Hierarchical Threshold Signature Scheme in EdDSA
Introduction:
One of references of HTSS is
- A Hierarchical Threshold Signature
- Introduction to Hierarchical Threshold Signature(revised version)
- Example.
Table of Contents:
Implementations:
After the project is cloned, we need to run below commands to initialize/update the sub-modules:
$ make init
If you need to rebuild protobuf, please run below command to install tools and build protobuf.
# Install tools
$ make tools
# Build protobuf
$ make protobuf
Like the classical TSS, HTSS also contains three protocols:
- DKG: Distributed key generation for creating secret shares without any dealer.
- Signer: Signing for using the secret shares to generate a signature.
- Reshare: Refresh the secret share without changing the public key.
Remark:
- Comparing to TSS, each share in HTSS is generated by DKG having difference levels (or called rank). The level 0 is the highest.
- If all levels of shares are zero, then HTSS reduces to the classical TSS. (i.e. In this case, Birkhoff interpolation reduces to Lagrange Interpolation).
- After perform the progress of DKG, each participant will get (x-coordinate, share, rank). Assume that the threshold is 3. Therefore, any three shares (x-coordinate, rank): (x1, n1), (x2, n2), (x3, n3) with n1 <= n2 <= n3 can recover the secret or sign if and only if
n_i <= i-1 for all 1 <= i <= 3. In general, assuming the threshold is t, any t shares (xi,ni) with ni <= nj for all i < j can recover the secret or sign if and only if n_i <= i-1 for all 1 <= i <= t.
Example:
Let threshold = 3, and participants = 4. Assume that the corresponding rank of each shareholder are 0, 1, 1, 2. Then authorized sets in this setting are
- 0, 1, 1
- 0, 1, 2
- 0, 1, 1, 2
The other combinations of shares can not recover the secret (e.g. 1, 1, 2).
DKG:
Use the same DKG in Fast Multiparty Threshold ECDSA with Fast Trustless Setup.
Signer:
Our implementation is FROST: Flexible Round-Optimized Schnorr Threshold Signatures.
EXAMPLE:
In progress...
References:
- FROST: Flexible Round-Optimized Schnorr Threshold Signatures
- Hierarchical Threshold Secret Sharing
- Dynamic and Verifiable Hierarchical Secret Sharing