Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

inv-tshare: Threshold (re-)sharing protocol #542

Merged
merged 74 commits into from
Oct 16, 2024
Merged

inv-tshare: Threshold (re-)sharing protocol #542

merged 74 commits into from
Oct 16, 2024

Conversation

naure
Copy link

@naure naure commented Jul 20, 2024
edited by emmorais
Loading

This PR implements the Tshare protocol, which is responsible for transforming additive shares into Shamir shares. Beyond, a non-interactive transformation is provided to compute a t-out-of-t share, such that participants can obtain new shares that can be used in the remaining phases of the protocol.

In particular, Tshare works as follows:

Input:

  • The threshold t of parties needed to reconstruct the shared secret.
  • The auxiliary information for encryption.
  • Optionally, an existing n-out-of-n share to be converted to t-out-of-n. Otherwise, a random secret is generated.

Rounds 1:

  • Each participant generates a random polynomial of degree threshold - 1.
    • Alternatively, set an existing additive share as the constant term.
  • Each participant commits to their polynomial and a Schnorr proof.

Rounds 2:

  • Each participant decommits the public form of their polynomial and Schnorr proofs.

Rounds 3:

  • Each participant shares a private evaluation of the polynomial with each of the other participants.

Output:

  • The public commitment to the shared polynomial. It is represented in coefficients form in the exponent (EC points). The constant term corresponds to the shared value. This can be used to evaluate the commitment to the share of any participant.
  • The private evaluation of the shared polynomial for our participant. t of those can reconstruct the secret.

@naure naure requested review from becgabri and emmorais July 20, 2024 11:04
@naure naure marked this pull request as draft July 20, 2024 11:19
@naure naure force-pushed the inv-tshare branch 2 times, most recently from 2b475e7 to dc7fe6b Compare July 20, 2024 11:34
emmorais and others added 21 commits October 9, 2024 13:32
@emmorais
Remove commented code
c578fc9
@emmorais
Minor adjustments
6550a2b
@emmorais
Add chain_code to keygen output
fa1c8c5
@emmorais
Add shift to signature generation
703bc57
@emmorais
Improve error message
1d3a030
@emmorais
Refactor expect expression
22496d2
@emmorais
Refactor repeated code
37c8ebe
@emmorais
Refactor the hash calculation
387dae7
@emmorais
Distributed chain code finished and included in the transcript
1afb305
@emmorais
Remove unnecessary copyright
81dfbd4
@emmorais
If CKD fails, try again with incremented counter
0160e10
@emmorais
Introduce auxiliary macro to xor 256 bits
4cd32aa
@emmorais
Replace keccak by hmac512
29cd712
@emmorais
Introduce first unit test from test vectors
ce5541e
@emmorais
Child derivation key unit test from test vectors
8357a0a
@emmorais
Clippy
d9576c6
@emmorais
Use CKDOutput instead of tuple
0825068
@emmorais
Retry master key generation on failure
3946c17
@emmorais
Merge branch 'main' into inv-tshare
aaa33ad
@emmorais
Fmt
e5102ab
@emmorais
Typo
ab5a265
becgabri
becgabri requested changes Oct 10, 2024
View reviewed changes
Copy link

@becgabri becgabri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The schnorr proof should be over each parties final output key (so the share they generated for themselves plus the shares they received from other parties). To me it looks like the proof is just over my_private_share unless I'm missing something, which is entirely possible.

src/tshare/participant.rs Outdated Show resolved Hide resolved
becgabri
becgabri reviewed Oct 16, 2024
View reviewed changes
Copy link

@becgabri becgabri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! Thanks for making the changes and for the code comments. I think the last thing that needs to be changed if I'm not mistaken is the confidential channel used to transmit the private shares. Once that is done we can close the ticket (or we could do that as a separate ticket if it's preferable)

src/tshare/participant.rs Show resolved Hide resolved
becgabri
becgabri approved these changes Oct 16, 2024
View reviewed changes
Copy link

@becgabri becgabri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remembered we said we would address the final issue in a new ticket so I'm approving this one.

@becgabri becgabri merged commit 80fe0d0 into main Oct 16, 2024
2 checks passed
@becgabri becgabri deleted the inv-tshare branch October 16, 2024 18:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@becgabri becgabri becgabri approved these changes

@emmorais emmorais emmorais approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@naure @becgabri @emmorais