finalized dkg notes

notebooks/secret_sharing.ipynb

@@ -25,32 +25,89 @@
     "\n",
     "The problems with this, while admittedly simple and extensible, is that it assumes honesty of the participants (at no point is there an ability to verify partial shares), and further that the shared secret is known singuarly at some point in space-time, both at instantiation of the sharing and at the recovery of the shares. To address these issues, we move beyond to ...\n",
     "\n",
-    "## pedersen DKG\n",
+    "## Feldman's VSS\n",
     "\n",
-    "Now in this [scheme](https://link.springer.com/chapter/10.1007/3-540-46416-6_47), each participant generates coefficients, and the cooperation of participants is what allows for the collective generation of a secret. The public parameters in this setup are a large prime $p$, a generator $g$ of a subgroup of $\\mathbb{Z}_p^\\ast$, and another generator $h$ where no one knows $\\log_g h$. \n",
+    "This is a new approach to secret sharing that addresses the concern that the partials are not verifiable by the council. We again now generate $q(x)$, with $q(0)=a_0$ which is the secret, and transmit to all $i$ participants a partial share $s_i = f(i)$. The dealer also sends a committment $\\{A_k=g^{a_k}\\}_{k=0,t}$, with $g$ a generator of $\\mathbb{Z}_p^\\ast$. This allows for verification (that the partials form a secret) by checking:\n",
+    "$$\n",
+    "g^{s_i}\\stackrel{?}{=}\\prod_{k=0}^t\\left(A_k\\right)^{i^k}\n",
+    "$$\n",
+    "performed in the field (aka mod $p$). If participant $i$ does not satisfy the above, a complaint is made publically against the dealer, who is required to then reveal $s_i$ that satisfy the above, else they're fired! \n",
+    "\n",
+    "The biggest issue is that this protocol leaks $A_0=g^{a_0}=g^{\\rm secret}\\mod p$. However, assume the bad actor knows $t$ or less shares $s_i$ and $g_{a_0}$. They can then compute $\\{A_k\\}_{k=1,t}$ via $A_k=g^{a_k}=\\prod_{i=0}^t(g^{s_i})^{\\lambda_{ki}}$, where $\\lambda$ satisfies $a_k=\\sum_{i=0}^t\\lambda_{ki}f(i)$, which is still not enough to learn about $a_0$ anymore than what you could learn from $g^{a_0}$. \n",
+    "\n",
+    "## pedersen vss\n",
     "\n",
-    "Firstly, each participant $i$ chooses a secret value $a_i\\sim U(0, p)\\in\\mathbb{Z}_p$, as well as a random polynomial $q_i(x)$ of degree $t-1$ in $\\mathbb{Z}_p[x]$:\n",
+    "To address the concern of the secret's secrecy, we move to pedersen dkg. Now in this [scheme](https://link.springer.com/chapter/10.1007/3-540-46416-6_47), each participant generates coefficients, and the cooperation of participants is what allows for the collective generation of a secret. The public parameters in this setup are a large prime $p$, a generator $g$ of a subgroup of $\\mathbb{Z}_p^\\ast$, and another element in the subgroup of $\\mathbb{Z}_p$ generated by $g$, $h$, where no one knows $\\log_g h$. Therefore, the cost of information-theoretic secrecy of the shared secret is the hard assumption that the bad actor, or a cheating dealer, cannot solve the DL problem. \n",
+    "\n",
+    "The dealer generates two random polynomials of degree $t$, $q(x)=\\sum_k a_kx^k,\\tilde{q}(x)=\\sum_k b_kx^k\\in\\mathbb{Z}_p[x]$, with again $q(0)=a_0$ the shared secret. The dealer then transmits to each participant $i$ their share $(s_i=q(i), \\tilde{s}_i=\\tilde{q}(i))$, and broadcasts the values $\\{C_k = g^{a_k}g^{b_k}\\mod p\\}_{k=0,t}$. Verification of the shared secret follows by:\n",
     "$$\n",
-    "q_i(x) = a_i + a_{i1}x + a_{i2}x^2 + \\cdots + a_{i(t-1)}x^{t-1}\n",
+    "g^{s_i}h^{\\tilde{s}_i}\\stackrel{?}{=} \\prod_{k=0}^t\\left(C_k\\right)^{i^k}\\mod p\n",
     "$$\n",
-    "The participant then computes $F_{ij} = ga_{ij}$ for $j\\in[0, t-1]$, and publicly broadcasts $\\{F_ij | j\\in[1, t-1]\\}$ (remembering that we don't send $j=0$ since that is the $i$-th secret.\n",
