Distributed Key Generation

This package implements Distributed Key Generation (DKG). It builds on the 2-round Pedersen DKG and extends it with zero-knowledge proofs to protect against rogue-key attacks, as defined in FROST.

This effectively generates keys among participants without the need for a trusted dealer or third party. These keys are compatible with FROST.

References

Usage

Assumptions

  • All parties are identified with unique IDs.
  • Participants communicate over confidential, authenticated, and secure channels.
  • All participants honestly follow the protocol (they can nevertheless identify a misbehaving participant).

Setup

Use the same ciphersuite for the DKG and FROST.

Error handling

If a misbehaving participant is identified, abort the protocol immediately. If this happens, there might be a serious problem that must be investigated. The protocol may be re-run after excluding that participant and solving the problem.

Protocol

The following steps describe how to run the DKG among participants. For each participant:

  1. Run Init()
    • this returns a round 1 package
    • send/broadcast this package to every participant (this might include the very same participant, in which case it should discard it)
  2. Collect all the r1 packages from other participants
  3. Run Continue() with the collection of r1 packages
    • this returns round 2 packages, one destined for each other participant
    • send each package to its destined participant
  4. Collect all round 2 packages destined to the participant
  5. Run Finalize() with the collected round 1 and round 2 packages
    • returns the participant's own secret signing share, the corresponding verification share, and the group's public key
  6. Erase all intermediary values received and computed by the participants (including in their states)
  7. Optionally, compute the verification keys for each other participant and store them
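
The following added example (not this package's code or API) works through the arithmetic behind steps 1 to 5 in Python, following the FROST key generation the package builds on: round 1 commitments with a Schnorr proof of knowledge, round 2 share distribution, and a finalization that names the sender of a bad proof or share. The function names init, cont and finalize, the toy group parameters, and the caller-supplied coefficients and nonces are assumptions made for illustration; each function is given the round 1 packages of all participants, its own included.

```python
import hashlib

# Toy Schnorr group for illustration only (NOT secure): P = 2Q + 1, G has order Q.
# Coefficients and nonces are passed in for reproducibility; real code draws them from a CSPRNG.
P, Q, G = 2039, 1019, 4

def challenge(ident, c0, r):
    """Fiat-Shamir challenge binding the proof to the prover's ID and commitment."""
    digest = hashlib.sha256(f"{ident}|{c0}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def init(ident, coeffs, nonce):
    """Round 1: commit to every polynomial coefficient and prove knowledge of coeffs[0]."""
    commits = [pow(G, a, P) for a in coeffs]
    r = pow(G, nonce, P)
    mu = (nonce + coeffs[0] * challenge(ident, commits[0], r)) % Q
    return {"id": ident, "commits": commits, "proof": (r, mu)}

def check_proof(pkg):
    """Schnorr verification: G^mu == R * C0^c. A rogue key has no valid proof."""
    (r, mu), c0 = pkg["proof"], pkg["commits"][0]
    return pow(G, mu, P) == r * pow(c0, challenge(pkg["id"], c0, r), P) % P

def cont(ident, coeffs, r1):
    """Round 2: reject bad proofs, then evaluate the own polynomial at each peer's ID."""
    for pkg in r1:
        if pkg["id"] != ident and not check_proof(pkg):
            raise ValueError(f"invalid proof from participant {pkg['id']}")
    return {p["id"]: sum(a * p["id"] ** k for k, a in enumerate(coeffs)) % Q
            for p in r1 if p["id"] != ident}

def check_share(ident, share, commits):
    """Share check against round 1 commitments: G^share == prod C_k^(id^k)."""
    rhs = 1
    for k, c in enumerate(commits):
        rhs = rhs * pow(c, ident ** k, P) % P
    return pow(G, share, P) == rhs

def finalize(ident, coeffs, r1, r2):
    """Verify received shares; return (signing share, verification share, group key)."""
    sk = sum(a * ident ** k for k, a in enumerate(coeffs)) % Q  # own polynomial at own ID
    pk = 1
    for pkg in r1:
        pk = pk * pkg["commits"][0] % P
        if pkg["id"] != ident:
            if not check_share(ident, r2[pkg["id"]], pkg["commits"]):
                raise ValueError(f"invalid share from participant {pkg['id']}")
            sk = (sk + r2[pkg["id"]]) % Q
    return sk, pow(G, sk, P), pk
```

The ValueError raised by cont or finalize carries the ID of the participant whose package failed verification, which is the point at which the protocol is aborted as described under Error handling.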

Possible extensions