# Threshold Encryption ## Decentralized Key Generation (DKG) The DKG mechanism in Neo X enables a fully decentralized key generation process among consensus members. Before each epoch change, the upcoming consensus group must successfully complete a DKG round to establish a new threshold public-private key pair. This process ensures that no single participant controls the decryption or signing capabilities. ### DKG Process Each DKG round consists of three key steps: 1. **Share** – The next consensus group generates $$n$$ distributed secret shares and a global public key, where $$n$$ is the number of Neo X consensus nodes. 2. **Reshare** – The current consensus group (if available) transfers the previous round’s secret to the next group. 3. **Recover (Optional)** – If up to $$f$$ secret shares are lost, the remaining $$2f+1$$ shares reconstruct the secret to complete the transition. Starting from [**v0.3.0**](https://github.com/bane-labs/go-ethereum/releases/tag/v0.3.0), the DKG module automates the entire process, except for setting up the initial Anti-MEV keystore with a secret passphrase. #### Share **Phase** Each participant executes the following steps: 1. Take a random polynomial $$f(x) = a\_0 + a\_1x + a\_2x^2 + \dots + a\_{t-1}x^{t-1}$$ as their local secret, where $$t = 2f+1$$ (the threshold for consensus). 2. Compute $$f\_1,f\_2,...,f\_n$$ where $$f\_i=f(i)$$ and share them with corresponding participants, where $$i$$ is the index of different participants of `Share`. 3. Accept all $$f\_i$$ from other participants as $$f\_1(i),f\_2(i),...,f\_n(i)$$, where $$i$$ is the index of receiver, and compute $$s\_i=\sum f\_i$$ to get the final secret key. #### **Generating the Global Public Key** The global public key is generated using Publicly Verifiable Secret Sharing (PVSS): 1. Each participant uploads $$F(x)=f(x)G\_1$$ within his PVSS to the [KeyManagement](/governance/neo-x-system-contracts.md#keymanagement) contract. 2. The contract verifies each PVSS and computes $$S=\sum\_{i=1}^n F\_i(0)$$ as the global public key. A well-constructed PVSS includes: * $$F(x)=f(x)G\_1$$ as the sender’s local secret commitment. * $$rG\_1,rG\_2$$ as a pair of commitments for a random scalar $$r$$. * $$F=(F(1),F(2),...,F(n))$$ as the commitment share messages. The KeyManagement contract validates $$F(1),F(2),...,F(n)$$, and verifies scalar $$r$$. Recipients validate their received shares using $$e(r\_1f(i),g\_2)=e(F(i),r\_2)$$. {% hint style="info" %} **Future Enhancement:** Zero-Knowledge Proofs (ZKPs) will be integrated to enhance encryption verification. {% endhint %} #### **Reshare Phase** Each participant executes the following steps: 1. Regenerate his local secret $$f'(x)=a\_0+a'\_1 x+a'*2 x^2+ \dots +a'*{t-1}x^{t-1}$$ while preserving the constant term $$a\_0$$. 2. Follow the step 2 and 3 in the **Share** phase, but send the shares to the next consensus group. The KeyManagement contract ensures $$F(0)=F'(0)$$, preserving the global public key unchanged and preventing leakage of the original secret shares. #### **Recover Phase (Optional)** If some secret shares are lost, the remaining consensus members help restore them: 1. The current consensus group forwards all received shares $$f\_i$$ from the lost index $$i$$ to its successor. 2. The recipient reconstructs the original local secrets using [**Lagrange interpolation**](https://en.wikipedia.org/wiki/Lagrange_polynomial). > **Security Note**: `Recover` exposes at most $$f$$ of the original secrets, so it is only allowed when the index $$i$$ is confirmed absent from `Reshare`. ## Threshold Public Key Encryption (TPKE) Neo X's DKG enables a Threshold Public Key Encryption (TPKE) scheme, ensuring that encrypted transactions can only be decrypted if at least $$2f+1$$ consensus nodes cooperate. This mechanism is crucial for preventing premature exposure of transaction details. Neo X TPKE utilizes the BLS12-381 curve, encoding any secret to $$G\_1$$ for encryption and any message to $$G\_2$$ for signature generation. ### Encryption For a given secret message $$msg$$, the encryption process follows these steps: 1. A random point $$G\_1$$ point $$P$$ is chosen as a seed to generate an AES key. The encrypted ciphertext is computed as $$C\_1=AES(Hash(P), msg)$$. 2. To ensure security, a random scalar $$r$$ is selected to encrypt $$P$$ as $$C\_2=P+rS$$ where: * $$r$$ is a random scalar, * $$S$$ is the global public key. 3. The final encrypted message $$C$$, which is broadcasted across the network, consists of $$C=(C\_1,C\_2)$$. ### **Decryption** To recover the original $$msg$$, the Neo X consensus network must decrypt $$C\_1$$ to recover $$P$$. The decryption process follows: 1. Each CN computes and shares $$s\_iR$$, where: * $$R$$ is the commitment of the random scalar $$r$$, * $$s\_i$$ is the local secret key. 2. Since validator indices (DKG indices) are publicly known within Neo X Governance, these shares can be aggregated and solved using a [**Vandermonde matrix**](https://en.wikipedia.org/wiki/Vandermonde_matrix). 3. Once the seed $$P$$ is recovered, the original message $$msg$$ can be decrypted using AES. ### Signature For a given message $$msg$$, Neo X generates a signature through the following process: 1. The message is encoded to $$G\_2$$ as $$Q=HashToG2(msg)$$ 2. A signature share is computed as $$s\_iH$$ where $$s\_i$$ is the local secret key. 3. After collecting enough broadcasted shares, CNs aggregate and get the final signature with [Vandermonde matrix](https://en.wikipedia.org/wiki/Vandermonde_matrix) in the same way as TPKE decryption. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://xdocs.ngd.network/security/anti-mev-protection/threshold-encryption-and-dkg.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.