BIP Draft: "ChillDKG: Distributed Key Generation for FROST"
132 views
Skip to first unread message
Tim Ruffing
Jul 8, 2024, 4:13:31 PM (10 days ago) Jul 8
to bitco...@googlegroups.com
Jonas Nick and I have been working on a BIP draft for Distributed Key
Generation for FROST Threshold Signatures, which we would like to
propose to the community for discussion. The draft contains a
description of the design considerations, detailed usage instructions,
and a reference implementation in Python, which we intend to be the
definitive specification. The document and the code currently live at:
https://github.com/BlockstreamResearch/bip-frost-dkg
We're looking forward to feedback from the community.
Things still to do include:
* Specifying the wire format
* Test vectors
* Possibly any extensions currently mentioned as TODO in the draft
(e.g., identifiable aborts)
* Extracting the included secp256k1proto as a proper Python package
Of course, a BIP for FROST *signing* will also be required to make use
of FROST, and we know that one is in the works.
Best,
Jonas and Tim
Generation for FROST Threshold Signatures, which we would like to
propose to the community for discussion. The draft contains a
description of the design considerations, detailed usage instructions,
and a reference implementation in Python, which we intend to be the
definitive specification. The document and the code currently live at:
https://github.com/BlockstreamResearch/bip-frost-dkg
We're looking forward to feedback from the community.
Things still to do include:
* Specifying the wire format
* Test vectors
* Possibly any extensions currently mentioned as TODO in the draft
(e.g., identifiable aborts)
* Extracting the included secp256k1proto as a proper Python package
Of course, a BIP for FROST *signing* will also be required to make use
of FROST, and we know that one is in the works.
Best,
Jonas and Tim
David A. Harding
Jul 16, 2024, 12:45:28 PM (2 days ago) Jul 16
to Tim Ruffing, bitco...@googlegroups.com
On 2024-07-08 10:05, Tim Ruffing wrote:
> Jonas Nick and I have been working on a BIP draft for Distributed Key
> Generation for FROST Threshold Signatures
Thank you Tim and Jonas! This looks amazing! One quick question; you
> Jonas Nick and I have been working on a BIP draft for Distributed Key
> Generation for FROST Threshold Signatures
write:
> Simple backups: The capability of ChillDKG to recover devices from a
> static seed and public recovery data avoids the need for secret
> per-session backups, enhancing user experience.
By "public recovery data", I assume you mean that security is not
weakened by the data being made public. However, are there any privacy
implications? For comparison, if everyone knows what BIP32 HD path I
use, that doesn't weaken my privacy; but if everyone knows my BIP32
xpub, that pretty much destroys my onchain privacy. Where (if anywhere)
does ChillDKG recovery data fall on this spectrum?
Thanks again!,
-Dave
Jonas Nick
Jul 16, 2024, 1:57:41 PM (2 days ago) Jul 16
to David A. Harding, Tim Ruffing, bitco...@googlegroups.com
Thanks Dave. There are indeed potential privacy implications of the recovery
data because only the secret shares are encrypted. Most importantly, the
recovery data contains in plaintext:
- the long-term "host" public keys of the participants
- the final threshold public key that is the result of the DKG
For example, we could imagine a scenario where a DKG participant puts their
recovery data on a cloud hoster and an adversary is able to obtain it. Then the
adversary could use to contained threshold public key to associate on-chain
transactions with the victim.
However, there's nothing preventing the participants from encrypting the
recovery data before backing it up. We do not specify that encryption in the BIP
because it is an operation local to the participants and does not affect the
communication between them. But now that you mention this, I think we should be
a bit more clear in the BIP (and don't call the recovery data "public"). For
example, it may make sense to use the DKG protocol seed to derive an encryption
key, so you don't have to backup any secret data besides the seed.
data because only the secret shares are encrypted. Most importantly, the
recovery data contains in plaintext:
- the long-term "host" public keys of the participants
- the final threshold public key that is the result of the DKG
For example, we could imagine a scenario where a DKG participant puts their
recovery data on a cloud hoster and an adversary is able to obtain it. Then the
adversary could use to contained threshold public key to associate on-chain
transactions with the victim.
However, there's nothing preventing the participants from encrypting the
recovery data before backing it up. We do not specify that encryption in the BIP
because it is an operation local to the participants and does not affect the
communication between them. But now that you mention this, I think we should be
a bit more clear in the BIP (and don't call the recovery data "public"). For
example, it may make sense to use the DKG protocol seed to derive an encryption
key, so you don't have to backup any secret data besides the seed.
Reply all
Reply to author
Forward
0 new messages