Sign_stage6 seems not to do what it's meant to

[DmytroTym]

Hello,

I was going through the library and got stuck at sign_stage6 method of orchestrate.rs. If I understand correctly, it corresponds to this line at page 15 of GG20 (specifically, the zero-knowledge proof part of it):

Each player P_i broadcasts R_i = R^{k_i} as well as a zero-knowledge proof of consistency between R_i and E_i(k_i), which each player sent as the first message of the MtA protocol in Phase 2.

But from the code it seems that we actually prove the statement t times, just with different Fujisaki-Okamoto commitments, and then verify our own proofs instead of broadcasting them. Also, I don't really understand why this stage is called in online stage of signing protocol (paper seems to suggest it can be done offline). Am I missing something?

Thanks!

[omershlo]

Thanks @DmytroTym !!
I agree that on first look something seems odd there.
@nmahendru - can you also take a look ?

[nmahendru]

That looks wrong.. and you are right @DmytroTym . I'll try to put up a pr to fix this.

[DmytroTym]

Great, thanks for the quick response!

[DmytroTym]

I have another question, but don't want to open a separate issue as I am not sure it deserves it. When we do MtAwc for k_i and w_i, the fact that g^{w_i} is public, is used. But in the code of sign/rounds.rs parties do not compute g^{w_i} themselves, but just send their values to each other during the first round. I understand that this is about identifiable aborts, which are not completely implemented anyway. But still, wanted to make sure that in the final version, g^{w_i} should be computed by everyone using public VSS commitments.

[omershlo]

Thanks @DmytroTym your feedback is extremely helpful. We identified this issue as well and it will be resolved in the upcoming PR. please send me an email to omer@zengo.com or ping me in telegram @omershlo - I would like to offer you a reward

[omershlo]

fixed in #130