T-ECDSA: Protocol document#282
Conversation
Previous document contained very detailed technical description which need to be moved to a second stage of this documentation process.
pdyraga
left a comment
pdyraga
left a comment
There was a problem hiding this comment.
Just a quick first pass over the high-level description of phases.
| In this phase signers jointly generate _DSA Key_ which will be used in the Signing | ||
| phase. | ||
|
|
||
| Each signer generates _Secret Key Share_ and _Public Key Share_ which form |
| === Key Generation | ||
|
|
||
| [.lead] | ||
| In this phase signers jointly generate _DSA Key_ which will be used in the Signing |
There was a problem hiding this comment.
which may be used or which is used sounds here better for in my opinion.
| Paillier and broadcasts the encrypted _Secret Key Share_ along with _Public Key Share_ | ||
| to other signers. + | ||
| After receiving all shares, signers combine them to get _ECDSA Key_, consisting of | ||
| _Encrypted Secret Key_ and _Public Key_. |
There was a problem hiding this comment.
Maybe it's worth to add an information that the secret key is encrypted with a threshold Paillier scheme and no single player can decrypt it?
| After receiving all shares, signers combine them to get _ECDSA Key_, consisting of | ||
| _Encrypted Secret Key_ and _Public Key_. | ||
|
|
||
| This phase requires all signers in the group to produce a valid _ECDSA Key_. |
There was a problem hiding this comment.
Actually, it requires all signers to cooperate in order to produce a valid key. If malicious behavior is detected we abort the protocol. There is no threshold for Key-Gen phase - worth mentioning it.
|
|
||
| This phase requires also _ECDSA Key_ which is a result of Key Generation Phase. | ||
|
|
||
| To complete this round just part of signers is required. The number of signers |
| Each signer generates _Secret Key Share_ and _Public Key Share_ which together form | ||
| _ECDSA Key Share_. + | ||
| Since _Secret Key Share_ must always be kept private, signer encrypts it with | ||
| Paillier and broadcasts the encrypted _Secret Key Share_ along with _Public Key Share_ |
There was a problem hiding this comment.
with plaintext Public Key Share ?
| Paillier scheme in a way that no single signer is able decrypt it. | ||
|
|
||
| This phase requires all signers in the group to cooperate to produce a valid | ||
| _ECDSA Key_.+ |
|
|
||
| This phase requires also _ECDSA Key_ which is a result of Key Generation Phase. | ||
|
|
||
| To complete this round just part of signers is required. The minimum number of signers |
There was a problem hiding this comment.
Comma after To complete this round?
|
|
||
| === Setup | ||
|
|
||
| ==== Master Public Key |
There was a problem hiding this comment.
Master Public Key looks like an orphan here. We already have: Output: Commitment Master Public Key as an output of the Setup round.
There was a problem hiding this comment.
I wanted to have a subsection here for Master Public Key generation, in case we would do more things under the === Setup section.
There was a problem hiding this comment.
Maybe if we don't plan to do anything more under the === Setup section, let's remove it. WDYT?
There was a problem hiding this comment.
I vote for leaving it here, so we know that this part is about Master Public Key
|
|
||
| //- | ||
|
|
||
| . Each signer computes a set of parameters and calculates a commitment to these |
There was a problem hiding this comment.
Maybe we can just name those parameters explicitly here and say they are used to compute the final signature? Not going deep into details.
| . Each signer computes hash of _Signature Factor Public_ parameter. | ||
|
|
||
| . Signers jointly decrypt _Encrypted Signature Unmask_ with Paillier, so each signer | ||
| receives just a part of _Signature Unmask_. |
There was a problem hiding this comment.
Actually, they receive partial decryptions, not a part of Signature Unmask. There is a difference - partial decryption is not like a public key share for instance.
| ^|_Signature.S_ partial decryption. | ||
| |=== | ||
|
|
||
| . Signer validates received _Sign Round 6 Messages_. + |
There was a problem hiding this comment.
Are they really validated? I think we need to add some validation, per https://github.com/keep-network/keep-core/issues/246 but it's not covered in the Gennaro's paper and we are not currently doing it.
There was a problem hiding this comment.
Same as in other rounds we're checking a number of messages we've received.
pdyraga
left a comment
pdyraga
left a comment
There was a problem hiding this comment.
Left a few comments. This looks good for me but I'd like to have an opinion of someone not involved in the T-ECDSA.
Having the protocol documented, we should now start with another section describing what are the potential threats to each phase / round.
|
|
||
| This phase requires also _ECDSA Key_ which is a result of Key Generation Phase. | ||
|
|
||
| To complete this round, just part of signers is required. The minimum number of signers |
There was a problem hiding this comment.
this round
Which round? Did you mean phase?
|
|
||
| ^|`signerID` | ||
| ^|`string` | ||
| ^|Signer's ID |
There was a problem hiding this comment.
I am not sure if it makes sense to include signerID here. I see two reasons for that:
- Now it's only
signerIDbut it will becomesenderIDandreceiverIDwhen we'll merge the setup PR signerID/senderID/receiverID- all of them are related to transport layer and matching messages together. I think we should focus only on T-ECDSA-specific parameters.
Thoughts?
There was a problem hiding this comment.
Yeah it's unnecessary. I was documenting the code too much, but it's more about describing the protocol.
|
|
||
| D(_encryptedSecretKeyShare_) = _secretKeyShare_ | ||
|
|
||
| where _q_ is an order and _g_ is a generator point of an Elliptic Curve |
There was a problem hiding this comment.
... and D is a Decrypt function of a Paillier scheme?
There was a problem hiding this comment.
I was wondering if D() is obvious or not. It's better to describe it :)
| **** | ||
| + | ||
| _Public Key Share_ is published with a decommitment key used in a previous round | ||
| to produce commitment to _Public Key Share_ value. |
There was a problem hiding this comment.
