GG20 DKG Related Issues

[notbdu]

Have been trying to integrate the gg20 dkg implementation into a distributed service and wanted to raise a few things.

• DkgParticipant has no external CTOR a calling lib can use
  • Ended up adding one in our fork
• DkgRound2P2PSend's xij is private and cannot be serialized
  • Ended up exposing this so it can be serialized but feels like its unsafe to share in unencrypted form
• Didn't see any usage of the paillier encryption key in the keygen spec. Does xij needed to be encrypted?
  • It looks like the swingby's forked tss-lib implementation encrypts the share: https://github.com/SwingbyProtocol/tss-lib/blob/668d0061fadf08bf2ba9f7e9287516fc173b6b9c/ecdsa/keygen/round_3.go#L127-L133

[mikelodder7]

Xij can be made public so it can be serialized. You should encrypt everything sent between participants since the paper states its only secure in the presence of a secure channel.

[mvrshvl]

@notbdu Hello! Faced the same problem. Please help, Were you able to make a signer from the DKG result?? In my case, round 3 ends with an error. I will be glad for your help!

func (f *Flow) DKGToSigner(dkg *participant.DkgResult) (*participant.Signer, error) {
    encryptKeys := make(map[uint32]*paillier.PublicKey)
    proofParams := make(map[uint32]*dealer.ProofParams)
    pubShares := make(map[uint32]*dealer.PublicShare)

    cosigners := []uint32{
        f.index,
    }
    // result of 1 round from this player
    r1Bcast := f.R1.GetBcast()

    proofParams[f.index] = &dealer.ProofParams{
        N:  r1Bcast[f.index].Ni,
        H1: r1Bcast[f.index].H1i,
        H2: r1Bcast[f.index].H2i,
    }

    for id, pk := range dkg.ParticipantData {
        encryptKeys[id] = pk.PublicKey
        proofParams[id] = pk.ProofParams

        cosigners = append(cosigners, id)
    }

    for i, point := range dkg.PublicShares {
        pubShares[uint32(i+1)] = &dealer.PublicShare{Point: point}
    }

    field := curves.NewField(f.dkgParticipant.Curve.Params().N)

    share := v1.NewShamirShare(f.index, dkg.SigningKeyShare.Bytes(), field)

    publicShare, err := curves.NewScalarBaseMult(f.dkgParticipant.Curve, share.Value.BigInt())
    if err != nil {
        return nil, err
    }

    return participant.NewSigner(&dealer.ParticipantData{
        Id:         f.index,
        DecryptKey: dkg.EncryptionKey,
        SecretKeyShare: &dealer.Share{
            ShamirShare: share,
            Point:       publicShare,
        },
        EcdsaPublicKey: dkg.VerificationKey,
        KeyGenType:     dealer.DistributedKeyGenType{ProofParams: proofParams},
        PublicShares:   pubShares,
        EncryptKeys:    encryptKeys,
    }, cosigners)
}