Open fjarri opened 1 year ago
rid
, by saving it as init_id
in key shares - a value that is the same for all shares created in a KeyInit run. The question still remains:Can it be replaced by just hashing all the public shares created in KeyInit?
If the answer to this question is yes, there is a follow-up:
Can it be completely removed from KeyInit protocol, seeing as how it is already hashed alongside
u_i
andX_i
which are random?
share_set_id
which is supposed to be updated after each KeyRefresh (but still be the same for every keyshare produced by the refresh). Combined with shared_randomness
it is used where ssid
is used in the paper and (as far as I can tell) includes all the info ssid
includes.
Session IDs and sub-session IDs for the protocols need a review. We need to make sure that:
To be more specific (see Fig 3 for the outline):
The KeyGen protocol (Fig. 5) depends on some unspecified session ID
sid
(which is included in the hashes), and produces a randomrid
value (same for every node). Note thatsid
in the paper includes the curve parameters (which are currently fixed), and the sorted list of party IDs. Would it be enough to just have a randomsid
?The AuxData protocol (Fig. 6) depends on
ssid = sid + rid + [X] + i
where[X]
are the public key shares andi
is the number of the party. But[X]
andi
are included in the hash along withssid
, andrid
already corresponds to the generated[X]
, so I think we can takessid = sid + rid
. But since we may have to run AuxData many times (refreshing the key shares), we probably don't want to use the samessid
every time? Should we just make it entirely random? Or make itssid = sid + rid + nonce
(or a hash thereof), wherenonce
is incremented?The Presigning protocol (Fig. 7) should correspond to the parameters generated in AuxData, so it should depend on
ssid
, and also on somenonce
value (which is denoted\ell
in the paper) because we may run it many times for the same AuxData parameters. Who keeps and increments the nonce? Probably the user should take care of that?