initial draft of docs #24
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ValarDragon
reviewed
Apr 11, 2021
docs/ferveo.tex.md
Outdated
|
|
||
| ### Curve | ||
|
|
||
| The curve used is BLS12-381. $\mathbb{G}_1$ denotes the prime order subgroup of order $r$ and $\mathbb{F}_r$ is the scalar field of BLS12-381 with prime order $r$. The pairing operation is $e(P,Q) : \mathbb{G}_1 \times \mathbb{G}_2$ \rightarrow \mathbb{G}_T$. The generator of $\mathbb{G}_1$ and $\mathbb{G}_2$ are denoted $G_1$ and $G_2$ respectively. |
There was a problem hiding this comment.
Out of curiousity, why not BLS12-377, that way theres future support for one layer of recursion should a need arise?
There was a problem hiding this comment.
There's some mild convenience in terms of the trusted setup already existing; though given the small size of the polynomials we use, there is no reason we can't actually just include an ongoing trusted setup in the DKG itself.
Are there any other pro/cons to switching the implementation right now? It doesn't seem like a big deal to switch either now or later (depending on if anyone has strong opinions)
There was a problem hiding this comment.
Its not at all a big deal to switch later
Updates TPKE doc
simonmasson
reviewed
Jul 1, 2021
book/src/preliminaries.md
Outdated
| @@ -0,0 +1,11 @@ | |||
| # Preliminaries | |||
|
|
|||
| Ferveo is intended to integrate into an existing framework such as Tendermint, and so the validator set is the natural participant set for Ferveo. Therefore, Ferveo assumes that all \\(n\\) validators have an associated Ed25519 public key identity and have staked some amount of token for the current epoch. Ferveo derives from the staking amounts an associated relative weight $\\(w_i\\). The total weight \\(\sum_i w_i = W\\) is a fixed parameter of the system, determined by a performance tradeoff (higher total weight allows more identities, higher resolution of weights, but larger computation and communication complexity). For performance reasons, $W$ is ideally a power of two. | |||
There was a problem hiding this comment.
Suggested change
| Ferveo is intended to integrate into an existing framework such as Tendermint, and so the validator set is the natural participant set for Ferveo. Therefore, Ferveo assumes that all \\(n\\) validators have an associated Ed25519 public key identity and have staked some amount of token for the current epoch. Ferveo derives from the staking amounts an associated relative weight $\\(w_i\\). The total weight \\(\sum_i w_i = W\\) is a fixed parameter of the system, determined by a performance tradeoff (higher total weight allows more identities, higher resolution of weights, but larger computation and communication complexity). For performance reasons, $W$ is ideally a power of two. | |
| Ferveo is intended to integrate into an existing framework such as Tendermint, and so the validator set is the natural participant set for Ferveo. Therefore, Ferveo assumes that all \\(n\\) validators have an associated Ed25519 public key identity and have staked some amount of token for the current epoch. Ferveo derives from the staking amounts an associated relative weight \\(w_i\\). The total weight \\(\sum_i w_i = W\\) is a fixed parameter of the system, determined by a performance tradeoff (higher total weight allows more identities, higher resolution of weights, but larger computation and communication complexity). For performance reasons, \\(W\\) is ideally a power of two. |
book/src/assumptions.md
Outdated
| Under the asynchronous model, node clocks are not synchronized and messages can be delayed for arbitrary periods of time. | ||
|
|
||
| In practice a weak synchrony assumption is needed to assure liveness. | ||
| Under weak synchrony, the time difference $delay(T)$ between the time a message was sent ($T$) and the time it is received doesn't grow indefinitely over time. |
There was a problem hiding this comment.
Suggested change
| Under weak synchrony, the time difference $delay(T)$ between the time a message was sent ($T$) and the time it is received doesn't grow indefinitely over time. | |
| Under weak synchrony, the time difference \\(delay(T)\\) between the time a message was sent (\\(T\\)) and the time it is received doesn't grow indefinitely over time. |
book/src/assumptions.md
Outdated
| Tendermint works under the partially synchronous model. | ||
| In this model, there exist a point in time (GST - Global Stabilization Time) after which messages are delivered within a specific time bound. | ||
| The GST and time bound are not known in advance. | ||
| Tendermint tolerates a $t$-limited Byzantine adversary, with resilience |
There was a problem hiding this comment.
