Goal of this note is to extend $n\text{-out-of-}n$ CGGMP '21 key refresh to $t\text{-out-of-}n$ CGGMP '21
For notation and how keygen works please see: #2
There are two sets of secret values from keygen the $u_i$'s and the $x_i$'s. The $u_i$'s are an $n\text{-out-of-}n$ additive secret sharing of the secret key $x$ and the $x_i$'s are a $t\text{-out-of-}n$ Shamir secret sharing of the secret key $x$.
An attacker that compromises EITHER of these sets of values will learn the secret $x$. We can add to the keygen protocol for each party to delete the $u_i$'s since they are not used in presigning/signing. Things are secure even if one party deletes this toxic waste.
We can refresh the $x_i$'s using Foque-Stern DKR.
fs-dkr-notes.pdf
Another way to key refresh
Let the $t-1$ degree polynomial that can be reconstructed by any $t$ $x_i$'s be $p$.
Each party Feldman VSS shares $0$. So party $i$ receives $p1(i),...,p{i-1}(i), p_{i+1}(i)...p_n(i)$, where each $p_j$ is a random $t-1$-degree polynomial with constant term $0$.
Each party makes its new $x_i := xi + \sum{j} p_j(i) = (p+p_1+...p_n)(i)$. Note $(p+p_1+...+p_n)$ is a $t-1$-degree polynomial with constant term equal to the secret key $x$, as desired. The new $X_i=g^{x_i}$ are now also public. Each party provides a Schnorr proof that it knows $x_i$ (the discrete log of $X_i$).
Goal of this note is to extend $n\text{-out-of-}n$ CGGMP '21 key refresh to $t\text{-out-of-}n$ CGGMP '21
For notation and how keygen works please see: #2
There are two sets of secret values from keygen the $u_i$'s and the $x_i$'s. The $u_i$'s are an $n\text{-out-of-}n$ additive secret sharing of the secret key $x$ and the $x_i$'s are a $t\text{-out-of-}n$ Shamir secret sharing of the secret key $x$.
An attacker that compromises EITHER of these sets of values will learn the secret $x$. We can add to the keygen protocol for each party to delete the $u_i$'s since they are not used in presigning/signing. Things are secure even if one party deletes this toxic waste.
We can refresh the $x_i$'s using Foque-Stern DKR. fs-dkr-notes.pdf
Another way to key refresh
Let the $t-1$ degree polynomial that can be reconstructed by any $t$ $x_i$'s be $p$.
Each party Feldman VSS shares $0$. So party $i$ receives $p1(i),...,p{i-1}(i), p_{i+1}(i)...p_n(i)$, where each $p_j$ is a random $t-1$-degree polynomial with constant term $0$.
Each party makes its new $x_i := xi + \sum{j} p_j(i) = (p+p_1+...p_n)(i)$. Note $(p+p_1+...+p_n)$ is a $t-1$-degree polynomial with constant term equal to the secret key $x$, as desired. The new $X_i=g^{x_i}$ are now also public. Each party provides a Schnorr proof that it knows $x_i$ (the discrete log of $X_i$).