-    "> [!NOTE]  \n",
-    "> In practice, each committment $F_{ij}$ is also multiplied by $hr_{ij}$, where $r_{ij}$ are random values to add entropy to the process.\n",
     "\n",
-    "Then, once everyone has sent the $t-1$ values, everyone computes their shares of their secret polynomial $s_{ij} = q_i(j)$, and sends them and a signature on $s_{ij}$ to participants $1..n$. \n",
+    "As before, complaints against the dealer are made public, and are rectified by the dealer transmitting $(s_i, \\tilde{s}_i)$ satisfying the above lest they face disqualification.\n",
     "\n",
-    "A participant is able to verify that a share received from $j$ is consistent by assuring:\n",
+    "### feldman dkg\n",
+    "\n",
+    "feldman dkg is built on top of the idea's above to create distribution of the process among participants. Each participant $i$ is now a dealer running a version of Feldman vss, and glued together according to the following. .\n",
+    "\n",
+    "Firstly, each participant $i$ chooses a secret value $a_i\\sim U(0, p)\\in\\mathbb{Z}_p$, as well as a random polynomial $q_i(x)$ of degree $t$ in $\\mathbb{Z}_p[x]$:\n",
     "$$\n",
-    "gs_{ji} = \\prod_{k=0}^{t-1}F^{i^k}_{jk}\n",
+    "q_i(x) = a_{i0} + a_{i1}x + a_{i2}x^2 + \\cdots + a_{it}x^t\n",
     "$$\n",
-    "If this fails, then participant $i$ complains publically. If there are complaints, the accused participant must broadcast the correct share (and random value if used). If this fails, they're booted (you're fired!). In this way, we can remove the assumption in Shamir's secret sharing of honesty of the participants, because we can verify when they're lying.\n",
+    "The participant then computes and broadcasts $C_{ij} = g^{a_{ij}}$ for $j\\in[0, t]$\n",
+    "\n",
+    "Then, everyone computes the shares of $1,\\ldots,n$ of their secret polynomial $s_{ij} = q_i(j)$, and sends them secretly to participants $j=1,\\ldots,n$. \n",
     "\n",
-    "Finally, participant $i$ determines their share as $s_i = \\sum_{j=1}^n s_{ji}$, and sign the message. They can also now determine the partials of others. How? Since $\\tilde{q}(x)=\\sum_{i}^nq_i(x)$ satisfies $s_i=\\tilde{q}(i)$, each $s_i$ is a share of $\\tilde{q}(0) = x$ (because of SSS!). The participant $j$ can now see the partial of $i$:\n",
+    "A participant is able to verify that a share received from $j$ is consistent by assuring:\n",
     "$$\n",
-    "gs_i = \\prod_{j=1}^ngs_{ji}\n",
+    "g^{s_{ij}} = \\prod_{k=0}^{t}C^{j^k}_{ik}\n",
     "$$\n",
     "\n",
-    "What might this look like? I'd recommend looking at the implementation [here](https://docs.rs/secret_sharing_and_dkg/latest/src/secret_sharing_and_dkg/pedersen_dvss.rs.html#1-341) for the basics.\n"
+    "If this fails, then participant $i$ complains publically. If there are $t$ complaints against $j$, they're automatically kicked out. If there are less than $t$ complaints, the accused participant must broadcast the correct share (and random value if used). If this fails, they're booted (you're fired!). In this way, we can remove the assumption in Shamir's secret sharing of honesty of the participants, because we can verify when they're lying.\n",
+    "\n",
+    "Finally, participant $i$ determines their share as $s_i = \\sum_{j\\in\\rm qualified} s_{ji}$, and the public key is now $y=\\prod_{i\\in\\rm qualified}C_{i0}$, and the public verification values are $C_k = \\prod_{i\\in\\rm qualified} C_{ik}$. The shared secret value $s$ itself is not computed by anyone since they don't know all the parts, but can be seen as $s=\\sum_i a_{i0}$. \n",
+    "\n",
+    "### pedersen dkg\n",
+    "\n",
+    "We now finally move onto secure distributed key generation that is verified to be secure enough for threshold signaturing (see [this](https://link.springer.com/content/pdf/10.1007/3-540-48910-X_21.pdf)). \n",
