-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Instantiate public key crypto primitives #11
Comments
Actually, it is worth discussing whether the VSS/DKG participant public keys should be a different signature scheme instead of BLS, as there probably are not enough participants to justify aggregation. Probably the best approach is to use the same scheme as the ledger, although the keys should be generated separately for use in the DKG. |
Current plan is to also allow BLS12-377 because of future potential for snark composition (likely negligible additional work over BLS12-381; probably a compile-time switch) DKG message signatures will probably be Ed25519 because performance will be much better than BLS signatures for small validator sets (less likely that BLS signature aggregation will offset the pairing cost; please prove me wrong if this is not the case) Key exchange will probably be over BLS12-{377,381} to minimize code duplication; while I had hoped to use x25519 key exchange to leverage existing crates, it is simpler to depend on one curve/dependency and reimplement the DH step. |
Actually, this is not as clear now. It seems possible to implement the BZ03 threshold encryption scheme with Schnorr signatures instead of BLS signatures (basically,
A cash pasta curve also potentially allows recursion/composition, instead of composition with bls12-377. The loss of KZG commitments is a downside as well but the increased performance of a pasta curve may make up for it. |
We have a fairly clear direction now on the threshold encryption scheme and curve selection, with some performance tweaks still needed. However the basic scheme is described and instantiated on BLS12-381, with no major changes anticipated. |
Unlike #10 there is really only one choice for public key primitives, BLS12-381 curve with the described key agreement/encryption/signature schemes. This is mostly dictated by the small number of acceptable choices and also desire to reuse existing trusted setups.
Nevertheless, alternatives should be discussed and choices finalized, and then implementations of primitives written and/or imported from existing crates.
The text was updated successfully, but these errors were encountered: