[tor-dev] A threshold signature-based proposal for a shared RNG

Kang td66bshwu at gmail.com
Sat Jan 18 17:05:29 UTC 2014

So here are my thoughts.

As far as the threat model goes, my personal opinion is that it's
fairly safe to assume that the bad guys are static and don't change
during the protocol.
As far as delay goes, I'm not sure.

For failure behaviour, I think having a single possible fallback value
that can't be influenced by any participants at all seems like the
safest bet.
For instance, if there aren't enough valid shares then just set RAND = R.
I'm not sure whether using the previous consensus's RAND value is a good
idea or not; it depends on how readily available it is from non-directory
sources. We probably don't want to trust the directories to tell us
the backup RAND value if they weren't able to successfully calculate a
primary RAND value.

Could you please confirm these for me?
1. In your notation x.y = y^{x} mod p.
2. We know P_i and that dlog_B(P_i) == s_i from the DKG protocol. This
simplifies verification a bit since we don't need to prove that
dlog_B(P_i) is a valid (private) keyshare, we already know it is.
3. The threshold for RAND calculation is the same as the DKG's
threshold, not a fraction of whoever's online when the RAND
calculation starts.

Lastly, what purpose does the Sign_i(...) part serve?
If s_i is _only_ known by S_i, and the zero knowledge proof PROOF_i
proves that dlog_R(Q_i) == s_i, then the signature seems a little
redundant since only S_i could have created Q_i.
Maybe I've missed something here.
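The dlog_R(Q_i) == s_i relation discussed in the last paragraph, shown as a Chaum-Pedersen equality-of-discrete-logs proof in Python. This is an added illustration, not code from the proposal or from this post; it assumes a toy safe-prime group (constructed here and far too small for real use), that P_i = B^{s_i} is the share's public value known from the DKG, that R lies in the order-q subgroup, and a SHA-256 Fiat-Shamir challenge.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for this example only:
# p = 2q + 1, and B generates the order-q subgroup of quadratic residues mod p.
P = 2039
Q = 1019
B = 4


def hash_challenge(*values):
    """Fiat-Shamir challenge over the whole transcript, reduced mod q."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def dleq_prove(s_i, R):
    """Prover S_i: from key share s_i (with public P_i = B^{s_i}) publish
    Q_i = R^{s_i} plus a proof that dlog_B(P_i) == dlog_R(Q_i), i.e. that the
    same s_i was used, without revealing s_i."""
    P_i = pow(B, s_i, P)
    Q_i = pow(R, s_i, P)
    k = secrets.randbelow(Q - 1) + 1            # fresh nonce in [1, q-1]
    A1, A2 = pow(B, k, P), pow(R, k, P)          # commitments under both bases
    c = hash_challenge(B, R, P_i, Q_i, A1, A2)
    z = (k + c * s_i) % Q
    return Q_i, (c, z)


def dleq_verify(P_i, R, Q_i, proof):
    """Verifier: anyone holding P_i from the DKG can check the proof using
    only public values; s_i is never needed."""
    c, z = proof
    # Elements have order q, so x^(-c) == x^((-c) mod q); this avoids relying on
    # negative exponents in pow() (Python 3.8+ only).
    inv_c = (-c) % Q
    # B^z == A1 * P_i^c and R^z == A2 * Q_i^c hold iff both exponents match.
    A1 = pow(B, z, P) * pow(P_i, inv_c, P) % P
    A2 = pow(R, z, P) * pow(Q_i, inv_c, P) % P
    return c == hash_challenge(B, R, P_i, Q_i, A1, A2)
```

Because the challenge binds B, R, P_i, Q_i and both commitments, a Q_i produced with any exponent other than dlog_B(P_i) will not verify (except with probability about 1/q, which is negligible for a real-sized q).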
