Threshold Encryption

Decentralized Key Generation (DKG)

The DKG mechanism in Neo X enables a fully decentralized key generation process among consensus members. Before each epoch change, the upcoming consensus group must successfully complete a DKG round to establish a new threshold public-private key pair. This process ensures that no single participant controls the decryption or signing capabilities.

DKG Process

Each DKG round consists of three key steps:

  1. Share – The next consensus group generates nn distributed secret shares and a global public key, where nn is the number of Neo X consensus nodes.

  2. Reshare – The current consensus group (if available) transfers the previous round’s secret to the next group.

  3. Recover (Optional) – If up to ff secret shares are lost, the remaining 2f+12f+1 shares reconstruct the secret to complete the transition.

Starting from v0.3.0, the DKG module automates the entire process, except for setting up the initial Anti-MEV keystore with a secret passphrase.

Share Phase

Each participant executes the following steps:

  1. Take a random polynomial f(x)=a0+a1x+a2x2++at1xt1f(x) = a_0 + a_1x + a_2x^2 + \dots + a_{t-1}x^{t-1} as their local secret, where t=2f+1t = 2f+1 (the threshold for consensus).

  2. Compute f1,f2,...,fnf_1,f_2,...,f_n where fi=f(i)f_i=f(i) and share them with corresponding participants, where ii is the index of different participants of Share.

  3. Accept all fif_i from other participants as f1(i),f2(i),...,fn(i)f_1(i),f_2(i),...,f_n(i), where ii is the index of receiver, and compute si=fis_i=\sum f_i to get the final secret key.

Generating the Global Public Key

The global public key is generated using Publicly Verifiable Secret Sharing (PVSS):

  1. Each participant uploads F(x)=f(x)G1F(x)=f(x)G_1 within his PVSS to the KeyManagement contract.

  2. The contract verifies each PVSS and computes S=i=1nFi(0)S=\sum_{i=1}^n F_i(0) as the global public key.

A well-constructed PVSS includes:

  • F(x)=f(x)G1F(x)=f(x)G_1 as the sender’s local secret commitment.

  • rG1,rG2rG_1,rG_2 as a pair of commitments for a random scalar rr.

  • F=(F(1),F(2),...,F(n))F=(F(1),F(2),...,F(n)) as the commitment share messages.

The KeyManagement contract validates F(1),F(2),...,F(n)F(1),F(2),...,F(n), and verifies scalar rr. Recipients validate their received shares using e(r1f(i),g2)=e(F(i),r2)e(r_1f(i),g_2)=e(F(i),r_2).

Future Enhancement: Zero-Knowledge Proofs (ZKPs) will be integrated to enhance encryption verification.

Reshare Phase

Each participant executes the following steps:

  1. Regenerate his local secret f(x)=a0+a1x+a2x2++at1xt1f'(x)=a_0+a'_1 x+a'_2 x^2+ \dots +a'_{t-1}x^{t-1} while preserving the constant term a0a_0.

  2. Follow the step 2 and 3 in the Share phase, but send the shares to the next consensus group.

The KeyManagement contract ensures F(0)=F(0)F(0)=F'(0), preserving the global public key unchanged and preventing leakage of the original secret shares.

Recover Phase (Optional)

If some secret shares are lost, the remaining consensus members help restore them:

  1. The current consensus group forwards all received shares fif_i from the lost index ii to its successor.

  2. The recipient reconstructs the original local secrets using Lagrange interpolation.

Security Note: Recover exposes at most ff of the original secrets, so it is only allowed when the index ii is confirmed absent from Reshare.

Threshold Public Key Encryption (TPKE)

Neo X's DKG enables a Threshold Public Key Encryption (TPKE) scheme, ensuring that encrypted transactions can only be decrypted if at least 2f+12f+1 consensus nodes cooperate. This mechanism is crucial for preventing premature exposure of transaction details.

Neo X TPKE utilizes the BLS12-381 curve, encoding any secret to G1G_1 for encryption and any message to G2G_2 for signature generation.

Encryption

For a given secret message msgmsg, the encryption process follows these steps:

  1. A random point G1G_1 point PP is chosen as a seed to generate an AES key. The encrypted ciphertext is computed as C1=AES(Hash(P),msg)C_1=AES(Hash(P), msg).

  2. To ensure security, a random scalar rr is selected to encrypt PP as C2=P+rSC_2=P+rS

    where:

    • rr is a random scalar,

    • SS is the global public key.

  3. The final encrypted message CC, which is broadcasted across the network, consists of C=(C1,C2)C=(C_1,C_2).

Decryption

To recover the original msgmsg, the Neo X consensus network must decrypt C1C_1 to recover PP. The decryption process follows:

  1. Each CN computes and shares siRs_iR, where:

    • RR is the commitment of the random scalar rr,

    • sis_i is the local secret key.

  2. Since validator indices (DKG indices) are publicly known within Neo X Governance, these shares can be aggregated and solved using a Vandermonde matrix.

  3. Once the seed PP is recovered, the original message msgmsg can be decrypted using AES.

Signature

For a given message msgmsg, Neo X generates a signature through the following process:

  1. The message is encoded to G2G_2 as Q=HashToG2(msg)Q=HashToG2(msg)

  2. A signature share is computed as siHs_iH where sis_i is the local secret key.

  3. After collecting enough broadcasted shares, CNs aggregate and get the final signature with Vandermonde matrix in the same way as TPKE decryption.

Last updated