DKG: Consider Golden one-round DKG #584

Description

@mratsim

https://eprint.iacr.org/2025/1924.pdf

Benedikt Bünz, Kevin Choi, and Chelsea Komlo

Abstract. In this work, we present Golden, a non-interactive Distributed
Key Generation (DKG) protocol. The core innovation of Golden is how
it achieves public verifiability in a lightweight manner, allowing all
participants to non-interactively verify that all other participants followed
the protocol correctly. For this reason, Golden can be performed with
only one round of (broadcast) communication. Non-interactive DKGs are
important for distributed applications; as parties may go offline at any
moment, reducing rounds of communication is a desirable feature.
Golden outputs Shamir secret shares of a field element sk ∈ Zp to all
participants, and a public key PK = g^{sk} that is a discrete-logarithm
commitment to sk. Further, the security of Golden requires only the
hardness of discrete-logarithm assumptions, and so can be used over any
elliptic curve where these assumptions hold.
Golden is more efficient than prior related schemes in both bandwidth and
computation. For 50 participants, Golden requires only 223 kb bandwidth
and 13.5 seconds of total runtime for each participant, in comparison to
ElGamal-based non-interactive DKG, which requires 27.8 MB bandwidth
and 40.5 seconds runtime per participant.
As a building block, we define a new exponent Verifiable Random Function
(eVRF). Our eVRF uses a non-interactive key exchange (NIKE) as a
building block to derive a Diffie-Hellman shared secret key, and proves
correctness of this key with respect to the corresponding Diffie-Hellman
public keys. Within Golden, participants use this eVRF in a pairwise
manner to generate a one-time pad to encrypt Shamir secret shares to
their respective recipients while ensuring public verifiability. As such,
Golden avoids the use of public-key encryption schemes such as ElGamal,
Paillier, or class groups, departing from prior schemes in the literature.
Finally, our eVRF may be of independent interest to settings where
publicly-verifiable encryption is desirable.

Figures using BLS12-381

[Image] [Image]
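
A simplified sketch of the data flow the abstract describes (an added example, not code from this issue, the paper, or the project): each participant broadcasts once, masking the Shamir shares it deals with one-time pads derived from pairwise Diffie-Hellman secrets, and the group key is the product of the dealers' constant-term commitments. The toy group, the SHA-256 pad derivation, and the recipient-only Feldman-style check are assumptions for illustration; the eVRF proofs that give Golden its public verifiability are omitted.

```python
import hashlib, math, secrets
# Toy Schnorr group (constructed, insecure size): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def pad(my_sk, their_pk, dealer, recipient):
    """Pad in Z_Q from the pair's Diffie-Hellman secret (SHA-256 KDF is an assumption)."""
    dh = pow(their_pk, my_sk, P)
    h = hashlib.sha256(f"{dh}|{dealer}|{recipient}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def deal(i, sk_i, pks, t):
    """Dealer i's single broadcast: coefficient commitments and padded Shamir shares."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    masked = {}
    for j, pk_j in pks.items():
        share = sum(c * pow(j, k, Q) for k, c in enumerate(coeffs)) % Q
        masked[j] = (share + pad(sk_i, pk_j, i, j)) % Q
    return [pow(G, c, P) for c in coeffs], masked

def receive(j, sk_j, pks, broadcasts):
    """Unmask each dealer's share for j, check it against the commitments, sum them."""
    total = 0
    for i, (commits, masked) in broadcasts.items():
        share = (masked[j] - pad(sk_j, pks[i], i, j)) % Q
        expected = 1
        for k, c in enumerate(commits):
            expected = expected * pow(c, pow(j, k, Q), P) % P
        if pow(G, share, P) != expected:  # Feldman-style check, recipient-only
            raise ValueError(f"share from dealer {i} does not match its commitments")
        total = (total + share) % Q
    return total

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from {index: share}."""
    sk = 0
    for j, s in shares.items():
        lam = 1
        for m in shares:
            if m != j:
                lam = lam * m * pow((m - j) % Q, -1, Q) % Q
        sk = (sk + s * lam) % Q
    return sk

def run_dkg(n=5, t=3):
    """One broadcast round; returns (group public key, {index: final share})."""
    sks = {i: secrets.randbelow(Q - 1) + 1 for i in range(1, n + 1)}
    pks = {i: pow(G, s, P) for i, s in sks.items()}
    broadcasts = {i: deal(i, sks[i], pks, t) for i in sks}
    pk = math.prod(commits[0] for commits, _ in broadcasts.values()) % P
    return pk, {j: receive(j, sks[j], pks, broadcasts) for j in sks}
```

Any `t` of the returned shares passed to `reconstruct` yield an `sk` with `pow(G, sk, P)` equal to the returned public key.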
