Security
MPC Cryptography
Assumptions:
- Here we assume authenticated/private channels for the implementation of the protocols: point-to-point messages cannot be read or manipulated, and broadcast messages cannot be manipulated
- No more than t-1 nodes collude
Protocols:
- KeyGen Security: During key generation the protocol guarantees:
  - From the individual key shares of each party you cannot get the single private signing key sk
  - As long as no more than t-1 parties collude you cannot get the single private signing key sk
- Sign Security: During a signature performed by t parties the protocol guarantees:
  - From the exchanged transcripts you cannot forge a signature
  - From the exchanged transcripts you cannot extract the single private signing key sk
- KeyRefresh Security: Inherits the security guarantees of KeyGen. Used for proactive security of secret shares and for migration policies.
- Presig: Inherits the security guarantees of KeyGen for presig generation and of Sign for signature generation with presigs
- Export: The export caller obtains the single private signing key in one centralized place
- Import: The import protocol guarantees:
  - As long as the initiator of the import deletes the single private signing key sk, the protocol inherits the security guarantees of KeyGen
Network Security
Assumptions: The correct long-term public key of each node is hardcoded and known to the other nodes through out-of-band channels.
To guarantee the authenticated/private channel assumptions from the previous section, the dkls23-core library can be shipped with a network stack which guarantees:
- end-to-end confidentiality
- end-to-end authentication
Instantiation:
- X25519 ECDH key exchange
- Pairwise ChaCha20-Poly1305 keys
- Different nonces per network direction: one for sending, one for receiving
Risks
- In 2/3 deployments, any stakeholder holding two key shares through two different nodes deployed under their control can reconstruct the entire key
- Nodes are lazy: KeyRefresh requests are not authenticated by the library itself
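The 2/3 risk above, as an added illustration that is not part of the dkls23-core code: a Shamir-style t-of-n sharing over the secp256k1 scalar field shows why two shares under one stakeholder's control suffice when t=2, and why a deployment that raises t (assumption: it can afford the extra signers) removes single-operator reconstruction. DKLs23 uses its own sharing and key material; this toy models only the threshold arithmetic, and the node indices it uses are constructed.

```python
import secrets

# secp256k1 group order: ECDSA signing keys and their shares live in Z_N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret, t, n, rng=secrets.randbelow):
    """Shamir split: random degree t-1 polynomial f with f(0)=secret,
    share of node i is (i, f(i)) for i = 1..n."""
    coeffs = [secret % N] + [rng(N) for _ in range(t - 1)]

    def f(x):  # Horner evaluation modulo N
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % N
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0 over Z_N. Only correct when at least
    t distinct shares are supplied; with fewer it returns an unrelated value."""
    secret = 0
    for i, yi in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % N
                den = den * (i - j) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def operator_recovers_key(sk, t, n, held):
    """Model a stakeholder who controls the nodes in `held` (constructed
    indices) and tries to reconstruct sk from those shares alone."""
    shares = split(sk, t, n)
    mine = [s for s in shares if s[0] in held]
    return reconstruct(mine) == sk % N


if __name__ == "__main__":
    sk = secrets.randbelow(N)
    # 2-of-3: two nodes under one operator are enough to rebuild sk
    print("2/3, operator holds nodes 1 and 3:", operator_recovers_key(sk, 2, 3, {1, 3}))
    # 3-of-3: the same two nodes learn nothing useful
    print("3/3, operator holds nodes 1 and 3:", operator_recovers_key(sk, 3, 3, {1, 3}))
```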