Hmm... I am not sure. Decommitment key is not used to produce a commitment. Rather, as a result of calling commitment function, we get both commitment string and decommitment key.
There was a problem hiding this comment.
In our implementation of a commitment generation we're taking a random value r and we are using it in commitment computation commitment = g^digest + he^r.
|
|
||
| D(_encryptedSecretKeyFactorShare_) = _secretKeyFactorShare_ | ||
|
|
||
| D(_secretKeyMultipleShare_) = η * D(_secretKey_) |
There was a problem hiding this comment.
and what is η here? secretKeyFactorShare?
|
|
||
| //- | ||
|
|
||
| . Each signer computes _Encrypted Signature_ value which next they jointly decrypt. |
There was a problem hiding this comment.
What if we mention which parameters are used to compute Encrypted Signature?
| signing. + | ||
| The value is calculated by a signer for each peer signer and send to them. | ||
| The peer signer have to use received value when calculating a commitment for given | ||
| signer. |
There was a problem hiding this comment.
It should be rather:
Commitment master public key is generated by each signer individually and sent to all other peer signers.
When generating a commitment that will be sent to some verifier, it's required to use that verifier's commitment master public key.
Shadowfiend
left a comment
Shadowfiend
left a comment
There was a problem hiding this comment.
Couple more thoughts; I like this organization a lot better!
| [.lead] | ||
| _Commitment Master Public Key_ is a value needed for commitment generation. | ||
| This setup needs to be performed before each of two phases: key generation and | ||
| signing. + |
There was a problem hiding this comment.
In general I think we're going paragraph-heavy throughout the content here. It feels like this and the next bit can be the same paragraph without any problems. Thoughts?
There was a problem hiding this comment.
I just wanted to have a general description as [.lead] and more details in next paragraph. But yes, I can fit it all into one paragraph which will be lead.
| Output:: | ||
| * _Commitment Master Public Key_ for each peer signer | ||
|
|
||
| //- |
There was a problem hiding this comment.
It feels like it would be good to have an explicit heading for these rather than the //- trick; perhaps Description or Procedure?
|
|
||
| //- | ||
|
|
||
| . A signer generates _Commitment Master Public Key_ for each peer signer and publishes it to them in _CommitmentMasterPublicKeyMessage_: |
There was a problem hiding this comment.
Though “publish” implies in the clear, it may be good to clarify whether this needs to be confidential or not.
There was a problem hiding this comment.
Actually the implementation changed a little. A signer calculates one Commitment Master Public Key and broadcasts it to all other peer signers. The value is not confidential.
| the plaintext _ECDSA Public Key Share_ to other signers. + | ||
| After receiving all shares, signers combine them to get the _ECDSA Key_, consisting | ||
| of the _Encrypted ECDSA Private Key_ and the _ECDSA Public Key_. | ||
| The _ECDSA Private Key_ is created by combining the Paillier-encrypted _ECDSA |
There was a problem hiding this comment.
This feels like maybe it should be a numbered list? I'm unclear on the relationship between this section and the one after the “Output” block; both seem to describe the protocol, but they describe different components of it. Should they be combined somehow?
There was a problem hiding this comment.
This remained from the previous version of the document where phases were described separately from rounds. Much of information here duplicates those in rounds. I combined the two parts.
| This setup needs to be performed before each of two phases: key generation and | ||
| signing. + | ||
| The value is calculated by a signer for each peer signer and send to them. | ||
| The peer signer have to use received value when calculating a commitment for given |
There was a problem hiding this comment.
“has to use the received value…” “for a given…”
| Paillier and this encrypted value is published along with Zero Knowledge Proof | ||
| Π~i~, which states that: | ||
| + | ||
| **** |
There was a problem hiding this comment.
This defines a sidebar, which means technically it's outside of the flow of text. It may make more sense to use a standard ==== block, perhaps with a custom role like [proof]?
There was a problem hiding this comment.
Good point. For now I used [NOTE] role. It can be updated later if we want use some custom formatting.
|
It's ready for a next round, gents! |
Shadowfiend
left a comment
Shadowfiend
left a comment
There was a problem hiding this comment.
One tiny note, and let's also go ahead and merge master. Then I'm good to go 
|
Thank you @Shadowfiend and @pdyraga for your valuable comments! |
pdyraga
left a comment
pdyraga
left a comment
There was a problem hiding this comment.
Just three small comments, the rest looks very good.
| |Decommitment key for _ECDSA Public Key Share_ | ||
|
|
||
| |`secretKeyProof` | ||
| |`zkp.DsaPaillierKeyRangeProof` |
There was a problem hiding this comment.
zkp.DsaPaillierKeyRangeProof -> zkp.EcdsaPaillierKeyRangeProof
| |Decommitment key for a commitment to _ECDSA Private Key Factor Share_ and _ECDSA Private Key Multiple Share_ | ||
|
|
||
| |`secretKeyFactorProof` | ||
| |`zkp.DsaPaillierSecretKeyFactorRangeProof` |
There was a problem hiding this comment.
zkp.DsaPaillierSecretKeyFactorRangeProof -> zkp.EcdsaPaillierSecretKeyFactorRangeProof
|
|
||
| |`signatureFactorShareCommitment` | ||
| |`commitment.MultiTrapdoorCommitment` | ||
| |Commitment to parameters from <<sign_round_3>> |
There was a problem hiding this comment.
Maybe we should be explicit here? Commitment to signature factor public share and signature unmask share ?
|
@pdyraga updates are ready |
|
I am good to go 👍 Waiting for a green light from @Shadowfiend |
3 participants
Documentation for T-ECDSA Protocol.
Main focus on:
Based on flowdock thread