author: Tim Ruffing <crypto@timruffing.de> 2024-12-19 11:56:40 +0100
committer: bitcoindev <bitcoindev@googlegroups.com> 2024-12-19 03:01:40 -0800
commit: 91fe098a251d3bbac88522ea7cbbd82c52bed836 (patch)
tree: 34312359fe7e62717d641a2a44b2815b11194c82
parent: 97bbe33ffaf79e83592792d7426549ff4d7fc7f5 (diff)
download: pi-bitcoindev-91fe098a251d3bbac88522ea7cbbd82c52bed836.tar.gz
          pi-bitcoindev-91fe098a251d3bbac88522ea7cbbd82c52bed836.zip
Re: [bitcoindev] BIP Draft: "ChillDKG: Distributed Key Generation for FROST"
-rw-r--r--  c9/a565f5ad6bb9a23d8d5bf48459786796fb2446  | 266
1 files changed, 266 insertions, 0 deletions
diff --git a/c9/a565f5ad6bb9a23d8d5bf48459786796fb2446 b/c9/a565f5ad6bb9a23d8d5bf48459786796fb2446
new file mode 100644
index 000000000..deb7555e6
--- /dev/null
+++ b/c9/a565f5ad6bb9a23d8d5bf48459786796fb2446
@@ -0,0 +1,266 @@
+Delivery-date: Thu, 19 Dec 2024 03:01:41 -0800
+Received: from mail-qt1-f190.google.com ([209.85.160.190])
+ by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ (Exim 4.94.2)
+ (envelope-from <bitcoindev+bncBDWIFPUA4ICRBCX2R65QMGQENDGRFOA@googlegroups.com>)
+ id 1tOEHk-0000o2-8H
+ for bitcoindev@gnusha.org; Thu, 19 Dec 2024 03:01:40 -0800
+Received: by mail-qt1-f190.google.com with SMTP id d75a77b69052e-46909701869sf14231151cf.0
+ for <bitcoindev@gnusha.org>; Thu, 19 Dec 2024 03:01:39 -0800 (PST)
+ARC-Seal: i=2; a=rsa-sha256; t=1734606093; cv=pass;
+ d=google.com; s=arc-20240605;
+ b=CuWcY5Jp1ur+yE6K+UxtVvS8otsNIWcBJrFl7a8VlF6mmAZ7VhkOs9j2I1VmF/9URf
+ +XmUe3dlU8CpTHU7PE0okriMAPDn6PfGcMz3JyhMmBezSqLJw9vw6hV2MJwkm5tX8Xh9
+ 8pExr7TRdW/PJZnlOhQPCINKJF6dDinSvb7tJTpdsNdYEOxWijWnf+zlSINWY+x/1dcG
+ SMiHkOrX0YsggsQ7/tTM6r7+T7DuM57h/blalSMfNIkW6TnGaP/5lguFgzeKhaPasSFd
+ q/e8dSfZnGlN+A0lnT9CAFMImv+rSh63VrzDF3XV2UDSE1CIk49Zz5UG1mxH/0jvelRX
+ PWuA==
+ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:mime-version
+ :content-transfer-encoding:references:in-reply-to:date:cc:to:from
+ :subject:message-id:sender:dkim-signature;
+ bh=NTKxaJ9v5Zc3DNRM32jJtQDDfJa7J9WyrPIpJ7nvg50=;
+ fh=zvbgF1puqzQog/keOLvjqXCEylHNi6RzHvORkOAIe+0=;
+ b=fv6Pagy8cujvfWkXyN6amL664aQbw3FPo19dKVTTb1LCmOnjKsNZVcoZPaoGYxKSFd
+ jnuDiOkdKaETNO3mFHSWEfYcvN1sWYIJEW4Mlo0G9k+wQt7yd5V0fxTAx27896r1uJnC
+ hPzk5dOm8JDJLvEXrlQYjk+4WvDmYTDJKGEOHWp4bFQv2WXNSttQ3LEQuT6oNd7p9rDp
+ w0ziw/7xMUx3SKM9Xzg5rXKaFsc82y9bQ/nKAwip7YnsuXnMAeuOX0udEvGxHszA3lcs
+ jX5T18Zx5smwNn9UW37QVBu1Kpl7HFumWTBDDxS5+f0QEVsUo57TKbztGIHG6Wvk22uB
+ QElw==;
+ darn=gnusha.org
+ARC-Authentication-Results: i=2; gmr-mx.google.com;
+ dkim=pass header.i=@timruffing.de header.s=MBO0001 header.b="g6/vKnhW";
+ spf=pass (google.com: domain of crypto@timruffing.de designates 80.241.56.171 as permitted sender) smtp.mailfrom=crypto@timruffing.de;
+ dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=timruffing.de
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=googlegroups.com; s=20230601; t=1734606093; x=1735210893; darn=gnusha.org;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:mime-version:content-transfer-encoding:references
+ :in-reply-to:date:cc:to:from:subject:message-id:sender:from:to:cc
+ :subject:date:message-id:reply-to;
+ bh=NTKxaJ9v5Zc3DNRM32jJtQDDfJa7J9WyrPIpJ7nvg50=;
+ b=euJ8UMqcpNRQgseSIbkE+Y6TJT0XQdu8jYo5D4gd/mW/BhpzZmKhyowIQgsEDfMpo0
+ KeM5FszxAwMbeG1OGdpI5hbJl7jNULWEfc8zjx7a5ExUoBPeOrYmYMXIrt7TaBaoOHd3
+ o5DCm20Lif2iqkmVEzh7DiOxeVC19gNi2Xy+SAM3N97g/Dk0X73fsKVxK7amfizSyFQt
+ MPG/0ISK7Kmeh4Pzm7pY1jUgNmrH4VC8bb+R7HN5XlQRilwkn7R+E3DDtmTNrJGcmyWA
+ 13Eoz9BgT7uWaa7Lg8D7upTkJBE1GP2qaa3y+W5fugrOUJyAJBOAjOy1h0M7qzcitScz
+ hduw==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20230601; t=1734606093; x=1735210893;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:mime-version:content-transfer-encoding:references
+ :in-reply-to:date:cc:to:from:subject:message-id:x-beenthere
+ :x-gm-message-state:sender:from:to:cc:subject:date:message-id
+ :reply-to;
+ bh=NTKxaJ9v5Zc3DNRM32jJtQDDfJa7J9WyrPIpJ7nvg50=;
+ b=E1soK81DHZk93OzSLCH+mLcPglyqflPn37e08KECRLRqQwNk9bcRTsuzjOFq64qZQI
+ 8HqxDsbUDHQzZEukKvdURNw7nXzlPL3BniO0fnQpd2qjpSRMLPrxL33sW03GCuvwEaN8
+ zFdgULZ+Hj0My6btmnlKGvsA2vv/0ZQNhv7FEF4XYF+b3VCVCM1EWe8wm/t36Ooe3MPs
+ 9UsXqCLIkR9HCl2nnAZsnPl+m+8hzc67UKn5K5KZMf8ikkH61RSjzIzwHWlhlz4tf38D
+ kb295ztbcObuIYGdxEKztwJBhkJ9XOzzSsDUuYyiE0dwjjniRQLCw0Lvua4ITvIALjEh
+ 2sXw==
+Sender: bitcoindev@googlegroups.com
+X-Forwarded-Encrypted: i=2; AJvYcCX0uFyKjAnP+L1ufV8ofUdOANoY1eda2+mEMdx5CAppGc4AnKRezTxHpexomEs06Zq2qEHgB+vfk8wv@gnusha.org
+X-Gm-Message-State: AOJu0Yyke2AgD9bfRY80zoxjcLXfgNhY37/V6xgEh2Dyc2HQO5e2PmTS
+ AJGN+p3JkPXHe48eTXpYKuf56r3ijJRFjpilkkzKpPZdX3CaqHUL
+X-Google-Smtp-Source: AGHT+IFhiFARlFlyMtXjJddj7Aovm7G5+xnvWIEOhhPeqJr9CXiE3nEH+0nPYKQnqoPiPNn6mE8ZKQ==
+X-Received: by 2002:a05:622a:345:b0:467:5454:57b4 with SMTP id d75a77b69052e-46908ed0541mr101521851cf.49.1734606093076;
+ Thu, 19 Dec 2024 03:01:33 -0800 (PST)
+X-BeenThere: bitcoindev@googlegroups.com
+Received: by 2002:ac8:7c46:0:b0:466:8f66:abeb with SMTP id d75a77b69052e-46a3b177514ls13428591cf.1.-pod-prod-09-us;
+ Thu, 19 Dec 2024 03:01:30 -0800 (PST)
+X-Received: by 2002:a05:620a:462a:b0:7b7:342:a0a5 with SMTP id af79cd13be357-7b8638bee47mr895351185a.55.1734606090418;
+ Thu, 19 Dec 2024 03:01:30 -0800 (PST)
+Received: by 2002:a05:620a:1258:b0:7b6:d72a:7c26 with SMTP id af79cd13be357-7b9ab36d14ems85a;
+ Thu, 19 Dec 2024 02:56:47 -0800 (PST)
+X-Received: by 2002:a05:600c:3106:b0:434:effb:9f8a with SMTP id 5b1f17b1804b1-43655368638mr71344395e9.15.1734605805235;
+ Thu, 19 Dec 2024 02:56:45 -0800 (PST)
+ARC-Seal: i=1; a=rsa-sha256; t=1734605805; cv=none;
+ d=google.com; s=arc-20240605;
+ b=d+yxRa2JlElpNcqRXQpTmrbIDE+y8AZZ5y/gBrUGdXB4MsIq+8Dj1MvdYzXNeFhW5K
+ eJDCOIeflqY+1PNB1Y4y5ZLYsP2GrHGDQV0l6PR2lSH1MBHtIdhdSG3D/5UCztUVHa9z
+ 6Pp/uq2L5+8CziKX4S/bfvrjGkvWH64iY60SGzmATZTYVOwo1Fd2VwV/UmlZxd1C/rDP
+ aIDVZvSO4e4nQNF8aJA82SljLa4AFpTJZeq+UKr15XoHZ6o7ALCbkpfViO3T6CWEGED4
+ P2nTvGE7Rs1UGIYlN79G2T5Y8BXHhndwdgTPqrxnd2GoRKWDxZtmnitbu/vbMRGEzC75
+ ECbA==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=mime-version:content-transfer-encoding:references:in-reply-to:date
+ :cc:to:from:subject:message-id:dkim-signature;
+ bh=9Y8NrjSpUvFxnv5r48Hqhmd/+XqNlakVs/dTWBQ3hWA=;
+ fh=Hd0I3ucYZupoUeYOUuUg+pbx9g3zFx09m/1nGvc71Ds=;
+ b=cZfajI67Em+Fm6/jx55Og+Q2d1XWSZyQTIye0i4qeZQN4fR3xO1ysU50agsHs46wZe
+ NMUvpAvs41yZDs41hu9nTGQ5DtOTEgzuwQ+sk2Q1lNBYsD/51nejep3fs5m2zi9B7IeL
+ Y33g+TgpWFns2IApWByy9nkhcjhoSKHWtR8ZrNpk6vPXls3yVY54/qlCkO1JxBTVH/ru
+ yBiCSFWWnu8b67IOpgHG3IA1OnA5RWd9k87IeRGK41fJcB7QJf01GNZdJk3S24Jp62lk
+ XGTPIWIY+FkCkq/tPpjTpBz8nXSlvsSgzMT+SvcElMRLjjc9A91vhipaAgasOKgT3lZk
+ gM1A==;
+ dara=google.com
+ARC-Authentication-Results: i=1; gmr-mx.google.com;
+ dkim=pass header.i=@timruffing.de header.s=MBO0001 header.b="g6/vKnhW";
+ spf=pass (google.com: domain of crypto@timruffing.de designates 80.241.56.171 as permitted sender) smtp.mailfrom=crypto@timruffing.de;
+ dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=timruffing.de
+Received: from mout-p-201.mailbox.org (mout-p-201.mailbox.org. [80.241.56.171])
+ by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-43656b01759si806945e9.1.2024.12.19.02.56.45
+ for <bitcoindev@googlegroups.com>
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Thu, 19 Dec 2024 02:56:45 -0800 (PST)
+Received-SPF: pass (google.com: domain of crypto@timruffing.de designates 80.241.56.171 as permitted sender) client-ip=80.241.56.171;
+Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202])
+ (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+ key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
+ (No client certificate requested)
+ by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4YDSCt3sjtz9tBx;
+ Thu, 19 Dec 2024 11:56:42 +0100 (CET)
+Message-ID: <17fc9514030108a99c14b66f2e5ef2d28f970593.camel@timruffing.de>
+Subject: Re: [bitcoindev] BIP Draft: "ChillDKG: Distributed Key Generation for FROST"
+From: Tim Ruffing <crypto@timruffing.de>
+To: bitcoindev@googlegroups.com
+Cc: Jonas Nick <jonasdnick@gmail.com>
+Date: Thu, 19 Dec 2024 11:56:40 +0100
+In-Reply-To: <8768422323203aa3a8b280940abd776526fab12e.camel@timruffing.de>
+References: <8768422323203aa3a8b280940abd776526fab12e.camel@timruffing.de>
+Content-Type: text/plain; charset="UTF-8"
+Content-Transfer-Encoding: quoted-printable
+MIME-Version: 1.0
+X-Original-Sender: crypto@timruffing.de
+X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
+ header.i=@timruffing.de header.s=MBO0001 header.b="g6/vKnhW"; spf=pass
+ (google.com: domain of crypto@timruffing.de designates 80.241.56.171 as
+ permitted sender) smtp.mailfrom=crypto@timruffing.de; dmarc=pass
+ (p=NONE sp=NONE dis=NONE) header.from=timruffing.de
+Precedence: list
+Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
+List-ID: <bitcoindev.googlegroups.com>
+X-Google-Group-Id: 786775582512
+List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
+List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
+List-Archive: <https://groups.google.com/group/bitcoindev
+List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
+List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
+ <https://groups.google.com/group/bitcoindev/subscribe>
+X-Spam-Score: -0.8 (/)
+
+We made many changes, improvements, and cleanups to our BIP draft since
+our first announcement to this mailing list.=C2=A0From the Changelog:
+
+0.2.0 (2024-12-19): In addition to various readability improvements to
+specification and reference implementation, the following major changes
+were implemented:
+ * Fix security vulnerability where the CertEq signature did not cover
+ the entire message.=20
+ * Add blame functionality to identify faulty parties, including an
+ investigation phase.=20
+ * Make threshold public key Taproot-safe by default. =20
+ * Let each participant encrypt the secret share intended for
+ themselves so that it can be decrypted instead of re-derived during
+ recovery. The encryption is symmetric to avoid the overhead of an
+ ECDH computation.
+
+The current version of the full BIP draft can be found here:
+https://github.com/BlockstreamResearch/bip-frost-dkg
+
+We are still actively looking for feedback of any kind (here or in our
+GitHub repo). This includes feedback from potential users and
+applications (e.g., wallets). We'd be very interested to hear if our
+design decisions and the API fit potential applications, or what can be
+improved to make them fit more.
+
+Things still to do include:
+ * Specifying the wire format
+ * Adding test vectors
+
+We are in touch with siv2r, the author of a BIP draft for FROST signing
+( https://github.com/siv2r/bip-frost-signing ) to keep the proposals in
+sync and compatible with each other.
+
+As we want to open a PR to the BIPs repo soon, here's a specific issue
+that we'd like to hear the community's and in particular the BIP
+editors' opinion on:
+
+Our protocol specification is Python code. It relies on a package
+"secp256k1proto", which contains simple prototype operations of basic
+buildings block of the protocol that we assume given, e.g., an
+implementation of the secp256k1 elliptic curve and BIP340 signatures.
+While secp256k1proto is technically not part of the BIP, it will be
+necessary to run the reference implementation. We plan to extract this
+code into a proper package and make it available via the the Python
+Package Index (PyPI). However, we are unsure what this would for files
+associated to our BIP in the BIPs repo. These are the possibilities we
+considered:
+
+ 1. Keep a "git-subtree" of secp256k1proto along with the reference
+ implementation in the BIPs repo.
+ 2. The same as 1., but make it a "git submodule".
+ 3. Only refer to an external package secp256k1proto + version number
+ (or hash) in the reference implementation, possibly with
+ descriptions of what the imported functionality does (e.g., if
+ our reference implementation uses the "+" operator on EC points,
+ we'd write down that this is supposed to implement point
+ addition).=C2=A0
+
+Our current thinking is that option 1 is the best. It has the advantage
+that the BIPs repo will be fully self-contained and serves as a
+definitive archive.=C2=A0
+
+Option 2 is worse in terms of archival. git submodules are not
+guaranteed to be included in clones, and we'd need to host the
+submodule somewhere else. Moreover, git submodules can be a mess.=C2=A0
+
+Option 3 is possible and keeps the BIPs repo lean, but we believe that
+keeping the repo lean should not be a primary concern. Moreover, if we
+want to add human-readable descriptions of the functionality we use
+from secp256k1proto, the most natural and convenient way do this is via
+Python docstrings, but these will require shipping the actual code
+(option 1 or 2), since there is no pythonic way to specify just an
+interface without its implementations similar to, e.g., C header files.
+
+Best,
+Jonas and Tim
+
+On Mon, 2024-07-08 at 22:05 +0200, Tim Ruffing wrote:
+
+> > Jonas Nick and I have been working on a BIP draft for Distributed
+Key
+> > Generation for FROST Threshold Signatures, which we would like to
+> > propose to the community for discussion. The draft contains a
+> > description of the design considerations, detailed usage=20
+> > instructions,
+> > and a reference implementation in Python, which we intend to be the
+> > definitive specification. The document and the code currently live=20
+> > at:
+> >=20
+> >
+[https://github.com/BlockstreamResearch/bip-frost-dkg](https://github.com/B=
+lockstreamResearch/bip-frost-dkg)
+> >=20
+> > We're looking forward to feedback from the community.
+> >=20
+> > Things still to do include:
+> > =C2=A0* Specifying the wire format
+> > =C2=A0* Test vectors
+> > =C2=A0* Possibly any extensions currently mentioned as TODO in the draf=
+t
+> > =C2=A0=C2=A0 (e.g., identifiable aborts)
+> > =C2=A0* Extracting the included secp256k1proto as a proper Python
+package=C2=A0
+> >=20
+> > Of course, a BIP for FROST *signing* will also be required to make=20
+> > use
+> > of FROST, and we know that one is in the works.
+> >=20
+> > Best,
+> > Jonas and Tim
+> >
+
+
+--=20
+You received this message because you are subscribed to the Google Groups "=
+Bitcoin Development Mailing List" group.
+To unsubscribe from this group and stop receiving emails from it, send an e=
+mail to bitcoindev+unsubscribe@googlegroups.com.
+To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
+17fc9514030108a99c14b66f2e5ef2d28f970593.camel%40timruffing.de.
+
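Review bot: the added file stores the message with its transfer encoding intact (the headers declare `Content-Transfer-Encoding: quoted-printable`), so the `=C2=A0` and `=20` sequences and the trailing `=` soft line breaks in the body (for example `https://github.com/B=` continued as `lockstreamResearch/bip-frost-dkg`) are encoding artifacts, not the author's text; the same wrapping is what left `Key` and the `[https://...` line without their `> >` quote prefix. Anything that renders or indexes this archive should QP-decode the body first rather than treat these bytes as content.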
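The changelog entry above says the CertEq signature "did not cover the entire message". The page gives no details of what CertEq signs or which part was left out, so the following is an added, generic illustration of that class of bug and its fix, not ChillDKG code: a signer certifies a multi-field message, but the signature is computed over only some of the fields, so a relaying party can alter an uncovered field without invalidating it. A keyed HMAC-SHA256 stands in for the BIP340 signature, and the field names and sample values are constructed for the example.

```python
"""Added example (not from the ChillDKG BIP or its reference code).

Models a certificate/signature that covers only part of a message, shows why a
relay attacker can then modify the uncovered part, and shows the fix: sign the
complete, canonically serialized message. HMAC-SHA256 is a stand-in for a real
signature scheme; the message fields are hypothetical, not ChillDKG's.
"""
import hashlib
import hmac
import json

# Constructed sample message. Field names are hypothetical.
MESSAGE = {
    "session_id": "0a1b2c3d",
    "threshold_pubkey": "02" + "ab" * 32,
    "participant_pubkeys": ["02" + "01" * 32, "02" + "02" * 32, "02" + "03" * 32],
    "recovery_hint": "c3d4e5f6",
}

KEY = b"signer-key-for-demo"  # stands in for the signer's secret key


def _serialize(fields: dict) -> bytes:
    # Canonical, unambiguous encoding so the signed bytes are well defined.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_partial(key: bytes, msg: dict) -> bytes:
    """Vulnerable pattern: only two of the fields are bound by the signature."""
    covered = {k: msg[k] for k in ("session_id", "threshold_pubkey")}
    return hmac.new(key, _serialize(covered), hashlib.sha256).digest()


def verify_partial(key: bytes, msg: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign_partial(key, msg), sig)


def sign_full(key: bytes, msg: dict) -> bytes:
    """Fixed pattern: the signature covers every field of the message."""
    return hmac.new(key, _serialize(msg), hashlib.sha256).digest()


def verify_full(key: bytes, msg: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign_full(key, msg), sig)


def tamper(msg: dict) -> dict:
    """Relay attacker: replace a field the partial signature does not cover."""
    forged = dict(msg)
    forged["participant_pubkeys"] = ["02" + "ee" * 32] * 3  # attacker's keys
    return forged


def demo() -> dict:
    """Run both verifiers against an honest message and a tampered relay."""
    sig_partial = sign_partial(KEY, MESSAGE)
    sig_full = sign_full(KEY, MESSAGE)
    forged = tamper(MESSAGE)
    return {
        # The partial signature still verifies on the forged message.
        "partial_accepts_forgery": verify_partial(KEY, forged, sig_partial),
        # The full-message signature rejects it.
        "full_accepts_forgery": verify_full(KEY, forged, sig_full),
        # Sanity check: the honest message still verifies.
        "full_accepts_original": verify_full(KEY, MESSAGE, sig_full),
    }


if __name__ == "__main__":
    print(demo())
```

The check to carry over to any real protocol is the one `sign_full` makes explicit: the bytes passed to the signing primitive must be a canonical serialization of every field a recipient will act on, so that no field can be altered in transit without the signature failing.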