crypto/dkg/evrf/README.md

# eVRF DKG

The DKG from the [eVRF paper](https://eprint.iacr.org/2024/397), extended with
Verifiable Encryption premised on the same methodology present in the eVRF
paper.

The DDH-premised VRF is used, yet the different instantiation presented in
section 6.4 premised on elliptic curve divisors. The one-round threshold DKG
presented in section 4.2 is extended, with the following changes:

- Any threshold of `t` participants may complete the DKG. This allows an
  adversary to bias the resulting key by choosing the set of participants, yet
  offers a robust protocol. The caller is able to choose between robustness and
  a lack of bias by completing the DKG with just `t` messages or by waiting for
  all `n`. If the caller does opt for robustness, the caller must ensure
  participants agree on the subset of participants who actually participated.

- Communication of shares was prior defined as simply sending the share to the
  relevant participant, with no description of the channel. Now, a pair of
  ECDHs are performed on the embedded curve occurs (between the sender and the
  recipient's public key), whose `x` coordinates are summed for a random,
  uniform value (as an eVRF would). This value is used as a mask to encrypt the
  communicated secret share, with the zero-knowledge proof proving it's
  well-formed. This removes the need for a complaint round from the protocol,
  allowing it to truly complete (with all recipients holding valid shares) in
  just one round.

For a gist of the verifiable encryption scheme, please see
https://gist.github.com/kayabaNerve/cfbde74b0660dfdf8dd55326d6ec33d7. Security
proofs are currently being worked on.

---

This library relies on an implementation of Bulletproofs and various
zero-knowledge gadgets. This library uses
[`generalized-bulletproofs`](https://docs.rs/generalized-bulletproofs),
[`generalized-bulletproofs-circuit-abstraction`](https://docs.rs/generalized-bulletproofs-circuit-abstraction),
and
[`generalized-bulletproofs-ec-gadgets`](https://docs.rs/generalized-bulletproofs-ec-gadgets)
from the Monero project's FCMP++ codebase. These libraries have received the
following audits in the past:
- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/generalized-bulletproofs
- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/fcmps

---

This library supports being run in no-std contexts with `alloc` when the `std`
feature (on by default) is disabled. Due to the intensity of the ZK proofs,
this isn't recommended, yet may be justified when _verifying_ posted proofs are
correct.
dkg-evrf crate monero-oxide relies on ciphersuite, which is in-tree, yet we've made breaking changes since. This commit adds a patch so monero-oxide -> patches/ciphersuite -> crypto/ciphersuite, with patches/ciphersuite resolving the breaking changes. 2025-08-25 04:49:54 -04:00			`# eVRF DKG`

			`The DKG from the [eVRF paper](https://eprint.iacr.org/2024/397), extended with`
			`Verifiable Encryption premised on the same methodology present in the eVRF`
			`paper.`

			`The DDH-premised VRF is used, yet the different instantiation presented in`
			`section 6.4 premised on elliptic curve divisors. The one-round threshold DKG`
			`presented in section 4.2 is extended, with the following changes:`

			- Any threshold of `t` participants may complete the DKG. This allows an
			`adversary to bias the resulting key by choosing the set of participants, yet`
			`offers a robust protocol. The caller is able to choose between robustness and`
			a lack of bias by completing the DKG with just `t` messages or by waiting for
			all `n`. If the caller does opt for robustness, the caller must ensure
			`participants agree on the subset of participants who actually participated.`

			`- Communication of shares was prior defined as simply sending the share to the`
			`relevant participant, with no description of the channel. Now, a pair of`
			`ECDHs are performed on the embedded curve occurs (between the sender and the`
			recipient's public key), whose `x` coordinates are summed for a random,
			`uniform value (as an eVRF would). This value is used as a mask to encrypt the`
			`communicated secret share, with the zero-knowledge proof proving it's`
			`well-formed. This removes the need for a complaint round from the protocol,`
			`allowing it to truly complete (with all recipients holding valid shares) in`
			`just one round.`

			`For a gist of the verifiable encryption scheme, please see`
			`https://gist.github.com/kayabaNerve/cfbde74b0660dfdf8dd55326d6ec33d7. Security`
			`proofs are currently being worked on.`

			`---`

			`This library relies on an implementation of Bulletproofs and various`
			`zero-knowledge gadgets. This library uses`
			[`generalized-bulletproofs`](https://docs.rs/generalized-bulletproofs),
			[`generalized-bulletproofs-circuit-abstraction`](https://docs.rs/generalized-bulletproofs-circuit-abstraction),
			`and`
			[`generalized-bulletproofs-ec-gadgets`](https://docs.rs/generalized-bulletproofs-ec-gadgets)
			`from the Monero project's FCMP++ codebase. These libraries have received the`
			`following audits in the past:`
			`- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/generalized-bulletproofs`
			`- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/fcmps`

			`---`

			This library supports being run in no-std contexts with `alloc` when the `std`
			`feature (on by default) is disabled. Due to the intensity of the ZK proofs,`
			`this isn't recommended, yet may be justified when _verifying_ posted proofs are`
			`correct.`