Back to

Package dkg

Latest Go to latest

The highest tagged major version is v3.

Published: Jan 25, 2019 | License: MPL-2.0 | Module:


Package dkg implements the protocol described in "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems" by R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. DKG enables a group of participants to generate a distributed key with each participants holding only a share of the key. The key is also never computed locally but generated distributively whereas the public part of the key is known by every participants. The underlying basis for this protocol is the VSS protocol implemented in the share/vss package.

The protocol works as follow:

1. Each participant instantiates a DistKeyShare (DKS) struct.
2. Then each participant runs an instance of the VSS protocol:
  - each participant generates their deals with the method `Deals()` and then
   sends them to the right recipient.
  - each participant processes the received deal with `ProcessDeal()` and
   broadcasts the resulting response.
  - each participant processes the response with `ProcessResponse()`. If a
   justification is returned, it must be broadcasted.
3. Each participant can check if step 2. is done by calling
`Certified()`.Those participants where Certified() returned true, belong to
the set of "qualified" participants who will generate the distributed
secret. To get the list of qualified participants, use QUAL().
4. Each QUAL participant generates their secret commitments calling
 `SecretCommits()` and broadcasts them to the QUAL set.
5. Each QUAL participant processes the received secret commitments using
 `SecretCommits()`. If there is an error, it can return a commitment complaint
 (ComplaintCommits) that must be broadcasted to the QUAL set.
6. Each QUAL participant receiving a complaint can process it with
 `ProcessComplaintCommits()` which returns the secret share
 (ReconstructCommits) given from the malicious participant. This structure
 must be broadcasted to all the QUAL participant.
7. At this point, every QUAL participant can issue the distributed key by
 calling `DistKeyShare()`.


type ComplaintCommits

type ComplaintCommits struct {
	// Index of the Verifier _issuing_ the ComplaintCommit
	Index uint32
	// DealerIndex being the index of the Dealer who issued the SecretCommits
	DealerIndex uint32
	// Deal that has been given from the Dealer (at DealerIndex) to this node
	// (at Index)
	Deal *vss.Deal
	// Signature made by the verifier
	Signature []byte

ComplaintCommits is sent if the secret commitments revealed by a peer are not valid.

func (*ComplaintCommits) Hash

func (cc *ComplaintCommits) Hash(s Suite) []byte

Hash returns the hash value of this struct used in the signature process.

type Deal

type Deal struct {
	// Index of the Dealer in the list of participants
	Index uint32
	// Deal issued for another participant
	Deal *vss.EncryptedDeal

Deal holds the Deal for one participant as well as the index of the issuing Dealer.

NOTE: Doing that in vss.go would be possible but then the Dealer is always
assumed to be a member of the participants. It's only the case here.

type DistKeyGenerator

type DistKeyGenerator struct {
	// contains filtered or unexported fields

DistKeyGenerator is the struct that runs the DKG protocol.

func NewDistKeyGenerator

func NewDistKeyGenerator(suite Suite, longterm kyber.Scalar, participants []kyber.Point, t int) (*DistKeyGenerator, error)

NewDistKeyGenerator returns a DistKeyGenerator out of the suite, the longterm secret key, the list of participants, and the threshold t parameter. It returns an error if the secret key's commitment can't be found in the list of participants.

func (*DistKeyGenerator) Certified

func (d *DistKeyGenerator) Certified() bool

Certified returns true if at least t deals are certified (see vss.Verifier.DealCertified()). If the distribution is certified, the protocol can continue using d.SecretCommits().

func (*DistKeyGenerator) Deals

func (d *DistKeyGenerator) Deals() (map[int]*Deal, error)

Deals returns all the deals that must be broadcasted to all participants. The deal corresponding to this DKG is already added to this DKG and is ommitted from the returned map. To know to which participant a deal belongs to, loop over the keys as indices in the list of participants:

for i,dd := range distDeals {

This method panics if it can't process its own deal.

func (*DistKeyGenerator) DistKeyShare

func (d *DistKeyGenerator) DistKeyShare() (*DistKeyShare, error)

DistKeyShare generates the distributed key relative to this receiver It throws an error if something is wrong such as not enough deals received. The shared secret can be computed when all deals have been sent and basically consists of a public point and a share. The public point is the sum of all aggregated individual public commits of each individual secrets. the share is evaluated from the global Private Polynomial, basically SUM of fj(i) for a receiver i.

func (*DistKeyGenerator) Finished

func (d *DistKeyGenerator) Finished() bool

Finished returns true if the DKG has operated the protocol correctly and has all necessary information to generate the DistKeyShare() by itself. It returns false otherwise.

func (*DistKeyGenerator) ProcessComplaintCommits

func (d *DistKeyGenerator) ProcessComplaintCommits(cc *ComplaintCommits) (*ReconstructCommits, error)

ProcessComplaintCommits takes any ComplaintCommits revealed through ProcessSecretCommits() from other participants in QUAL. It returns the ReconstructCommits message that must be broadcasted to every other participant in QUAL so the polynomial in question can be reconstructed.

func (*DistKeyGenerator) ProcessDeal

func (d *DistKeyGenerator) ProcessDeal(dd *Deal) (*Response, error)

