hot-stuff / libhotstuff

A general-purpose BFT state machine replication library with modularity and simplicity, suitable for building hybrid consensus cryptocurrencies.
Apache License 2.0

Threshold Signatures #4

Open Raycoms opened 4 years ago

Raycoms commented 4 years ago

Hi,

I've been digging into the code for the past week but I couldn't find if you're actually using the threshold signature scheme.

I couldn't find the distribution of the partial signatures, and the method to compute it is actually empty:

void compute() override {}

Am I missing something?

Determinant commented 4 years ago

"Partial" signatures are distributed via votes.

Please check the paper -- at the time of writing the paper, there wasn't a fast and reliable threshold signature library available.

So we "crippled" our evaluation to use a set of secp256k1 signatures without actually saving the extra O(n) cost, and this is why compute() is empty: no extra computation is needed to "aggregate" the signatures. While it is still correct, it should be improved by offering a version that supports something like BLS. The abstract classes (with methods like compute(), as you mentioned) and templates were left for this purpose.

The signature scheme is expected to be a modular and replaceable part of HotStuff, as the protocol treats it as a black box.

While I do plan to add the support as it is easy to do, it is mostly a matter of whether there is such a robust and fast open-source library available. Feel free to discuss your discoveries and recommendations. But in the meantime, everyone is encouraged to contribute to this repo by adding support for some practical threshold signature library.

Raycoms commented 4 years ago

Oh sorry, I didn't mean partial signatures but partial keys instead. But your answer includes that too.

So you do distribute the complete set of votes instead of actually sending a single signature and you also verify the complete set of signatures on reception at each replica too for this purpose.

Determinant commented 4 years ago

That's correct if you use HotStuffSecp256k1, which is the only one available for now. There should be more options here https://github.com/hot-stuff/libhotstuff/blob/master/include/hotstuff/hotstuff.h#L310
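The design described in the two replies above (a certificate that is just the list of votes, with an empty compute() left as the aggregation hook), sketched as an added example that is not libhotstuff's code. All class and function names are hypothetical, and toy_sign is a keyed hash standing in for secp256k1, not a real signature.

```cpp
// Added illustration; all names are hypothetical, not libhotstuff's API.
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <vector>
using ReplicaID = uint16_t;

// Stand-in for a real signature such as secp256k1: a keyed std::hash.
// NOT cryptography; signer and verifier share the key only to keep this short.
uint64_t toy_sign(uint64_t key, const std::string &msg) {
    return std::hash<std::string>{}(std::to_string(key) + "|" + msg);
}

struct Vote { ReplicaID rid; uint64_t sig; };  // one replica's signature on a block hash

// Scheme-agnostic interface: the protocol only sees these three calls.
struct QuorumCertBase {
    virtual ~QuorumCertBase() = default;
    virtual void add_part(const Vote &v) = 0;
    virtual void compute() = 0;  // aggregation hook for a threshold scheme
    virtual bool verify(const std::map<ReplicaID, uint64_t> &keys, size_t nmajority) const = 0;
};

// Certificate kept as a list of signatures: nothing to aggregate, so compute()
// is empty, and both size and verification cost are O(n).
struct ListQuorumCert : QuorumCertBase {
    std::string block_hash;
    std::map<ReplicaID, uint64_t> sigs;  // keyed by signer, so a replayed vote counts once
    explicit ListQuorumCert(const std::string &h) : block_hash(h) {}
    void add_part(const Vote &v) override { sigs.emplace(v.rid, v.sig); }
    void compute() override {}
    bool verify(const std::map<ReplicaID, uint64_t> &keys, size_t nmajority) const override {
        for (const auto &p : sigs) {
            auto it = keys.find(p.first);  // reject unknown signers and bad signatures
            if (it == keys.end() || toy_sign(it->second, block_hash) != p.second) return false;
        }
        return sigs.size() >= nmajority;
    }
};

// Constructed scenario: n = 4, f = 1, nmajority = 3; replica i holds toy key 1000 + i.
bool quorum_reached(const std::vector<ReplicaID> &voters) {
    std::map<ReplicaID, uint64_t> keys;
    for (ReplicaID i = 0; i < 4; i++) keys[i] = 1000 + i;
    ListQuorumCert qc("blk");
    for (ReplicaID r : voters) qc.add_part({r, toy_sign(1000 + r, "blk")});
    qc.compute();
    return qc.verify(keys, 3);
}
```

A threshold scheme would implement the same interface, do its aggregation in compute(), and verify a single signature against one group public key.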

Raycoms commented 4 years ago

I am working on preparing code to integrate BLS signatures. However, I'm a bit confused about the difference between "PartCert" and "QuorumCert" and SigSecp256k1.

I believe SigSecp is a single signature and QuorumCert is the complete list of signatures that is necessary (at least k out of n). However, what is PartCert?

I also couldn't find where PartCert would store any signatures.

Raycoms commented 4 years ago

While I am on it.

For this I'll need two more things:

a) I need a place to generate all signatures centrally and distribute them including the master public key.
b) I need a place to store the master public key.

Where would the best place for this be?

void HotStuffBase::start to generate and ReplicaConfig to store a pointer to it?

Raycoms commented 4 years ago

In general it seems everything is very tied in with the existing signature scheme. It's loaded from file, it needs the certificate etc. As far as I can see it is not very "blackbox" atm at all.

Raycoms commented 4 years ago

More comments.

/*** end HotStuff protocol logic ***/
void HotStuffCore::on_init(uint32_t nfaulty) {

    config.nmajority = config.nreplicas - nfaulty;
    b0->qc = create_quorum_cert(b0->get_hash());
    //b0->qc->compute();
    b0->self_qc = b0->qc->clone();
    b0->qc_ref = b0;
    hqc = std::make_pair(b0, b0->qc->clone());
}

Why is there a compute on the quorum cert if we don't even have a quorum at that point yet?