Fixes #38.

The final formula I ended up deciding on was:

```
// s_i is the secret share for that party
hk = BLAKE3-KDF(s_i)
a = random()
(d_i, e_i) = BLAKE3-KEYED(hk, ssid || m || a)
```

You could probably also just use `s_i` directly instead of deriving a hashing key, and then using a keyed hash. My reasoning for doing it this way is that a common principle in crypto is to use a key or secret for one purpose.