Documentation
Overview ¶
Package dkg implements distributed FROST-style key generation over the supplied primitives.Curve. No trusted dealer is required: every party i samples its own secret polynomial f_i, broadcasts commitments to its coefficients, and privately delivers f_i(j) to every other party j. Each party j verifies the shares it receives against those commitments and sums them to form its share s_j of the joint master secret s = Σ_i f_i(0), which no single party ever holds.
Protocol (3 logical rounds; one round-trip pair if pipelined), shown here in its Pedersen form:
Round 1:
Each party i samples a random polynomial f_i of degree (t-1) and
a matching blinding polynomial r_i. It broadcasts Pedersen
commits C_{i,k} = c_{i,k}·G + r_{i,k}·H to every coefficient.
Round 2 (private):
Each party i sends (share_{i→j}, blind_{i→j}) = (f_i(j), r_i(j))
to every party j over an authenticated and confidential channel;
the share is secret, so an authenticated-only channel would hand
f_i(j) to any eavesdropper.
Round 3 (verify + aggregate):
Each party j checks every received (share_{i→j}, blind_{i→j})
against the commitment vector C_i, i.e. verifies
share_{i→j}·G + blind_{i→j}·H = Σ_k j^k · C_{i,k}. On success, j
computes its final share s_j = Σ_i share_{i→j}. The joint group
public key is X = (Σ_i f_i(0))·G = Σ_i C_{i,0} - r_agg·H with
r_agg = Σ_i r_{i,0}; because the Pedersen commits hide the
constant terms, X is only recoverable after an additional
opening step that reveals the aggregate blinding factor.
In this implementation we follow the simpler "Feldman commit to the coefficients of f_i alone" path: instead of (G, H)-Pedersen commits with a blinding polynomial, every party broadcasts the public coefficient images A_{i,k} = c_{i,k}·G. Verification is then share_{i→j}·G ?= Σ_k j^k · A_{i,k}, the canonical Feldman VSS check, and the group key is simply X = Σ_i A_{i,0}. In terms of the API, logical rounds 1 and 2 are produced together by Session.Round1 (Round1Output carries both the commitment vector and the per-recipient shares) and logical round 3 is Session.Round2. The trade-off is that Feldman commits reveal c_{i,0}·G, each party's contribution to X: a party that waits for the others' A_{i,0} before publishing its own can bias the distribution of X (Gennaro, Jarecki, Krawczyk and Rabin), which is why FROST's KeyGen has every party broadcast a Schnorr proof of knowledge of its constant term together with its commitments. Round1Output as documented carries only Commits and Shares, so any such proof has to be exchanged alongside it. The Pedersen scheme is reserved for the resharing path, where blinding is required to avoid leaking constant-term scalar information across rounds.
Constants ¶
This section is empty.
Variables ¶
var (
	ErrInvalidThreshold  = errors.New("dkg: threshold must satisfy 1 <= t <= n")
	ErrInvalidPartyCount = errors.New("dkg: need at least 2 parties")
	ErrInvalidPartyID    = errors.New("dkg: party ID out of range")
	ErrMissingData       = errors.New("dkg: missing share or commitment data")
)
Errors returned by the dkg package.
Functions ¶
func Run ¶
func Run(c primitives.Curve, n, t int, randSource io.Reader) (map[int]*threshold.KeyShare, *threshold.GroupKey, error)
Run is a single-process driver that runs all n parties through Round1 and Round2 and returns the per-party KeyShare set plus the resulting GroupKey. It is the in-process integration test path. In a distributed deployment each party runs its own Session locally and exchanges Round1Output over the wire: the Commits vector is broadcast to everyone, while each Shares[j] entry must be delivered only to party j over an authenticated, confidential channel, since f_i(j) is secret.
Returns one *threshold.KeyShare per party (1-indexed), all sharing the same GroupKey pointer.
Types ¶
type Round1Output ¶
type Round1Output struct {
	// Commits[k] = c_{i,k}·G, the public Feldman commitment to the k-th
	// coefficient of f_i. Broadcast to every party.
	Commits []primitives.Point
	// Shares[j] = f_i(j), the private share for party j. Delivered to
	// party j only, never broadcast.
	Shares map[int]primitives.Scalar
}
Round1Output is the data a party produces in Round 1.
type Session ¶
type Session struct {
// contains filtered or unexported fields
}
Session tracks the state of one DKG run for a single party.
func NewSession ¶
func NewSession(c primitives.Curve, partyID, n, t int) (*Session, error)
NewSession initializes a DKG session for the given party.
func (*Session) Round1 ¶
func (d *Session) Round1(randSource io.Reader) (*Round1Output, error)
Round1 samples the party's secret polynomial f_i, computes the public Feldman commitments A_{i,k} = c_{i,k}·G to its coefficients, and evaluates the shares f_i(j) for every recipient j = 1..n.
Uses crypto/rand by default. Pass a deterministic source only for known-answer-test (KAT) replay: a predictable randSource makes f_i, and with it this party's shares, predictable, so it must never be used in production.
func (*Session) Round2 ¶
func (d *Session) Round2(
	receivedShares map[int]primitives.Scalar,
	receivedCommits map[int][]primitives.Point,
) (primitives.Scalar, primitives.Point, error)
Round2 verifies received shares against the senders' commitments and produces this party's final aggregated share + the joint group public key X = Σ_i A_{i,0}.
receivedShares maps sender party ID i → f_i(this party's ID). receivedCommits maps sender party ID i → that sender's Feldman commitment vector.
Returns:
- aggregateShare s_j = Σ_i f_i(j)
- groupPublicKey X = Σ_i A_{i,0}
On any verification failure, the returned error wraps the package error and identifies the offending sender's ID, so the caller knows which party to exclude or accuse; no partial aggregate is returned.
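The following is an added worked example, not the dkg package's own code, covering the Feldman protocol flow described in the Overview and the Round2 verification above. It stands in elliptic.P256() from crypto/elliptic for primitives.Curve and math/big integers mod the group order for primitives.Scalar (both assumptions of the example; the point-arithmetic methods it uses are deprecated in current Go but still work), drops the Session type, and carries no proof of knowledge for the constant term. It runs every party's Round1, routes each f_i(j) only to party j, runs every party's Round2 with the Feldman check, and reports a failed check by wrapping a sentinel error that names the sender, mirroring the package's Run driver:

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Point is an affine curve point; (0,0) is crypto/elliptic's encoding of the identity.
type Point struct{ X, Y *big.Int }

var curve, ident = elliptic.P256(), Point{new(big.Int), new(big.Int)} // P256 stands in for primitives.Curve (assumption)
var order = curve.Params().N                                          // scalars are integers mod the group order
var ErrBadShare = errors.New("share missing or inconsistent with sender's commitments")

// Group operations over crypto/elliptic; every scalar passed in is already reduced mod order.
func scalarBase(s *big.Int) Point          { x, y := curve.ScalarBaseMult(s.Bytes()); return Point{x, y} }
func scalarMult(p Point, s *big.Int) Point { x, y := curve.ScalarMult(p.X, p.Y, s.Bytes()); return Point{x, y} }
func add(p, q Point) Point                 { x, y := curve.Add(p.X, p.Y, q.X, q.Y); return Point{x, y} }
func PointEqual(p, q Point) bool           { return p.X.Cmp(q.X) == 0 && p.Y.Cmp(q.Y) == 0 }

// evalPoly returns f(x) mod order by Horner's rule; coeffs[0] is the constant term f(0).
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	acc := new(big.Int)
	for k := len(coeffs) - 1; k >= 0; k-- {
		acc.Mul(acc, x).Add(acc, coeffs[k]).Mod(acc, order)
	}
	return acc
}

// Round1: party i samples f_i of degree t-1, publishes A_{i,k} = c_{i,k}·G and computes f_i(j) for j = 1..n.
func Round1(n, t int) (commits []Point, shares map[int]*big.Int, err error) {
	coeffs := make([]*big.Int, t)
	for k := range coeffs {
		if coeffs[k], err = rand.Int(rand.Reader, order); err != nil {
			return nil, nil, err
		}
		commits = append(commits, scalarBase(coeffs[k]))
	}
	shares = map[int]*big.Int{}
	for j := 1; j <= n; j++ {
		shares[j] = evalPoly(coeffs, big.NewInt(int64(j)))
	}
	return commits, shares, nil
}

// FeldmanVerify is the canonical check share·G == Σ_k j^k · A_{i,k}.
func FeldmanVerify(j int, share *big.Int, commits []Point) bool {
	rhs, jk, jj := ident, big.NewInt(1), big.NewInt(int64(j))
	for _, a := range commits {
		rhs = add(rhs, scalarMult(a, jk))
		jk = new(big.Int).Mod(new(big.Int).Mul(jk, jj), order)
	}
	return PointEqual(scalarBase(share), rhs)
}

// Round2: party j verifies each received share, then aggregates s_j = Σ_i f_i(j) and X = Σ_i A_{i,0}.
func Round2(j int, received map[int]*big.Int, commits map[int][]Point) (*big.Int, Point, error) {
	sj, X := new(big.Int), ident
	for i, s := range received {
		if s == nil || len(commits[i]) == 0 || !FeldmanVerify(j, s, commits[i]) {
			return nil, Point{}, fmt.Errorf("party %d: %w", i, ErrBadShare) // the error names the sender
		}
		sj.Add(sj, s).Mod(sj, order)
		X = add(X, commits[i][0])
	}
	return sj, X, nil
}

// RunDKG drives all n parties in one process, as the package's Run does, and checks they agree on X.
func RunDKG(n, t int) (map[int]*big.Int, Point, error) {
	commits, sent := map[int][]Point{}, map[int]map[int]*big.Int{} // sent[i][j] = f_i(j)
	for i := 1; i <= n; i++ {
		c, s, err := Round1(n, t)
		if err != nil {
			return nil, Point{}, err
		}
		commits[i], sent[i] = c, s
	}
	final, X := map[int]*big.Int{}, ident
	for j := 1; j <= n; j++ {
		inbox := map[int]*big.Int{} // only f_i(j) reaches party j; the rest of sent[i] stays private
		for i := 1; i <= n; i++ {
			inbox[i] = sent[i][j]
		}
		sj, Xj, err := Round2(j, inbox, commits)
		if err != nil || (j > 1 && !PointEqual(X, Xj)) {
			return nil, Point{}, fmt.Errorf("party %d: rejected share or group-key mismatch: %v", j, err)
		}
		final[j], X = sj, Xj
	}
	return final, X, nil
}

func main() { _, X, err := RunDKG(5, 3); fmt.Println(err, X.X) } // prints <nil> and the group key's x-coordinate
```

Running it prints a nil error followed by the x-coordinate of a fresh 3-of-5 group key. To exercise the failure path, hand Round2 a share that does not satisfy share·G = Σ_k j^k · A_{i,k} and check the result with errors.Is against ErrBadShare; the sender's ID is in the message. Any t of the returned shares Lagrange-interpolate at 0 to a secret whose public image is X, while t-1 of them do not, which is the property the Feldman checks guarantee.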