DKG Share Recovery

DKG in a few lines

Each node \(i\):

  • has a private polynomial \[f_i(x) = a_0 + ... + a_{t-1}x^{t-1}\]
  • derives the public polynomial from it \[F_i(x) = f_i(x) * G\]
  • generates shares for the others \[s_{i,j} = f_i(j)\]
  • then sums each share it receives (from QUALified participants) plus its own:
    • final share is \[s_i = \sum_j s_{j,i}\]
    • final public polynomial \[F(x) = \sum_i F_i(x)\]

Adding a new one

New recipient's public key: \[P = xG\]
Each node must:

  • verify that it has a share corresponding to the public polynomial (with DLEQ?)
  • multiply its share \(s_i\) by the Lagrange coefficient \(L_i(k)\) of the new index \(k\), so that when aggregation happens, the shares reconstruct to a new share for the index \(k\)
  • encrypt it to the public key of the new recipient

DLEQ(secret, base1, base2)
DLEQ 1: \[DLEQ(s_i, s_iG, F(i))\]
DLEQ w/ Lagrange: \[DLEQ(s_i, L_i(k)P, L_i(k)*F(i))\]

Problem: how can we encrypt verifiably?

  • Either we use interaction (basically redoing the DKG),
  • or we use a SNARK,
  • or ...?

The recipient must make sure it has all the values from the same QUAL set as in the DKG:

  • verify the DLEQ proof
  • decrypt
  • add all the shares to make its own \[s_k\]
    • It is important that this is the same set of QUAL participants as in the original DKG, no more and no less.
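
The node-side Lagrange step and the recipient-side aggregation described above, as an added Python example (not code from the original note). It assumes a prime field Q in place of the curve's scalar field, constructed sample polynomials and hypothetical helper names; encryption and the DLEQ proofs are left out.

```python
# Added example: recovering a share for a new index k with Lagrange coefficients.
# Assumptions: prime field Q stands in for the curve's scalar field; polynomials
# are constructed sample data from a seeded PRNG (a real DKG needs a CSPRNG).
import random

Q = 2**127 - 1  # prime modulus (assumed)

def poly_eval(coeffs, x):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} at x, mod Q (Horner)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc

def run_dkg(n, t, rng):
    """Return ({i: s_i}, joint polynomial f = sum of f_i) for nodes 1..n."""
    polys = {i: [rng.randrange(Q) for _ in range(t)] for i in range(1, n + 1)}
    shares = {i: sum(poly_eval(polys[j], i) for j in polys) % Q for i in polys}
    joint = [sum(p[d] for p in polys.values()) % Q for d in range(t)]
    return shares, joint

def lagrange_coeff(i, qual, k):
    """L_i(k): Lagrange basis polynomial of index i over the set qual, at k."""
    num = den = 1
    for j in qual:
        if j != i:
            num = num * (k - j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def contribution(i, s_i, qual, k):
    """What node i would encrypt to the new recipient: L_i(k) * s_i."""
    return lagrange_coeff(i, qual, k) * s_i % Q

def recover_share(contribs):
    """Recipient side: s_k is the sum of every contribution from the set."""
    return sum(contribs.values()) % Q

def demo():
    shares, joint = run_dkg(n=5, t=3, rng=random.Random(1))
    qual, k = sorted(shares), 6
    contribs = {i: contribution(i, shares[i], qual, k) for i in qual}
    full = recover_share(contribs)
    # Coefficients were computed over all of qual, so dropping node 2 breaks s_k.
    partial = recover_share({i: c for i, c in contribs.items() if i != 2})
    return full == poly_eval(joint, k), partial == poly_eval(joint, k)
```

demo() returns (True, False): the sum over the full set lands on the joint polynomial at k, while a sum missing one contribution does not.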