diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md index ee5181af..4727acee 100644 --- a/book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -8,6 +8,7 @@ - [Initialization](./dkginit.md) - [Publicly Verifiable Secret Sharing](./pvss.md) - [Threshold Encryption Scheme](./tpke.md) + - [Threshold Decryption Variants](./variants.md) # Appendix diff --git a/book/src/variants.md b/book/src/variants.md new file mode 100644 index 00000000..9d4a16e7 --- /dev/null +++ b/book/src/variants.md @@ -0,0 +1,43 @@ +# Threshold Decryption (Variants) + +Threshold decryption can be performed using one of two optional cryptographic strategies a.k.a *variants*: +- Simple +- Precomputed + +The chosen variant dictates the decryption shares returned by nodes and how they should be combined. Either variant can be used +for decryption, and each has its advantages and disadvantages. + + +## Simple + +When decrypting using the *Simple* variant, any arbitrary m-of-n set of nodes (where `m` is the threshold) will each return a simple decryption share, and any +`m` set of decryption shares can be combined to successfully decrypt the encrypted data. Any combination of the `m` simple decryption shares from the `n` nodes. +can be used to obtain the decrypted data. + +This is the case where you can concurrently contact `n` nodes and simply wait until any `m` responds with decryption shares. + +### Advantages +- Any (arbitrary) `m` shares out of `n` can be requested and obtained +- Any singular unresponsive node does not prevent the ability to combine returned `simple` decryption shares +- Only one request round is needed if done concurrently i.e. send `n` request, and wait for `m` replies. + +### Disadvantages +- Since the `m` nodes are arbitrary, combining the decryption shares requires the requester to do a more computationally intensive operation when combining returned decryption fragments. + + +## Precomputed + +When decrypting using the *Precomputed* variant, you will first choose a specific sub-set of `m` nodes from `n` arbitrary m-of-n set of nodes (where `m` is the threshold), +and those specific `m` nodes need to reply with precomputed decryption shares. If any of those `m` nodes do not respond, you will need logic to choose another group of `m` nodes (without any node +that didn't respond). Alternatively, you can switch to using `simple` if the first round of `precomputed` fails. + + +### Advantages +In the happy path: +- faster operation since the requester only contacts `m` nodes (no need for the other (`n`-`m`)), and `m` nodes respond +- since the list of `m` nodes is known, the operation to combine the `m` precomputed decryption shares is less computationally intensive than `simple`, which can work well for a lightweight requester. + + +### Disadvantages +- If the happy case, doesn't happen it ends up being an overall slower operation than `simple`. +- Availability issue - `precomputed` requires failover logic if any of the specific `m` nodes is unresponsive.