Insecure DKG protocol #5

Open
payvint opened this issue May 30, 2018 · 4 comments
Comments

payvint commented May 30, 2018

Do you implement the DKG protocol or the Joint-Feldman protocol?
I have read an article "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems" by Gennaro Rosario ...
https://link.springer.com/content/pdf/10.1007%2F3-540-48910-X_21.pdf
I have read your code and I think that you have implemented the Joint-Feldman protocol (figure 1 in the article above).
"An insecure solution for distributed generation of secret keys" - words about the Joint-Feldman protocol in this article.
I think that the DKG protocol (figure 2 in the article above) is more secure than Joint-Feldman.
"Secure distributed key generation in discrete–log based systems" - words about the DKG protocol in this article.

payvint changed the title from "DKG protocol" to "Insecure DKG protocol" on May 30, 2018

perfaram (Contributor) commented Jun 12, 2018

Not that I understand all the implications of this, but https://hal.inria.fr/hal-00983149v1/document states:

While very efficient (as only one round is needed in the absence of faulty players), this [the Joint-Feldman] protocol is known [41] not to guarantee the uniformity of the resulting public key. Indeed, even a static adversary can bias the distribution by corrupting only two players. Nonetheless, the adversary does not have much control on the distribution of the public key and Pedersen’s protocol can still be safely used in some applications, as noted by Gennaro et al. [42, 43]. For example, it was recently utilized by Cortier et al. [21] in the context of voting protocols.

The question is, do the "some applications" include whatever dfinity does with this DKG lib, or not?

For reference:

  • [41] and [43] reference the paper you linked to;
  • [42] is R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin. Secure applications of Pedersen's distributed key generation protocol. In CT-RSA '03, LNCS 2612, pp. 373–390, 2003.
  • [21] is V. Cortier, D. Galindo, S. Glondu, M. Izabachène. Distributed ElGamal à la Pedersen: Application to Helios. In WPES '13, pp. 131–142, 2013.

perfaram (Contributor) commented Jun 12, 2018

Note that there exists a Go implementation of Secure Distributed Key Generation for Discrete-Log Based Cryptosystems here: https://github.com/dedis/kyber/blob/master/share/dkg/rabin/dkg.go

@Daeinar seems to belong both to dfinity (owner of this repo) and to the DEDIS (owner of the repo I just linked to), so he may be well-suited to look into this if he has time, but he's likely already aware of the "issue", if there's actually one.

wanderer (Collaborator) commented:

@mahnushm could you take a look at this as well?

gorgos commented Aug 25, 2018

I just came across this issue here via Google. The mentioned problem is addressed in the Dfinity Whitepaper.

"It is known from [6] that the adversary can bias the distribution of public keys generated by the Joint-Feldman DKG. However, the bias generally does not weaken the hardness of the DLP for the produced public key ([6, § 5]). Therefore, with the simplicity of our protocol in mind, we use the original, unmodified Joint-Feldman DKG even though variations are available that avoid the bias."
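
As an added illustration (not code from this repository, from dfinity, or from the papers quoted above) of the bias that perfaram's quote and the whitepaper excerpt refer to: a toy Joint-Feldman run over a small constructed group (p = 2039, n = 5, t = 1 are assumptions for the demo) in which an adversary controlling two players decides, only after every player's C_{i,0} is public, whether one of them answers a complaint honestly or gets itself disqualified. The attacker=False run stands in for the Figure 2 DKG of Gennaro et al., where that key-dependent choice does not exist because the Feldman values stay hidden behind Pedersen commitments until QUAL is fixed.

```python
import random
# Toy group constructed for illustration only: p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup. A real DKG uses a cryptographic group.
P, Q, G = 2039, 1019, 4

def deal(t, n, rng):
    """One player's dealing: random degree-t polynomial f, Feldman commitments
    C_k = g^{a_k} (broadcast) and private shares s_j = f(j) for j = 1..n."""
    coeffs = [rng.randrange(Q) for _ in range(t + 1)]
    commits = [pow(G, a, P) for a in coeffs]
    shares = {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    return commits, shares

def share_ok(j, s, commits):
    """Feldman check that settles a complaint: g^s == prod_k C_k^(j^k)."""
    rhs = 1
    for k, c in enumerate(commits):
        rhs = rhs * pow(c, pow(j, k, Q), P) % P
    return pow(G, s, P) == rhs

def public_key(dealings, qual):
    """Joint-Feldman public key y = prod_{i in QUAL} C_{i,0}."""
    y = 1
    for i in qual:
        y = y * dealings[i][0][0] % P
    return y

def odd_key_rate(n=5, t=1, trials=3000, seed=7, attacker=True):
    """Fraction of runs whose y is odd (stand-in for any 1-bit preference).
    attacker=True: P_n and P_{n-1} are corrupt. P_n complains about P_{n-1};
    once every C_{i,0} is public the adversary has P_{n-1} answer with its
    real share or a bogus one, whichever leaves QUAL such that y is odd."""
    rng = random.Random(seed)
    odd = 0
    for _ in range(trials):
        dealings = [deal(t, n, rng) for _ in range(n)]  # index i is player i+1
        qual = list(range(n))
        if attacker:
            y_all = public_key(dealings, qual)
            y_drop = public_key(dealings, [i for i in qual if i != n - 2])
            drop = y_all % 2 == 0 and y_drop % 2 == 1
            # P_{n-1}'s public answer to the complaint: real share or forged one
            answer = dealings[n - 2][1][n] + (1 if drop else 0)
            if not share_ok(n, answer, dealings[n - 2][0]):
                qual.remove(n - 2)  # answer falsifies the check: disqualified
        odd += public_key(dealings, qual) % 2
    return odd / trials
```

With the adversary active roughly three runs in four end with the preferred parity instead of one in two, which is the distributional bias the papers discuss; the discrete log of y is no easier to find in either case, which is the point the whitepaper relies on.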
