commonware_cryptography::bls12381

Module dkg

Source
Expand description

Distributed Key Generation (DKG) and Resharing protocol for the BLS12-381 curve.

This crate implements a Distributed Key Generation (DKG) and Resharing protocol for the BLS12-381 curve. Unlike many other constructions, this scheme only requires participants to publicly post shares during a “forced reveal” (when a given dealer does not distribute a share required for a party to recover their secret). Outside of this reveal, all shares are communicated directly between a dealer and recipient over an encrypted channel (which can be instantiated with https://docs.rs/commonware-p2p).

The DKG is based on the “Joint-Feldman” construction from “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems” (GJKR99) and resharing is based on the construction provided in “Redistributing secret shares to new access structures and its applications” (Desmedt97).

§Protocol

The protocol has two types of participants: the arbiter and contributors. The arbiter serves as an orchestrator that collects commitments, acks, complaints, and reveals from contributors and replicates them to other contributors. The arbiter can be implemented as a standalone process or by some consensus protocol. Contributors are the participants that deal shares and commitments to other contributors in the protocol.

Because the target use case for this protocol is a blockchain, the protocol is designed to maintain a 2f + 1 threshold over 3f + 1 participants across any reshare (including reshares with a changing contributor set) where 2f + 1 contributors are online and honest (although the threshold can be arbitrarily configured). To achieve this, the protocol sacrifices responsiveness and instead relies on “timeouts” that all online and honest contributors are expected to communicate within. To provide a “feeling” of responsiveness, the protocol can be implemented with block height-based timeouts over an optimistically responsive protocol.

Whether or not the protocol succeeds in a given round (i.e. 2f + 1 participants are not online and honest), all contributors that do not adhere to the protocol will be identified and returned. If the protocol succeeds, the contributions of any contributors that did not adhere to the protocol are excluded (and still returned). It is expected that the set of contributors would punish/exclude “bad” contributors prior to a future round.

§Arbiter

§[Phase 0] Step 0: Collect Commitments

In the first phase, the arbiter collects randomly generated commitments from all contributors. If the arbiter is instantiated with a polynomial (from a previous DKG/Reshare), it will enforce all generated commitments are consistent with said polynomial. The arbiter, lastly, enforces that the degree of each commitment is threshold - 1.

Any contributors that do not submit a commitment before the timeout or submit an invalid commitment are disqualified.

If there are not at least threshold valid commitments (or previous.degree + 1 commitments in resharing), the arbiter will abort the protocol.

§[Phase 0] Step 1: Distribute Valid Commitments

After the Phase 0 timeout, the arbiter sends all valid commitments to all qualified contributors (this can be implemented as a read operation on a blockchain and does not actually need to be a network message).

§[Phase 1] Step 2: Collect Acks and Complaints

After distributing valid commitments, the arbiter will listen for acks and complaints from qualified contributors. An “ack” is a message indicating that a given contributor has received a valid share from a dealer (does not include encrypted or plaintext share material). A “complaint” is a signed share from a given dealer that is invalid (signing is external to this implementation). If the complaint is valid, the dealer that sent it is disqualified. If the complaint is invalid (it is a valid share), the recipient is disqualified. Because all shares must be signed by the contributor that generates them and this signature is over the plaintext share, there is no need to have a “justification” phase where said contributor must “defend” itself.

Any commitments without at least threshold - 1 acks (dealers don’t need to ack their own commitment) are disqualified. Contributors that are missing more than (threshold - 1)/2 shares (on commitments with at least threshold - 1 acks) are disqualified (revealing this many shares could allow an adversary to reconstruct the secret).

If there are not at least threshold valid commitments (or previous.degree + 1 commitments in resharing), the arbiter will abort the protocol.

§[Phase 1] Step 3 (Optional): Request Reveals

After the Phase 1 timeout, the arbiter will send a request to contributors of any commitments with at least threshold - 1 acks for qualified contributors that have not yet sent an ack for said commitment.

If there are no such requests, the arbiter will proceed directly to step 5 (without waiting for a timeout).

If there are such requests, the arbiter will proceed to step 4.

§[Phase 2] Step 4 (Optional): Collect Reveals

Collect reveals that match any requests from Step 3. If a valid reveal for a commitment is not sent before the timeout or the reveal is invalid, the arbiter will disqualify the commitment.

§[Phase 2] Step 5: Finalize Commitments and Distribute Reveals

After Step 2 (or 4), the arbiter will forward all commitments with at least threshold - 1 acks to all qualified contributors (and any accompanying reveals). The arbtier will then recover the new group polynomial using all valid commitments, if a DKG, or the first threshold commitments (sorted by participant identity), if a reshare.

§Contributor

§[Phase 0] Step 0 (Optional): Generate Shares and Commitment

If a contributor is joining a pre-existing group (and is not a dealer), it proceeds to Step 2.

Otherwise, it generates shares and a commitment. If it is a DKG, the commitment is a random polynomial with degree of threshold - 1. If it is a reshare, the commitment must be consistent with the previous group polynomial. The contributor generates the shares and commitment for Step 1 and sends the commitment to the arbiter.

§[Phase 0] Step 1 (Optional): Distribute Shares

After receiving qualified commitments from the arbiter, the contributor (if qualified) will distribute shares to all other contributors (ordered by participant identity).

§[Phase 1] Step 2: Submit Acks/Complaints

After receiving a share from a qualified contributor, the contributor will send an “ack” to the arbiter if the share is valid (confirmed against commitment) or a “complaint” if the share is invalid.

The contributor will not send an “ack” for its own share (if it is a qualified contributor).

§[Phase 2] Step 3 (Optional): Respond to Reveal Requests

If a contributor receives a “request” from the arbiter to reveal a share, it will do so. Even if it knows it sent said share to said contributor, it is possible that this contributor is malicious and chose not to “ack” it (this should not be a penalty for the contributor that must reveal).

§[Phase 2] Step 4 (Optional): Collect Reveals, Recover Group Polynomial, and Derive Share

If the round is successful, the arbiter will forward the valid commitments and any reveals required to construct shares for the new group polynomial (which shares the same constant term if it is a reshare). Like above, the contributor will recover the group polynomial. Unlike above, the contributor will also recover its new share of the secret (rather than just adding all shares together).

§Example

For a complete example of how to instantiate this crate, checkout commonware-vrf.

Modules§

  • Orchestrator of the DKG/Resharing procedure.
  • Participants in a DKG/Resharing procedure that hold a share of the secret.
  • Stateless operations useful in a DKG/Resharing procedure.
  • Utilities for a DKG/Resharing procedure.

Enums§