Threshold Encryption
Decentralized Key Generation (DKG)
The DKG mechanism in Neo X enables a fully decentralized key generation process among consensus members. Before each epoch change, the upcoming consensus group must successfully complete a DKG round to establish a new threshold public-private key pair. This process ensures that no single participant controls the decryption or signing capabilities.
DKG Process
Each DKG round consists of three key steps:
Share – The next consensus group generates distributed secret shares and a global public key, where is the number of Neo X consensus nodes.
Reshare – The current consensus group (if available) transfers the previous round’s secret to the next group.
Recover (Optional) – If up to secret shares are lost, the remaining shares reconstruct the secret to complete the transition.
Starting from v0.3.0, the DKG module automates the entire process, except for setting up the initial Anti-MEV keystore with a secret passphrase.
Share Phase
Each participant executes the following steps:
Take a random polynomial as their local secret, where (the threshold for consensus).
Compute where and share them with corresponding participants, where is the index of different participants of
Share
.Accept all from other participants as , where is the index of receiver, and compute to get the final secret key.
Generating the Global Public Key
The global public key is generated using Publicly Verifiable Secret Sharing (PVSS):
Each participant uploads within his PVSS to the KeyManagement contract.
The contract verifies each PVSS and computes as the global public key.
A well-constructed PVSS includes:
as the sender’s local secret commitment.
as a pair of commitments for a random scalar .
as the commitment share messages.
The KeyManagement contract validates , and verifies scalar . Recipients validate their received shares using .
Reshare Phase
Each participant executes the following steps:
Regenerate his local secret while preserving the constant term .
Follow the step 2 and 3 in the Share phase, but send the shares to the next consensus group.
The KeyManagement contract ensures , preserving the global public key unchanged and preventing leakage of the original secret shares.
Recover Phase (Optional)
If some secret shares are lost, the remaining consensus members help restore them:
The current consensus group forwards all received shares from the lost index to its successor.
The recipient reconstructs the original local secrets using Lagrange interpolation.
Security Note:
Recover
exposes at most of the original secrets, so it is only allowed when the index is confirmed absent fromReshare
.
Threshold Public Key Encryption (TPKE)
Neo X's DKG enables a Threshold Public Key Encryption (TPKE) scheme, ensuring that encrypted transactions can only be decrypted if at least consensus nodes cooperate. This mechanism is crucial for preventing premature exposure of transaction details.
Neo X TPKE utilizes the BLS12-381 curve, encoding any secret to for encryption and any message to for signature generation.
Encryption
For a given secret message , the encryption process follows these steps:
A random point point is chosen as a seed to generate an AES key. The encrypted ciphertext is computed as .
To ensure security, a random scalar is selected to encrypt as
where:
is a random scalar,
is the global public key.
The final encrypted message , which is broadcasted across the network, consists of .
Decryption
To recover the original , the Neo X consensus network must decrypt to recover . The decryption process follows:
Each CN computes and shares , where:
is the commitment of the random scalar ,
is the local secret key.
Since validator indices (DKG indices) are publicly known within Neo X Governance, these shares can be aggregated and solved using a Vandermonde matrix.
Once the seed is recovered, the original message can be decrypted using AES.
Signature
For a given message , Neo X generates a signature through the following process:
The message is encoded to as
A signature share is computed as where is the local secret key.
After collecting enough broadcasted shares, CNs aggregate and get the final signature with Vandermonde matrix in the same way as TPKE decryption.
Last updated