Suggested change
| Tendermint tolerates a $t$-limited Byzantine adversary, with resilience | |
| Tendermint tolerates a \\(t\\)-limited Byzantine adversary, with resilience |
book/src/assumptions.md
Outdated
|
|
||
| #### Ferveo | ||
| Ferveo's model and resilience will be the most restrictive of the above: | ||
| $n \ge 3t+1$ under the partially synchronous mode. |
There was a problem hiding this comment.
Suggested change
| $n \ge 3t+1$ under the partially synchronous mode. | |
| \\(n \ge 3t+1\\) under the partially synchronous mode. |
book/src/assumptions.md
Outdated
| Ferveo's model and resilience will be the most restrictive of the above: | ||
| $n \ge 3t+1$ under the partially synchronous mode. | ||
|
|
||
| In addition, the assumption that $2W/3$ weight of validators are not malicious means that they honestly follow the protocol. This excludes honest-but-curious behavior, such as engaging in out-of-band collusion outside of the protocol, which will be addressed later. |
There was a problem hiding this comment.
Suggested change
| In addition, the assumption that $2W/3$ weight of validators are not malicious means that they honestly follow the protocol. This excludes honest-but-curious behavior, such as engaging in out-of-band collusion outside of the protocol, which will be addressed later. | |
| In addition, the assumption that \\(2W/3\\) weight of validators are not malicious means that they honestly follow the protocol. This excludes honest-but-curious behavior, such as engaging in out-of-band collusion outside of the protocol, which will be addressed later. |
book/src/fastkzg.md
Outdated
|
|
||
| The ideal scenario is that the fewest possible number of VSS instances are used, and everyone computationally prioritizes the same instances (so there are fewer VSS instances that consume computation time and are left unused) | ||
|
|
||
| Since we need at least dealer total weight $p+1$ of VSS instances to finish, the dealer identities can be sorted by their weight such that the $\ell$ highest weighted dealers sum to total weight at least $p+1$ and $\ell$ is minimized. |
There was a problem hiding this comment.
Suggested change
| Since we need at least dealer total weight $p+1$ of VSS instances to finish, the dealer identities can be sorted by their weight such that the $\ell$ highest weighted dealers sum to total weight at least $p+1$ and $\ell$ is minimized. | |
| Since we need at least dealer total weight \\(p+1\\) of VSS instances to finish, the dealer identities can be sorted by their weight such that the \\(\ell\\) highest weighted dealers sum to total weight at least \\(p+1\\) and \\(\ell\\) is minimized. |
book/src/fastkzg.md
Outdated
|
|
||
| Since we need at least dealer total weight $p+1$ of VSS instances to finish, the dealer identities can be sorted by their weight such that the $\ell$ highest weighted dealers sum to total weight at least $p+1$ and $\ell$ is minimized. | ||
|
|
||
| In the optimistic phase, if there are no faults that prevent these $\ell$ VSS instances from being finalized, and no disputes against those dealers, then these VSS instances are used in the DKG. This can be confirmed by $W-t-f$ weight signing a message indicating the optimistic phase succeeded along with the resulting public key. Since BLS signature aggregation can be used, this consumes $O(\log m)$ on-chain storage. |
There was a problem hiding this comment.
Suggested change
| In the optimistic phase, if there are no faults that prevent these $\ell$ VSS instances from being finalized, and no disputes against those dealers, then these VSS instances are used in the DKG. This can be confirmed by $W-t-f$ weight signing a message indicating the optimistic phase succeeded along with the resulting public key. Since BLS signature aggregation can be used, this consumes $O(\log m)$ on-chain storage. | |
| In the optimistic phase, if there are no faults that prevent these \\(\ell\\) VSS instances from being finalized, and no disputes against those dealers, then these VSS instances are used in the DKG. This can be confirmed by \\(W-t-f\\) weight signing a message indicating the optimistic phase succeeded along with the resulting public key. Since BLS signature aggregation can be used, this consumes \\(O(\log m)\\) on-chain storage. |
book/src/fastkzg.md
Outdated
|
|
||
| ### Pessimistic phase | ||
|
|
||
| Assume the optimistic phase does not succeed before a timeout period expires. Then the DKG enters the pessimistic phase where an arbitrary set of VSS instances of total weight at least $t$ can be used for DKG. The nodes should initiate additional VSS instances in order of decreasing weight of dealers to again minimize the total number of VSS instances that need to be dealt, and also to minimize the number of VSS instances a node spends computation to verify but remain unused. Every time a timeout period expires, more nodes should begin dealing VSS instances. |
There was a problem hiding this comment.
