Message-ID: <17fc9514030108a99c14b66f2e5ef2d28f970593.camel@timruffing.de>
Subject: Re: [bitcoindev] BIP Draft: "ChillDKG: Distributed Key Generation for FROST"
From: Tim Ruffing <crypto@timruffing.de>
To: bitcoindev@googlegroups.com
Cc: Jonas Nick <jonasdnick@gmail.com>
Date: Thu, 19 Dec 2024 11:56:40 +0100
In-Reply-To: <8768422323203aa3a8b280940abd776526fab12e.camel@timruffing.de>
References: <8768422323203aa3a8b280940abd776526fab12e.camel@timruffing.de>

We made many changes, improvements, and cleanups to our BIP draft since
our first announcement to this mailing list. From the Changelog:

0.2.0 (2024-12-19): In addition to various readability improvements to
specification and reference implementation, the following major changes
were implemented:
 * Fix security vulnerability where the CertEq signature did not cover
   the entire message.
 * Add blame functionality to identify faulty parties, including an
   investigation phase.
 * Make threshold public key Taproot-safe by default.
 * Let each participant encrypt the secret share intended for
   themselves so that it can be decrypted instead of re-derived during
   recovery. The encryption is symmetric to avoid the overhead of an
   ECDH computation.

The current version of the full BIP draft can be found here:
https://github.com/BlockstreamResearch/bip-frost-dkg

We are still actively looking for feedback of any kind (here or in our
GitHub repo). This includes feedback from potential users and
applications (e.g., wallets). We'd be very interested to hear if our
design decisions and the API fit potential applications, or what can be
improved to make them fit more.

Things still to do include:
 * Specifying the wire format
 * Adding test vectors

We are in touch with siv2r, the author of a BIP draft for FROST signing
( https://github.com/siv2r/bip-frost-signing ) to keep the proposals in
sync and compatible with each other.

As we want to open a PR to the BIPs repo soon, here's a specific issue
that we'd like to hear the community's and in particular the BIP
editors' opinion on:

Our protocol specification is Python code. It relies on a package
"secp256k1proto", which contains simple prototype operations of basic
building blocks of the protocol that we assume given, e.g., an
implementation of the secp256k1 elliptic curve and BIP340 signatures.
While secp256k1proto is technically not part of the BIP, it will be
necessary to run the reference implementation. We plan to extract this
code into a proper package and make it available via the Python
Package Index (PyPI). However, we are unsure what this would mean for
files associated to our BIP in the BIPs repo. These are the
possibilities we considered:

   1. Keep a "git-subtree" of secp256k1proto along with the reference
      implementation in the BIPs repo.
   2. The same as 1., but make it a "git submodule".
   3. Only refer to an external package secp256k1proto + version number
      (or hash) in the reference implementation, possibly with
      descriptions of what the imported functionality does (e.g., if
      our reference implementation uses the "+" operator on EC points,
      we'd write down that this is supposed to implement point
      addition).

Our current thinking is that option 1 is the best. It has the advantage
that the BIPs repo will be fully self-contained and serves as a
definitive archive.

Option 2 is worse in terms of archival. git submodules are not
guaranteed to be included in clones, and we'd need to host the
submodule somewhere else. Moreover, git submodules can be a mess.

Option 3 is possible and keeps the BIPs repo lean, but we believe that
keeping the repo lean should not be a primary concern. Moreover, if we
want to add human-readable descriptions of the functionality we use
from secp256k1proto, the most natural and convenient way to do this is
via Python docstrings, but these will require shipping the actual code
(option 1 or 2), since there is no pythonic way to specify just an
interface without its implementations similar to, e.g., C header files.

Best,
Jonas and Tim

On Mon, 2024-07-08 at 22:05 +0200, Tim Ruffing wrote:

> > Jonas Nick and I have been working on a BIP draft for Distributed Key
> > Generation for FROST Threshold Signatures, which we would like to
> > propose to the community for discussion. The draft contains a
> > description of the design considerations, detailed usage instructions,
> > and a reference implementation in Python, which we intend to be the
> > definitive specification. The document and the code currently live at:
> >
> > https://github.com/BlockstreamResearch/bip-frost-dkg
> >
> > We're looking forward to feedback from the community.
> >
> > Things still to do include:
> >  * Specifying the wire format
> >  * Test vectors
> >  * Possibly any extensions currently mentioned as TODO in the draft
> >    (e.g., identifiable aborts)
> >  * Extracting the included secp256k1proto as a proper Python package
> >
> > Of course, a BIP for FROST *signing* will also be required to make use
> > of FROST, and we know that one is in the works.
> >
> > Best,
> > Jonas and Tim
