DKG Share Recovery

DKG in a few lines

Each node \(i\):

has a private polynomial \[f_i(x) = a_0 + ... + a_{t-1}x^{t-1}\]
From that get the public poly \[F_i(x) = f_i(x) * G\]
generate shares for others \[s_{i,j} = f_i(j)\]
then sum each share it receives (from QUALified participants) + its own:
- final share is \[s_i = \sum_j s_{j,i}\]
- final public polynomial \[F(x) = \sum_i F_i(x)\]

new recipient public key \[P = xP\]
each node must:

verify that it has a share corresponding to public polynonial (with DLEQ?)
multiply its share \(s_i\) by the Lagrange coefficient of the new indiex \(k\) such that when aggregation happens, the shares will reconstruct to a new share for the index \[k\]
encrypt it to the public key of the new recipient

DLEQ(secret, base1, base2)
DLEQ 1: \[DLEQ(s_i, s_iG, F(i))\]
DLEQ w/ Lagrange: \[DLEQ(s_i, L_i(k)P, L_i(k)*F(i))\]

Problem: How can we encrypt verifiably ?

Recipient must make sure to have all the values of the same QUAL set as in the DKG:

verify the DLEQ proof
decrypt
add all the shares to make its own \[s_k\]
- It's important it has to be the same set of QUAL participants, no more no less than the one in the original DKG.