represented in coefficients form in the exponent (EC points). The constant term corresponds to the shared value. This can be used to evaluate the commitment to the share of any participant.
The private evaluation of the shared polynomial for our participant. t of those can reconstruct the secret.
This PR implements the Tshare protocol, which is responsible for transforming additive shares into Shamir shares. Beyond, a non-interactive transformation is provided to compute a t-out-of-t share, such that participants can obtain new shares that can be used in the remaining phases of the protocol.
In particular, Tshare works as follows:
Input:
tof parties needed to reconstruct the shared secret.Rounds 1:
threshold - 1.Rounds 2:
Rounds 3:
Output:
tof those can reconstruct the secret.