Suggested change
| Assume the optimistic phase does not succeed before a timeout period expires. Then the DKG enters the pessimistic phase where an arbitrary set of VSS instances of total weight at least $t$ can be used for DKG. The nodes should initiate additional VSS instances in order of decreasing weight of dealers to again minimize the total number of VSS instances that need to be dealt, and also to minimize the number of VSS instances a node spends computation to verify but remain unused. Every time a timeout period expires, more nodes should begin dealing VSS instances. | |
| Assume the optimistic phase does not succeed before a timeout period expires. Then the DKG enters the pessimistic phase where an arbitrary set of VSS instances of total weight at least \\(t\\) can be used for DKG. The nodes should initiate additional VSS instances in order of decreasing weight of dealers to again minimize the total number of VSS instances that need to be dealt, and also to minimize the number of VSS instances a node spends computation to verify but remain unused. Every time a timeout period expires, more nodes should begin dealing VSS instances. |
book/src/fastkzg.md
Outdated
|
|
||
| Assume the optimistic phase does not succeed before a timeout period expires. Then the DKG enters the pessimistic phase where an arbitrary set of VSS instances of total weight at least $t$ can be used for DKG. The nodes should initiate additional VSS instances in order of decreasing weight of dealers to again minimize the total number of VSS instances that need to be dealt, and also to minimize the number of VSS instances a node spends computation to verify but remain unused. Every time a timeout period expires, more nodes should begin dealing VSS instances. | ||
|
|
||
| In the pessimistic phase, as soon as $W-t-f$ weight of VSS instances finalize (as determined by ready signatures with no disputes and dealer finalization), then the first sufficient subset of finalized VSS instances is used for the DKG, as determined by the order that the finalization messages are posted. |
There was a problem hiding this comment.
Suggested change
| In the pessimistic phase, as soon as $W-t-f$ weight of VSS instances finalize (as determined by ready signatures with no disputes and dealer finalization), then the first sufficient subset of finalized VSS instances is used for the DKG, as determined by the order that the finalization messages are posted. | |
| In the pessimistic phase, as soon as \\(W-t-f\\) weight of VSS instances finalize (as determined by ready signatures with no disputes and dealer finalization), then the first sufficient subset of finalized VSS instances is used for the DKG, as determined by the order that the finalization messages are posted. |
book/src/fastkzg.md
Outdated
|
|
||
| ### Debiasing the final key | ||
|
|
||
| The approach of Neji et al can be used to debias the final key. The public key $[s] H_1$ is the sum of all finalization values $[S(0)] H_1$ for all successful VSS instances, and the shared secret key is sharewise sum of all VSS shares. |
There was a problem hiding this comment.
Suggested change
| The approach of Neji et al can be used to debias the final key. The public key $[s] H_1$ is the sum of all finalization values $[S(0)] H_1$ for all successful VSS instances, and the shared secret key is sharewise sum of all VSS shares. | |
| The approach of Neji et al can be used to debias the final key. The public key \\([s] H_1\\) is the sum of all finalization values \\([S(0)] H_1\\) for all successful VSS instances, and the shared secret key is sharewise sum of all VSS shares. |
ggkitsas
suggested changes
Jul 1, 2021
|
|
||
| ## Fast subgroup checks | ||
|
|
||
| All subgroup checks of membership in the subgroup \\(\mathbb{G}_1\\) and \\(\mathbb{G}_2\\) are performed as described in https://eprint.iacr.org/2019/814.pdf for performance reasons. |
There was a problem hiding this comment.
Suggested change
| All subgroup checks of membership in the subgroup \\(\mathbb{G}_1\\) and \\(\mathbb{G}_2\\) are performed as described in https://eprint.iacr.org/2019/814.pdf for performance reasons. | |
| All subgroup checks of membership in the subgroup \\(\mathbb{G}_1\\) and \\(\mathbb{G}_2\\) are performed as described in [here](https://eprint.iacr.org/2019/814.pdf) for performance reasons. |
| All subgroup checks of membership in the subgroup \\(\mathbb{G}_1\\) and \\(\mathbb{G}_2\\) are performed as described in https://eprint.iacr.org/2019/814.pdf for performance reasons. | ||
| ## Hashing | ||
|
|
||
| Let \\(\operatorname{H}_{\mathbb{G}}: \{0,1\}^* \rightarrow \mathbb{G}\\) be the hash to curve function into the group \\(\mathbb{G}\\) as specified in RFC https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/ |
There was a problem hiding this comment.
