[SPEC] Presigning and Signing

[akileshtangella]

Presigning and Signing SPEC

Ring-Pedersen Parameters

Unlike in the key refresh presented in the CGGMP '21 paper, FS-DKR does not result in each party having ring-Pedersen parameters. So this is something we have to append to our protocol.

It makes sense to append this to FS-DKR itself. We also need a ZK that the parameters are generated properly:

Presigning and Signing SPECs

The steps for pre-signing and signing are specified clearly in the CGGMP '21 paper.

What is missing from these SPECs

What is missing from these screenshots is how actually to implement the non-interactive zero-knowledge proofs (NIZKs), but this is also given in the paper. So we provide more screenshots.

In pre-signing round 1, we need:

In pre-signing rounds 2 and 3 we additionally need:

In pre-signing round 4, we additionally need:

In signing, we additionally need:

How to make these zero-knowledge proofs non-interactive:

All of the ZKs screenshotted above are three-move protocols. That is, they are interactive. We need to make them non-interactive.

ZKP Checklist

• [x] Implement ring-Pedersen parameter generation and ZKP
• [ ] Implement Paillier Encryption in Range ZKP (enc)
• [ ] Implement Paillier Affine Operation with Group Commitment ZKP (aff-g)
• [ ] Implement Knowledge of Exponent Assumption vs. Paillier Encryption ZKP (log*)
• [ ] Implement Paillier Multiplication ZKP (mul)
• [ ] Implement Paillier Decryption modulo q ZKP (dec)
• [ ] Implement Multiplication Paillier vs Group ZKP (mul*)

[drewstone]

If we are going to need ring pedersen parameters, then we should replace those with the current PDL parameters we're using. AFAIK they are quite similar. Also, we may be able to swap the Ring-pedersen proof with the PDL proof too, unless those params are strictly used as is throughout the protocol.