kyber
kyber copied to clipboard
dedis
Broadcast of polynomials commitments in VSS/DKG
Hello! According to the original papers, a dealer of the VSS/DKG schemes has to broadcast polynomials commitments (Deal.Commitments in Kyber). In Kyber, these commitments are encrypted together with deals. So a malicious party can send different deals (given from different polynomials) to different parties. For Rabin's DKG, it will be revealed in the second phase. But in the original version, this would have been revealed in the first phase and the party would not have got into the QUAL set. Maybe I missed something, why did you change this "broadcast rule"?
Hi,
You are right, good eye! However, let me add in some context:
- Unfortunately, Pedersen DKG requires synchronous communication model with a broadcast channel. That is very hard to do in practice: reliable broadcast or consensus / blockchain. In the case where we don't have this broadcast channel, the attacker can still send any commitment in the clear to any party, not necessarily the same, leading back to the same case as here. Nevertheless, you are probably right we should still expose it in the API as an uncrypted field in the Deal.
- Due to this limitation of the model, we/I plan to hopefully move towards an asynchronous DKG which use a relaxed network model. In that case, there's not gonna be any need to rely on the attacker correctly broadcasting any values.
Gonna open up an issue for revealing the commitment. Thanks !
@SK0M0R0H Just want to flag out here that I've rewrote a new DKG library and I've put that public commitment in the clear now; it's on a fork of kyber though. https://github.com/drand/kyber/blob/master/share/dkg/structs.go#L97