Suggested change
| Let \\(\operatorname{H}_{\mathbb{G}}: \{0,1\}^* \rightarrow \mathbb{G}\\) be the hash to curve function into the group \\(\mathbb{G}\\) as specified in RFC https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/ | |
| Let \\(\operatorname{H}_{\mathbb{G}}: \{0,1\}^* \rightarrow \mathbb{G}\\) be the hash to curve function into the group \\(\mathbb{G}\\) as specified in [this RFC](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/) |
| \\[C = \operatorname{encrypt}(k, M)\\] | ||
| \\[M = \operatorname{decrypt}(k, C)\\] | ||
|
|
||
| Symmetric key encryption and decryption are provided by the ChaCha20Poly1305 (RFC8439) cipher, implemented as the chacha20poly1305 crate. |
There was a problem hiding this comment.
Suggested change
| Symmetric key encryption and decryption are provided by the ChaCha20Poly1305 (RFC8439) cipher, implemented as the chacha20poly1305 crate. | |
| Symmetric key encryption and decryption are provided by the ChaCha20Poly1305 ([RFC8439](https://datatracker.ietf.org/doc/html/rfc8439) cipher, implemented as the chacha20poly1305 crate. |
book/src/tpke.md
Outdated
| 4. Let \\(W = [r] H_{\mathbb{G}_2} (U || V)\\) | ||
| 5. Let \\(k = HKDF\\) | ||
|
|
||
| The public key portion of the ciphertext is \\(U,W)\\) and the derived shared secret is \\(s\\). |
There was a problem hiding this comment.
Suggested change
| The public key portion of the ciphertext is \\(U,W)\\) and the derived shared secret is \\(s\\). | |
| The public key portion of the ciphertext is \\((U,W)\\) and the derived shared secret is \\(s\\). The ciphertext is \\(V\\). |
book/src/tpke.md
Outdated
Comment on lines
11
to
15
| 1. Let \\(r\\) be a random scalar | ||
| 2. Let \\(s = e([r] Y, H)\\) | ||
| 3. Let \\(U = [r] G\\) | ||
| 4. Let \\(W = [r] H_{\mathbb{G}_2} (U || V)\\) | ||
| 5. Let \\(k = HKDF\\) |
There was a problem hiding this comment.
Suggested change
| 1. Let \\(r\\) be a random scalar | |
| 2. Let \\(s = e([r] Y, H)\\) | |
| 3. Let \\(U = [r] G\\) | |
| 4. Let \\(W = [r] H_{\mathbb{G}_2} (U || V)\\) | |
| 5. Let \\(k = HKDF\\) | |
| 1. Let \\(m\\) be the plaintext | |
| 2. Let \\(r\\) be a random scalar | |
| 3. Let \\(s = e([r] Y, H)\\) | |
| 4. Let \\(U = [r] G\\) | |
| 5. Let \\(k = \\(\operatorname{H}_{\ell}(s)\\) | |
| 6. Let \\(V = encrypt(k, m)\\) | |
| 7. Let \\(W = [r] H_{\mathbb{G}_2} (U || V)\\) |
Comment on lines
+25
to
+26
| 1. Check ciphertext validity. | ||
| 2. Let \\(s = e(U, Z)\\) |
There was a problem hiding this comment.
Suggested change
| 1. Check ciphertext validity. | |
| 2. Let \\(s = e(U, Z)\\) | |
| 1. Check ciphertext validity. | |
| 2. Let \\(s = e(U, Z)\\) | |
| 3. Let \\(k = \\(\operatorname{H}_{\ell}(s)\\) | |
| 4. Plaintext is \\(m = decrypt(k, V)\\) |
| @@ -0,0 +1,3 @@ | |||
| # Side Channel Analysis | |||
|
|
|||
| As Ferveo is an online protocol that depends on complex cryptographic primitives, this section will include an analysis of potential side channels where private dta and keys may be leaked. | |||
There was a problem hiding this comment.
Suggested change
| As Ferveo is an online protocol that depends on complex cryptographic primitives, this section will include an analysis of potential side channels where private dta and keys may be leaked. | |
| As Ferveo is an online protocol that depends on complex cryptographic primitives, this section will include an analysis of potential side channels where private data and keys may be leaked. |
|
TSS desciption added ⬆️ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.