Gennaro & Goldfeder Key Generation Protocol

bazzilic

10/18/22, 9:16 AM

As I am going through the “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” paper by Gennaro & Goldfeder, 2018, I am stumbled by the key generation protocol (Sect. 4.1, p.10):

In Phase 1, they create a (commitment, decommitment) pair using a commitment scheme. Earlier in the paper, they mention that “in practice one can use any secure hash function H and define the commitment to x as h = H(x, r), for a uniformly chosen r of length λ and assume that H behaves as a random oracle. We use this efficient random oracle version in our implementation” (see p.6, bottom). As I understand, they reduce commitment to an HMAC with a key r. What is the decommitment string in this case? Is it r or is it x? What purpose does decommitment string serve at all?

In Phase 1, the commitment string is broadcast. Then, in Phase 2, the decommitment string is broadcast. As I understand, separation is done so that everybody makes their commitment before seeing anybody's decommitment.

Next sentence: “Let y_i be the value decommitted by P_i”. So does y_i = KGD_i = r?

Next sentence: “The player P_i performs a (t, n) Feldman-VSS of the value u_i, with y_i as the “free term in the exponent”. In your typical polynomial secret sharing (e.g. Shamir), whatever value you are sharing is the free term in the polynomial. So to me this looks like it contradicts itself saying that we are sharing u_i and y_i at the same time. Does “free term in the exponent” not mean the free term of the polynomial? Does Feldman-VSS work differently from Shamir?

Then, “the resulting values x_i are a (t, n) Shamir’s secret sharing of the secret key x = $\sum$_i u_i”. Why? Is this secret key paired to the public key y?

Any comments would be very welcome!

1 + 0

dsa

secret-sharing

commitments

threshold-cryptography

key-generation

Score:1

Crypto

ming alex

10/23/22, 7:29 AM

A general commitment scheme consists of two pharse:

commitment phase: the sender encrypts a message to a commitment value by using one-way function with some random values, such as the coin tosses r in your post. This pharse can make sure that no malicious receiver gain any information about the message.
decommitment phase: the sender should transmit some evidence to prove that the above commitment value is correct.

For example, assuming that we have a secure hash function H(x,r)=H($X·h^r$) where X=$g^x$ as the public key, x is the secret value, r is a random value, then we can generate a commitment C= H($g^x·h^r$). To prove the correctness of commitment value C, the sender should send the decommitment value R= $h^r$ to the receiver with a ZK proof of knowing r, then receiver check whether C = H(X·R) is hold.

The above commitment scheme was just an unsound example. But in my understanding, the $y_i$ maybe the R I thought.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Gennaro & Goldfeder Key Generation Protocol

TH: โปรโตคอลการสร้างคีย์ Gennaro & Goldfeder

RO: Protocolul de generare a cheilor Gennaro și Goldfeder

RU: Протокол генерации ключей Дженнаро и Голдфедера

VI: Giao thức tạo khóa Gennaro & Goldfeder

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.