Closed msgmaxim closed 2 years ago
@msgmaxim do we want to PR this into the design-documentation
repo and close out this issue?
Yeah, I will do that
This is now included in https://github.com/chainflip-io/design-documentation/pull/90, so closing it here.
DKG (Distributed Key Generation)
The protocol is based on Pedersen's distributed key generation scheme (Pedersen, 1991). We acknowledge a potential weakness of the scheme (which allows a malicious party to hand craft
u_i
after having seen the commitments from other players and thus influence the aggregate public keyy
to some degree), however we rely on the result in Gennaro, 2003 proving the scheme nonetheless secure. The alternative would be to introduce an additional round, where parties first commit tou_i
before revealing it.Reliable Broadcast Channel
The original scheme assumed a reliable broadcast channel. We can't make this assumption, so we simulate broadcasting with p2p connections as follows.
P_i
wants to "broadcast" dataD_i
. They distributeD_ij
(presumablyD_i = D_ij
) to all other partiesP_j
(j != i
).P_j
and distributes(i, D_ij)
to all other partiesP_k
(k != j)
P_k
now holds N "votes" for what the value ofD_i
was. If there is a majority agreement,P_k
setsD_i
to that value, other wise the protocol is aborted inP_i
is blamed.Ceremony
Consider a ceremony where
N
parties(P_1, ... P_N)
want to generate a shared secret key that could be reconstructed by anyt
members of the original set.Phase 1: Broadcast commitments and distribute secret shares.
P_i
samples a random secretu_i
and setsy_i = G * u_i
.P_i
generates a sharing polynomialf_i(u)
of degreet-1
such thatf_i(0) = u_i
and splits the private secretu_i
intot
shares by evaluatingf_i(u)
at different non-zero indexesindex_vec = [1..=N]
(according to the Shamir Secret Sharing Scheme).P_i
commits to the coefficients off_i(u)
by multiplying each by the group's generatorG
to obtainC_i
. Note thaty_i = G * f_i(0)
.Communication round: "broadcast"
C_i = commitments
; privately sendSS_ij = secret_shares[j]
to each partyj
Phase 2: Verify broadcast values
C_i
is verified accoring to the "Reliable Broadcast Channel" protocol above.Communication round: send
(i, H_ij)
for eachi
to all partiesPhase 3: Verify secret shares, broadcast results
P_i
verifies the shares sent to them in secret from partyP_j
:If all secret shares received by
P_i
are valid,P_i
broadcastsOK
message to other parites. Otherwise,P_i
broadcasts a complaint against all misbehaving parties.Note: We want a *reliable* broadcast here, so there is no confusion between nodes as to whether a ceremony was successful, and which nodes are misbehaving when it wasn't. Also, we would like to avoid the scenario where an honest party is not told that it is being blamed and doesn't know to respond as a result.
Phase 4: Verify the broadcasting of results
Communication round: send
(i, H_ij)
for eachi
to all partiesPhase 5: Check for complaints
P_i
checks for complaints from other parites. If all messages areOK
, the ceremony is considered to have been performed correctly. If not, we enter the blaming phase.Most of the time we won't need to go beyond this point
P_i
receiving a complaint fromP_j
aboutP_k
means that eitherP_j
orP_k
are misbehaving. There is no way to find out which party is wrong, but there is a way to recover which is outlined below.Phase 6: Response of blamed parties
P_k
is blamed byP_j
, it revealsSS_kj
to all other parties to avoid being reported to SC.Communication round: blamed parties
P_k
"broadcast"SS_kj
for every challengerP_j
.Note: We want a *reliable* broadcast here, so the blamed parties could not avoid getting slashed and still disrupt the protocol (e.g. by only responding to one half of all parties).
P_i
receives a response, it verifies the secret shareSS_kj
(the same way as in Phase 3). If the response is invalid (or the response times out), the party is reported to SC. Otherwise,P_i
sendsSS_kj
to the blaming partyP_j
.Communication round: Each node sends secret share response
SS_kj
to the blaming partyP_j
(for every pair blamer/blameeP_j
/P_k
).P_j
hold the valid share and is able to sign. (Just one correct response is enough, no need for a majority).Random implementation remarks