redjubjub icon indicating copy to clipboard operation
redjubjub copied to clipboard

Published 20 hours ago verified publisher icon ZcashFoundation

Participant identifiers for DKG

Open chelseakomlo opened this issue 3 years ago • 0 comments

The FROST paper assumes that all participants in the DKG have some unique identifier, without saying how this identifier is determined. While a PKI would be able to provide one such option, in a decentralized setting, we don't want to assume such infrastructure.

Instead, at the beginning of the DKG, we will have all participants perform the following step to generate their identifiers:

participant_i = H(g^(s_i)) || "some domain separator" )

Here, s_i is the secret chosen by the participant while performing the DKG. During the first round of the DKG, when all participants send commitments to each other, they can also send their identifiers.

We might want to additionally think about verification to ensure that the owner of s_i actually corresponds to this identifier, and is not masquerading as another participant. It might be enough that all participants derive each other identifiers in the second round of the DKG, after performing the VSS verification step.

chelseakomlo avatar Apr 09 '21 17:04 chelseakomlo