perfaram
commented
6 years ago Not that I understand all the implications of this, but https://hal.inria.fr/hal-00983149v1/document states :
While very efficient (as only one round is needed in the absence of faulty players), this [the Joint-Feldman] protocol is known [41] not to guarantee the uniformity of the resulting public key. Indeed, even a static adversary can bias the distribution by corrupting only two players. Nonetheless, the adversary does not have much control on the distribution of the public key and Pedersen’s protocol can still be safely used in some applications, as noted by Gennaro et al. [42, 43]. For example, it was recently utilized by Cortier et al. [21] in the context of voting protocols.
The question is, do the some applications include whatever dfinity does with this DKG lib, or not ?
For reference :
- [41] and [43] reference the paper you linked to ;
- [42] is
R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin. Secure applications of Pedersen’s distributed key generation protocol. In CT-RSA ’03, LNCS 2612, pp. 373–390, 2003. - [21] is
V. Cortier, D. Galindo, S. Glondu, M. Izabachène. Distributed ElGamal à la Pedersen: Application to Helios. In WPES ’13, pp. 131–142, 2013.
wanderer
gorgos
Do you implement DKG protocol or Joint-Feldman protocol? I have read an article "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems" by Gennaro Rosario ... https://link.springer.com/content/pdf/10.1007%2F3-540-48910-X_21.pdf I have read your code and I think that you have implemented Joint-Feldman protocol(figure 1 in article above). "An insecure solution for distributed generation of secret keys" - words about Joint-Feldman protocol in this article. I think that DKG protocol(figure 2 in article above) - is more secure than Joint-Feldman. "Secure distributed key generation in discrete–log based systems" - words about DKG protocol in this article