+    "\n",
+    "We now buil don topof the pedersen vss and feldman vss.\n",
+    "\n",
+    "#### Generating s:\n",
+    "\n",
+    "Each player $P_i$ performs a Pedersen-VSS of a random value $z_i$ as a dealer:\n",
+    "1.  $P_i$ chooses two random polynomials $q_i(z), q_i^\\prime(z)$ over $\\mathbb{Z}_q[z]$ of degree $t$:\n",
+    "$$q_i(z) = a_{i0} + a_{i1}z + \\ldots + a_{it}z^t$$\n",
+    "\n",
+    "$$q_i'(z) = b_{i0} + b_{i1}z + \\ldots + b_{it}z^t$$\n",
+    "\n",
+    "Let $z_i = a_{i0} = q_i(0)$. $P_i$ broadcasts $C_{ik} = g^{a_{ik}}h^{b_{ik}} \\mod p$ for $k = 0,\\ldots,t$. $P_i$ computes the shares $s_{ij} = q_i(j), s_{ij}^\\prime = q_i^\\prime(j) \\mod q$ for $j = 1,\\ldots,n$ and sends $s_{ij}, s_{ij}^\\prime$ to player $P_j$.\n",
+    "\n",
+    "3.  Each player $P_j$ verifies the shares he received from the other players. For each $i = 1,\\ldots,n$, $P_j$ checks if\n",
+    "$$g^{s_{ij}}h^{s_{ij}'} = \\prod_{k=0}^t (C_{ik})^{j^k} \\mod p$$ \n",
+    "If the check fails for an index $i$, $P_j$ broadcasts a complaint against $P_i$.\n",
+    "\n",
+    "4.  Each player $P_i$ who, as a dealer, received a complaint from player $P_j$ broadcasts the values $s_{ij}, s_{ij}'$ that satisfy the above.\n",
+    "5.  Each player marks as disqualified any player that either\n",
+    "- received more than $t$ complaints in Step 1b, or\n",
+    "- answered to a complaint in Step 1c with values that falsify the relation above.\n",
+    "  \n",
+    "Each player then builds the set of non-disqualified players QUAL. The distributed secret value $s$ is not explicitly computed by any party, but it equals $s = \\sum_{i \\in QUAL} z_i \\mod q$. Each player $P_i$ sets his share of the secret as $s_i = \\sum_{j \\in QUAL} s_{ji} \\mod q$ and the value $s_i' = \\sum_{j \\in QUAL} s_{ji}' \\mod q$.\n",
+    "\n",
+    "#### Extracting $y = g^s \\mod p$:\n",
+    "\n",
+    "Each player $i \\in QUAL$ exposes $y_i = g^{z_i} \\mod p$ via Feldman VSS:\n",
+    "\n",
+    "1.  Each player $P_i$, $i \\in QUAL$, broadcasts $A_{ik} = g^{a_{ik}} \\mod p$ for $k = 0,\\ldots,t$.\n",
+    "2.  Each player $P_j$ verifies the values broadcast by the other players in QUAL, namely, for each $i \\in QUAL$, $P_j$ checks if\n",
+    "$$g^{s_{ij}} = \\prod_{k=0}^t (A_{ik})^{j^k} \\mod p$$\n",
+    "If the check fails for an index $i$, $P_j$ complains against $P_i$ by broadcasting the values $s_{ij}, s_{ij}'$ that satisfy the relation in part 1 but do not satisfy the relation immediately above.\n",
+    "3.  For players $P_i$ who receive at least one valid complaint, i.e. values which satisfy the equation in part 1 and not the equation above, the other players run the reconstruction phase of Pedersen-VSS to compute $z_i$, $q_i(z)$, $A_{ik}$ for $k = 0,\\ldots,t$ in the clear. For all players in QUAL, set $y_i = A_{i0} = g^{z_i} \\mod p$. Compute $y = \\prod_{i \\in QUAL} y_i \\mod p$.\n",
+    "\n",
+    "What might this look like? I'd recommend looking at the implementation [here](https://docs.rs/secret_sharing_and_dkg/latest/src/secret_sharing_and_dkg/pedersen_dvss.rs.html#1-341) for the basics. The idea is that the reduction of single point failures via the secret generation requires a more secure protocol like pedersen dkg, which allows later steps to be less secure and more efficient, namely by using feldman instead.\n",
+    "\n",
+    "However, [it was shown](https://www.researchgate.net/publication/2558744_Revisiting_the_Distributed_Key_Generation_for_Discrete-Log_Based_Cryptosystems) that using Feldman vss for both stages is actually secure enough when subsequently used in a thresholding signature scheme! This is why cloudflare uses it, and saves them the pain of implementing two different VSS schemes.\n",
+    "\n"
    ]
   }
  ],