nikkolasg
commented
4 years ago Hi,
You are right, good eye! However, let me add in some context:
- Unfortunately, Pedersen DKG requires synchronous communication model with a broadcast channel. That is very hard to do in practice: reliable broadcast or consensus / blockchain. In the case where we don't have this broadcast channel, the attacker can still send any commitment in the clear to any party, not necessarily the same, leading back to the same case as here. Nevertheless, you are probably right we should still expose it in the API as an uncrypted field in the Deal.
- Due to this limitation of the model, we/I plan to hopefully move towards an asynchronous DKG which use a relaxed network model. In that case, there's not gonna be any need to rely on the attacker correctly broadcasting any values.
Gonna open up an issue for revealing the commitment. Thanks !
SK0M0R0H
Robingoumaz
Hello! According to the original papers, a dealer of the VSS/DKG schemes has to broadcast polynomials commitments (Deal.Commitments in Kyber). In Kyber, these commitments are encrypted together with deals. So a malicious party can send different deals (given from different polynomials) to different parties. For Rabin's DKG, it will be revealed in the second phase. But in the original version, this would have been revealed in the first phase and the party would not have got into the QUAL set. Maybe I missed something, why did you change this "broadcast rule"?