Research on non-identifiable aborts in bnb-chain/tss-lib GG18
https://github.com/bnb-chain/tss-lib is battle-tested in v1 and the initial version was audited. The code is based on the GG18 paper, and the protocol does not offer identifiable aborts.
We need to think about how problematic non-identifiable aborts are for us and whether we can find a workaround that is not O(n^2). It should be possible to tell who was inactive (check the library code to confirm!), but it may not be possible to tell who provided corrupted data.
GG18 seems to be the best choice for the first release of the system.
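To make the distinction above concrete, here is an added toy model of one protocol round written for this note (it is not tss-lib code and makes no claim about tss-lib internals). Each party broadcasts a share together with a commitment it published earlier; the group parameters, party indices and share values are constructed for illustration. A party that sends nothing is attributable directly from the missing message, whereas a bad share that is only caught by a check on the combined value produces an abort with an empty culprit list. Verifying every contribution on its own is what turns that into an identifiable abort.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
)

// Toy group for the commitment c = g^s mod p. Constructed parameters for
// illustration only; a real protocol works in an elliptic-curve group.
var (
	p = big.NewInt(1000003)
	g = big.NewInt(2)
)

// Message is a party's broadcast for the round: the share it reveals now and
// the commitment it published in an earlier round (c = g^share mod p if honest).
type Message struct {
	Share      *big.Int
	Commitment *big.Int
}

// HonestMessage builds a message whose commitment matches its share.
func HonestMessage(share int64) Message {
	s := big.NewInt(share)
	return Message{Share: s, Commitment: new(big.Int).Exp(g, s, p)}
}

// Abort records why a round failed and who can be blamed. An empty Culprits
// list is a non-identifiable abort: the round failed but nobody can be named.
type Abort struct {
	Reason   string
	Culprits []int
}

func (a *Abort) Error() string {
	return fmt.Sprintf("round aborted (%s), culprits=%v", a.Reason, a.Culprits)
}

// missingParties returns the indices in [0,n) with no message. A party that
// never sent anything is always attributable: its absence is observed directly.
func missingParties(n int, received map[int]Message) []int {
	var missing []int
	for i := 0; i < n; i++ {
		if _, ok := received[i]; !ok {
			missing = append(missing, i)
		}
	}
	return missing
}

// verifyAggregate checks only the combined value: g^(sum of shares) must equal
// the product of all commitments. One bad share makes this fail without
// revealing which share was bad.
func verifyAggregate(msgs map[int]Message) bool {
	sum := new(big.Int)
	prod := big.NewInt(1)
	for _, m := range msgs {
		sum.Add(sum, m.Share)
		prod.Mul(prod, m.Commitment)
		prod.Mod(prod, p)
	}
	return new(big.Int).Exp(g, sum, p).Cmp(prod) == 0
}

// verifyEach checks every contribution against its own commitment and returns
// the parties whose share does not match: the per-party evidence that makes
// an abort identifiable.
func verifyEach(msgs map[int]Message) []int {
	var bad []int
	for i, m := range msgs {
		if new(big.Int).Exp(g, m.Share, p).Cmp(m.Commitment) != 0 {
			bad = append(bad, i)
		}
	}
	sort.Ints(bad)
	return bad
}

// RunRound simulates one round among n parties; received holds the messages
// that arrived before the deadline. With perParty=false only the aggregate is
// checked (corrupt data gives a non-identifiable abort); with perParty=true
// each message is checked and the culprits are named. Returns nil on success.
func RunRound(n int, received map[int]Message, perParty bool) *Abort {
	if missing := missingParties(n, received); len(missing) > 0 {
		return &Abort{Reason: "inactive party", Culprits: missing}
	}
	if perParty {
		if bad := verifyEach(received); len(bad) > 0 {
			return &Abort{Reason: "corrupt contribution", Culprits: bad}
		}
		return nil
	}
	if !verifyAggregate(received) {
		return &Abort{Reason: "aggregate check failed"} // Culprits stays empty
	}
	return nil
}

func main() {
	honest := map[int]Message{0: HonestMessage(11), 1: HonestMessage(23), 2: HonestMessage(37), 3: HonestMessage(41)}
	fmt.Println("all honest:", RunRound(4, honest, false))

	dropped := map[int]Message{}
	for i, m := range honest {
		if i != 2 {
			dropped[i] = m
		}
	}
	fmt.Println("party 2 silent:", RunRound(4, dropped, false))

	corrupt := map[int]Message{}
	for i, m := range honest {
		corrupt[i] = m
	}
	corrupt[3] = Message{Share: big.NewInt(99), Commitment: honest[3].Commitment}
	fmt.Println("party 3 corrupt, aggregate only:", RunRound(4, corrupt, false))
	fmt.Println("party 3 corrupt, per-party:", RunRound(4, corrupt, true))
}
```

The point of the model is the shape of the abort, not the arithmetic: timeouts on missing messages give a culprit for free, while naming the sender of corrupted data requires per-contribution evidence (in the real protocols, proofs attached to each message) that the library must actually check and report.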
Alternatives are:
https://github.com/coinbase/kryptology/tree/master/pkg/dkg/gennaro is a GG20 implementation of one-round tECDSA with identifiable abort. This sounds sweet, but there is no sign of a security audit for this code. Also, it seems some simplifications were made by Coinbase:
From https://github.com/coinbase/kryptology/blob/master/docs/Coinbase_Pseudocode_v5.pdf
This document contains pseudocode for ECDSA threshold signatures based on the recent paper of Gennaro and Goldfeder [4]. The exact details of the protocol presented emerged from conversations with Coinbase as to what best suits their needs (e.g. not necessary to attribute misbehavior to a single server).
There is also a note in the Abstract of the GG20 paper (https://eprint.iacr.org/2020/540.pdf) saying that some crucial details of the protocol were fixed along the way. Does the Coinbase implementation include these fixes or not?
https://eprint.iacr.org/2021/060.pdf (CGGMP) is the most recent paper, from October 2021, and has some nice features: notably, identification of corrupted group members and the ability to pre-process signing before the message is known.
We would need to implement this protocol ourselves, and given the risk, starting with GG18 and upgrading to CGGMP after some time seems to be the safest option.