ProcessDeal takes a Deal created by Deals() and stores and verifies it. It returns a Response to broadcast to every other participants. It returns an error in case the deal has already been stored, or if the deal is incorrect (see `vss.Verifier.ProcessEncryptedDeal()`).

func (*DistKeyGenerator) ProcessJustification

func (d *DistKeyGenerator) ProcessJustification(j *Justification) error

ProcessJustification takes a justification and validates it. It returns an error in case the justification is wrong.

func (*DistKeyGenerator) ProcessReconstructCommits

func (d *DistKeyGenerator) ProcessReconstructCommits(rs *ReconstructCommits) error

ProcessReconstructCommits takes a ReconstructCommits message and stores it along any others. If there are enough messages to recover the coefficients of the public polynomials of the malicious dealer in question, then the polynomial is recovered.

func (*DistKeyGenerator) ProcessResponse

func (d *DistKeyGenerator) ProcessResponse(resp *Response) (*Justification, error)

ProcessResponse takes a response from every other peer. If the response designates the deal of another participants than this dkg, this dkg stores it and returns nil with a possible error regarding the validity of the response. If the response designates a deal this dkg has issued, then the dkg will process the response, and returns a justification.

func (*DistKeyGenerator) ProcessSecretCommits

func (d *DistKeyGenerator) ProcessSecretCommits(sc *SecretCommits) (*ComplaintCommits, error)

ProcessSecretCommits takes a SecretCommits from every other participant and verifies and stores it. It returns an error in case the SecretCommits is invalid. In case the SecretCommits are valid, but this dkg can't verify its share, it returns a ComplaintCommits that must be broadcasted to every other participant. It returns (nil,nil) otherwise.

func (*DistKeyGenerator) QUAL

func (d *DistKeyGenerator) QUAL() []int

QUAL returns the index in the list of participants that forms the QUALIFIED set as described in the "New-DKG" protocol by Rabin. Basically, it consists of all participants that are not disqualified after having exchanged all deals, responses and justification. This is the set that is used to extract the distributed public key with SecretCommits() and ProcessSecretCommits().

func (*DistKeyGenerator) SecretCommits

func (d *DistKeyGenerator) SecretCommits() (*SecretCommits, error)

SecretCommits returns the commitments of the coefficients of the secret polynomials. This secret commits must be broadcasted to every other participant and must be processed by ProcessSecretCommits. In this manner, the coefficients are revealed through a Feldman VSS scheme. This dkg must have its deal certified, otherwise it returns an error. The SecretCommits returned is already added to this dkg's list of SecretCommits.

func (*DistKeyGenerator) SetTimeout

func (d *DistKeyGenerator) SetTimeout()

SetTimeout triggers the timeout on all verifiers, and thus makes sure all verifiers have either responded, or have a StatusComplaint response.

type DistKeyShare

type DistKeyShare struct {
	// Coefficients of the public polynomial holding the public key
	Commits []kyber.Point
	// Share of the distributed secret
	Share *share.PriShare

DistKeyShare holds the share of a distributed key for a participant.

func (*DistKeyShare) Commitments

func (d *DistKeyShare) Commitments() []kyber.Point

Commitments implements the dss.DistKeyShare interface so either pedersen or rabin dkg can be used with dss.

func (*DistKeyShare) PriShare

func (d *DistKeyShare) PriShare() *share.PriShare

PriShare implements the dss.DistKeyShare interface so either pedersen or rabin dkg can be used with dss.

func (*DistKeyShare) Public

func (d *DistKeyShare) Public() kyber.Point

Public returns the public key associated with the distributed private key.

type Justification

type Justification struct {
	// Index of the Dealer who answered with this Justification
	Index uint32
	// Justification issued from the Dealer
	Justification *vss.Justification

Justification holds the Justification from a Dealer as well as the index of the Dealer in question.

type ReconstructCommits

type ReconstructCommits struct {
	// Id of the session
	SessionID []byte
	// Index of the verifier who received the deal
	Index uint32
	// DealerIndex is the index of the dealer who issued the Deal
	DealerIndex uint32
	// Share contained in the Deal
	Share *share.PriShare
	// Signature over all over fields generated by the issuing verifier
	Signature []byte

ReconstructCommits holds the information given by a participant who reveals the deal received from a peer that has received a ComplaintCommits.

func (*ReconstructCommits) Hash

func (rc *ReconstructCommits) Hash(s Suite) []byte

Hash returns the hash value of this struct used in the signature process.

type Response

type Response struct {
	// Index of the Dealer for which this response is for
	Index uint32
	// Response issued from another participant
	Response *vss.Response

Response holds the Response from another participant as well as the index of the target Dealer.

type SecretCommits

type SecretCommits struct {
	// Index of the Dealer in the list of participants
	Index uint32
	// Commitments generated by the Dealer
	Commitments []kyber.Point
	// SessionID generated by the Dealer tied to the Deal
	SessionID []byte
	// Signature from the Dealer
	Signature []byte

SecretCommits is sent during the distributed public key reconstruction phase, basically a Feldman VSS scheme.

func (*SecretCommits) Hash

func (sc *SecretCommits) Hash(s Suite) []byte

Hash returns the hash value of this struct used in the signature process.

type Suite

type Suite vss.Suite

Suite wraps the functionalities needed by the dkg package

Package Files

Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier