mirror of
https://github.com/serai-dex/serai.git
synced 2025-12-09 20:59:23 +00:00
dkg-evrf crate
monero-oxide relies on ciphersuite, which is in-tree, yet we've made breaking changes since. This commit adds a patch so monero-oxide -> patches/ciphersuite -> crypto/ciphersuite, with patches/ciphersuite resolving the breaking changes.
50
crypto/dkg/evrf/README.md
Normal file
@@ -0,0 +1,50 @@
# eVRF DKG

The DKG from the [eVRF paper](https://eprint.iacr.org/2024/397), extended with
Verifiable Encryption premised on the same methodology present in the eVRF
paper.

The DDH-premised VRF is used, yet the different instantiation presented in
section 6.4 premised on elliptic curve divisors. The one-round threshold DKG
presented in section 4.2 is extended, with the following changes:

- Any threshold of `t` participants may complete the DKG. This allows an
adversary to bias the resulting key by choosing the set of participants, yet
offers a robust protocol. The caller is able to choose between robustness and
a lack of bias by completing the DKG with just `t` messages or by waiting for
all `n`. If the caller does opt for robustness, the caller must ensure
participants agree on the subset of participants who actually participated.

- Communication of shares was prior defined as simply sending the share to the
relevant participant, with no description of the channel. Now, a pair of
ECDHs are performed on the embedded curve occurs (between the sender and the
recipient's public key), whose `x` coordinates are summed for a random,
uniform value (as an eVRF would). This value is used as a mask to encrypt the
communicated secret share, with the zero-knowledge proof proving it's
well-formed. This removes the need for a complaint round from the protocol,
allowing it to truly complete (with all recipients holding valid shares) in
just one round.

For a gist of the verifiable encryption scheme, please see
https://gist.github.com/kayabaNerve/cfbde74b0660dfdf8dd55326d6ec33d7. Security
proofs are currently being worked on.

---

This library relies on an implementation of Bulletproofs and various
zero-knowledge gadgets. This library uses
[`generalized-bulletproofs`](https://docs.rs/generalized-bulletproofs),
[`generalized-bulletproofs-circuit-abstraction`](https://docs.rs/generalized-bulletproofs-circuit-abstraction),
and
[`generalized-bulletproofs-ec-gadgets`](https://docs.rs/generalized-bulletproofs-ec-gadgets)
from the Monero project's FCMP++ codebase. These libraries have received the
following audits in the past:
- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/generalized-bulletproofs
- https://github.com/kayabaNerve/monero-oxide/tree/fcmp++/audits/fcmps

---

This library supports being run in no-std contexts with `alloc` when the `std`
feature (on by default) is disabled. Due to the intensity of the ZK proofs,
this isn't recommended, yet may be justified when _verifying_ posted proofs are
correct.
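Review bot: the audit paragraph should state explicitly that the two linked audits cover the `generalized-bulletproofs` dependencies only, not this crate's DKG or its verifiable encryption, whose security proofs the README itself says "are currently being worked on"; a reader skimming the list of audit links could otherwise take the DKG as audited, so the caveat belongs next to the links, or at the top of the file. In the first bullet, "the caller must ensure participants agree on the subset of participants who actually participated" states a precondition for the robust (`t`-message) path without saying what happens if two honest participants complete with different subsets, or how the API exposes the chosen subset so the caller can agree on it; please document both. The second bullet has a stray word and a mismatched pairing: "Now, a pair of ECDHs are performed on the embedded curve occurs (between the sender and the recipient's public key)" should read "Now, a pair of ECDHs is performed on the embedded curve (between the sender's and the recipient's keys)", and "was prior defined" reads better as "was previously defined". The closing paragraph's "may be justified when _verifying_ posted proofs are correct" would read more clearly as "may be justified when only _verifying_ posted proofs".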