add a readme file #3
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| # SSV Distributed Key Generation Spec | ||
|
|
||
| ## Introduction | ||
| This repository contains spec of distributed key generation (DKG) used in SSV. Based on verifiable secret sharing, DKG allows a set of *n* operators to generate a **BLS** key share for each operator, such that a BLS private key can only be used when threshold *t* out of *n* operators agree. | ||
|
|
||
| --- | ||
|
|
||
| ## Functionalities | ||
| Operations are initiated by an initiator, and executed by operators. An initiator can initiate: | ||
|
|
||
| ### Init | ||
| When a init message is sent to the operators, all operators participate and run a DKG ceremony to create key shares. A DKG ceremony asks each operator to verifiably share locally generated secrets with other operators, and combine secret shares from all operators to derive its own BLS key share. After the ceremony, each operator generates a **Result** with a **SignedProof** (see below) for verification. Proofs are referred to when an initiator asks for re-sign or reshare. | ||
|
|
||
| ### Re-sign | ||
| In the case where the nonces of a DKG ceremony is not correct, to prevent replay attack, the initiator sends re-sign messages for operators to create new signatures with correct nonces without generating new key shares. | ||
|
There was a problem hiding this comment. It is creating new key-shares, though. The procedure only changes the There was a problem hiding this comment. Also, the signature part is |
||
|
|
||
| ### Reshare | ||
| When the set of operators changed (including change of size and change of operators), a reshare is initiated to generate new key shares among the new operators. This process requires participation from *t* old operators and all new operators. | ||
|
|
||
| --- | ||
|
There was a problem hiding this comment. Add the following here (or wherever you see fit) Security AssumptionsAll messages are authenticated using the initiator's and operators' public key. InitThe initiator is fully trusted. Meaning it won't deviate from protocol. But it can have faults (go, up and down). Re-signThe initiator is not trusted. It may try to fool the operators into resigning with the wrong secret shares, owner and nonce. Also since in the resign operation the ReshareThe initiator is not trusted. It may try to fool the operators into resharing with the wrong secret shares. Or resharing without permission. |
||
|
|
||
| ## Validations | ||
| In a DKG ceremony, each message sent between the initiator and the operators are validated by the operators such that: | ||
| - The message is signed by the sender, preventing spoofing attacks. | ||
| - Where replay attacks are possible, a valid nonce is included to ensure the message is fresh (otherwise **Re-sign**). | ||
| - The message is in the same scope, i.e., the message is regarding the same ceremony, the same set of operators and it is in the correct stage as the receiver expects. | ||
|
|
||
| --- | ||
|
|
||
| ## Result and Proof struct | ||
| After execution of init, re-sign and reshare, a **result** is returned by the operators as an important validation for the completion of the ceremony. | ||
| ```go | ||
| type Result struct { | ||
| // Operator ID | ||
| OperatorID uint64 | ||
| // RequestID for the DKG instance (not used for signing) | ||
| RequestID [24]byte `ssz-size:"24"` | ||
| // Partial Operator Signature of Deposit data | ||
| DepositPartialSignature []byte `ssz-size:"96"` | ||
| // SSV owner + nonce signature | ||
| OwnerNoncePartialSignature []byte `ssz-size:"96"` | ||
| // Signed proof for the ceremony | ||
| SignedProof SignedProof | ||
| } | ||
| ``` | ||
|
|
||
| In a **result**, the **SignedProof** is a **Proof** with a signature. A **Proof** contains: | ||
| ```go | ||
| type Proof struct { | ||
| // the resulting public key corresponding to the shared private key | ||
| ValidatorPubKey []byte `ssz-size:"48"` | ||
| // standard SSV encrypted share | ||
| EncryptedShare []byte `ssz-max:"512"` | ||
| // the share's BLS pubkey | ||
| SharePubKey []byte `ssz-size:"48"` | ||
| // owner address | ||
| Owner [20]byte `ssz-size:"20"` | ||
| } | ||
| ``` | ||
| *ValidatorPubKey*, *EncryptedShare*, and *Owner* are to identify information of the validator and the operator in SSV network, the *SharePubKey* is computed by the operator after the DKG ceremony using the obtained secret share as the private key. | ||
|
There was a problem hiding this comment. likely it's me failing to understand, but:
|
||
|
|
||
| **Proof**s are published by the initiator after the DKG ceremony. All **Proof** from a ceremony together validates the completion of this ceremony. they can make sure: | ||
| - Partial signatures of operators are publically verifiable using the *SharePubKey* in the **proof**. If an operator created invalid partial signatures, the network is able to identify and potentially take further action. | ||
|
There was a problem hiding this comment. How could one verify this? I have a |
||
| - An operator knows its peers have completed the protocol locally and has a secret share ready to use. It prevents the case where some operators failed to derive their secret shares while others are unaware. | ||
| - The initiator refers to a completed valid DKG ceremony when initiating **Re-sign** and **Reshare**. Operators are able to identify and verify the corresponding ceremony when receiving requests from the initiator. | ||
|
|
||
|
|
||
| --- | ||
|
|
||
| ## Testing | ||
| The tests are located in the `testing/` folder. To run tests, use: | ||
| ```shell | ||
| go generate ./... | ||
| ``` | ||
| then: | ||
| ```shell | ||
| go test testing | ||
| ``` | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
provide a formula for "t out of n"?