-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to blame the disruptive signing participant? #5
Comments
If we plan on doing these checks, we should also consider additional checks like: which would require the NonceAgg and PartialSigAgg functions to also take MIN_PARTICIPANTS and MAX_PARTICIPANTS as input parameters. |
Participant IDs can be random, in which case If I'm understanding this correctly, with either option, it's the responsibility of the caller of the API to assemble the correct participant identifier list. We should certainly validate the data to the extent possible, but I think the only things we can check are for invalid secp256k1 scalars and duplicates. |
In BIP DKG, participant ids are long-term pubkeys of the participants, but internally (when it comes to Lagrange coefficients), we just use indices 1...n. I think there's some meta issue. With Jesse working on the implementation, Jonas and me working on BIP DKG, and Sivaram working on the signing BIP, it seems we have diverged on some design decisions, and also some of the terminology. We should probably synchronize, but I'm not entirely sure what's the best process. It may be a good idea to wait for Jonas, who is currently out of office. |
Interesting, I'm curious to learn more about how we map from pubkeys to indices. Currently, in the implementation, we pass the pubkey to a hashing function to generate an index hash, and we don't get monotonically increasing integers, but rather randomized hash integers.
Some synchronous time when Jonas is available sounds great. |
What we currently do in BIP DKG is simply to expect the caller to provide an (ordered) list of pubkeys, and the position in the list is the index (where the first index is 1 instead of 0). The caller is free to pre-sort the list if they explicitly don't care about ordering. This is similar to key aggregation in the MuSig2 BIP.
Yeah, this sounds like a great topic for bike shedding. :) IIRC we considered these (tiny) advantages of indices:
The disadvantage of hashing is that the implementer needs to be careful not to use index 0. But we found this risk to be acceptable because it's on the side of the implementation and not pushed to the user. |
Ah, that makes sense. |
In NonceAgg or PartialSigAgg, we can assign blame to a signer in two ways:
Method 1: Index of Invalid Value
Method 2: Participant Identifier
I went with Method 2 because FROST includes the participant identifier parameter, which is absent in MuSig2. However, this approach has the following issue: If the participant identifier list contains invalid ids, we can’t accurately assign blame.
How to fix this?
Option 1: we just assume all the values in the identifier list are valid.
Option 2: we can check for invalid id values inside NonceAgg or PartialSigAgg
cc @jonasnick @real-or-random @jesseposner
The text was updated successfully, but these errors were encountered: