
On Sat, Jan 18, 2014 at 11:05 AM, Kang <td66bshwu@gmail.com> wrote:
> For instance, if there aren't enough valid shares, then just set RAND = R.
I like this suggestion; thanks.
> Could you please confirm these for me?
> 1. In your notation x.y = y^{x} mod p.
Sort of - the proposal is to do the arithmetic over an elliptic curve, not in the integers mod a prime. And p is the (prime) order of the point B. But if we wanted to use a multiplicative group and had a prime q = 2p+1, then we would have x.y == y^{x} mod q.
> 2. We know P_i and that dlog_B(P_i) == s_i from the DKG protocol. This simplifies verification a bit since we don't need to prove that dlog_B(P_i) is a valid (private) keyshare; we already know it is.
Well, yes. But we can check the outcome of the DKG protocol to make sure that the P_i are valid shares of P.
> 3. The threshold for RAND calculation is the same as the DKG's threshold, not a fraction of whoever's online when the RAND calculation starts.
Yes, the threshold is an integer fixed at the time of keyshare generation.
> Lastly, what purpose does the Sign_i(...) part serve? If s_i is _only_ known by S_i, and the zero-knowledge proof PROOF_i proves that dlog_R(Q_i) == s_i, then the signature seems a little redundant, since only S_i could have created Q_i. Maybe I've missed something here.
It's probably true that if the SoK is computed over the entire message then there's no need for a separate signature. The Sign_i part is just there for overengineering principles.

-- 
------------------------------------------------------------------------
Nicholas Hopper
Associate Professor, Computer Science & Engineering, University of Minnesota
Visiting Research Director, The Tor Project
------------------------------------------------------------------------
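The round discussed in this exchange, written out as an added example that is not part of the thread and not Tor project code. It uses the multiplicative-group setting Hopper mentions (a safe prime q = 2p+1, so x.y == y^{x} mod q) with toy-sized constants rather than a curve. The DKG is stood in for by a dealer that hands out Shamir shares with Feldman commitments, which is an assumption about how the "P_i are valid shares of P" check is done; PROOF_i is a Chaum-Pedersen discrete-log-equality proof whose Fiat-Shamir challenge covers the round context and the party index, which is the "SoK over the entire message" that makes a separate Sign_i unnecessary; and with fewer than the DKG threshold of valid shares RAND falls back to R, as Kang suggested. All function and variable names are mine.

```python
"""Added example: one round of threshold RAND = R^s with dlog-equality proofs,
in the group of quadratic residues mod a safe prime q = 2p+1 (not a curve).
Not the Tor project's code; every name here is the example author's own."""
import hashlib
import secrets

# Constructed toy parameters: q = 2p+1 with p and q both prime (a safe prime).
# A deployment would use a curve or a 2048-bit+ group; these are small on purpose.
P = 1019           # prime order of the subgroup; exponents (shares) live in Z_P
Q = 2 * P + 1      # 2039, the modulus
B = 4              # 4 = 2^2 is a quadratic residue != 1, so it generates the order-P subgroup
N, T = 5, 3        # parties and threshold, both fixed at keyshare-generation time


def hash_to_group(label: bytes) -> int:
    """Map a round label into the order-P subgroup by squaring, so nobody knows dlog_B(R)."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big")
    while pow(h % Q, 2, Q) in (0, 1):      # skip 0 and the identity
        h += 1
    return pow(h % Q, 2, Q)


def dealer_shares(n: int, t: int):
    """Stand-in for the DKG (assumption: a dealer instead of a real DKG run).
    Returns (s, {i: s_i}, Feldman commitments [B^a_0, ..., B^a_{t-1}]).  s is returned
    only so the demo can check RAND == R^s; a real DKG never exposes it."""
    coeffs = [secrets.randbelow(P) for _ in range(t)]            # f(x) = a_0 + a_1 x + ...
    shares = {i: sum(a * pow(i, j, P) for j, a in enumerate(coeffs)) % P
              for i in range(1, n + 1)}                           # s_i = f(i), s = f(0)
    return coeffs[0], shares, [pow(B, a, Q) for a in coeffs]


def valid_share_commitment(i: int, P_i: int, commits) -> bool:
    """The 'P_i is a valid share of P' check: P_i == prod_j C_j^(i^j) mod Q."""
    expected = 1
    for j, c in enumerate(commits):
        expected = expected * pow(c, pow(i, j, P), Q) % Q
    return P_i == expected


def challenge(*parts) -> int:
    """Fiat-Shamir challenge over the whole transcript (the SoK 'over the entire message')."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else x.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % P


def prove_dleq(i: int, s_i: int, R: int, ctx: bytes):
    """Party i publishes Q_i = R^s_i and a Chaum-Pedersen proof that dlog_B(P_i) == dlog_R(Q_i)."""
    P_i, Q_i = pow(B, s_i, Q), pow(R, s_i, Q)
    k = secrets.randbelow(P)
    A1, A2 = pow(B, k, Q), pow(R, k, Q)
    c = challenge(ctx, i, B, P_i, R, Q_i, A1, A2)   # binds round context and party index
    return Q_i, (A1, A2, (k + c * s_i) % P)


def verify_dleq(i: int, P_i: int, R: int, Q_i: int, proof, ctx: bytes) -> bool:
    """Check B^z == A1 * P_i^c and R^z == A2 * Q_i^c, and that Q_i lies in the order-P
    subgroup (cofactor 2 here: without that check a Q_i from the other coset is accepted
    for half of the prover's nonces, so a cheater can flip the sign of RAND)."""
    A1, A2, z = proof
    if not 0 < Q_i < Q or pow(Q_i, P, Q) != 1:
        return False
    c = challenge(ctx, i, B, P_i, R, Q_i, A1, A2)
    return (pow(B, z, Q) == A1 * pow(P_i, c, Q) % Q
            and pow(R, z, Q) == A2 * pow(Q_i, c, Q) % Q)


def combine(valid: dict, R: int, t: int) -> int:
    """RAND = prod_j Q_j^lambda_j = R^s over any t valid shares (Lagrange at x = 0);
    with fewer than t valid shares fall back to RAND = R."""
    if len(valid) < t:
        return R
    idx = sorted(valid)[:t]
    rand = 1
    for j in idx:
        lam = 1
        for m in idx:
            if m != j:
                lam = lam * m * pow((m - j) % P, -1, P) % P   # x_m / (x_m - x_j) mod P
        rand = rand * pow(valid[j], lam, Q) % Q
    return rand


def run_round(ctx: bytes, silent=(), cheating=()):
    """One round on constructed input: `silent` parties send nothing, `cheating` parties
    send a response z they could not have computed.  Returns (RAND, R, s, accepted indices)."""
    s, shares, commits = dealer_shares(N, T)
    pub = {i: pow(B, s_i, Q) for i, s_i in shares.items()}          # the P_i from the DKG
    if not all(valid_share_commitment(i, P_i, commits) for i, P_i in pub.items()):
        raise ValueError("DKG output is inconsistent")
    R = hash_to_group(ctx)
    valid = {}
    for i, s_i in shares.items():
        if i in silent:
            continue
        Q_i, (A1, A2, z) = prove_dleq(i, s_i, R, ctx)
        if i in cheating:
            z = (z + 1) % P                                          # proof no longer verifies
        if verify_dleq(i, pub[i], R, Q_i, (A1, A2, z), ctx):
            valid[i] = Q_i
    return combine(valid, R, T), R, s, sorted(valid)
```

Calling `run_round(b"round-1")` accepts all five parties and returns RAND == R^s; `run_round(b"round-3", silent={1, 2}, cheating={3})` leaves only two valid shares, below the threshold T fixed at share generation, so it returns RAND == R. The subgroup membership test in `verify_dleq` is the one check the thread's description does not spell out; in the curve setting the corresponding check is that Q_i lies in the prime-order subgroup of the base point.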