[cryptography] Clarify DKG differences

cronokirby · cronokirby · commit 666154273159 · 2026-05-21T12:59:46.000-07:00
Removes a blurb in dkg about how asynchrony is future work,
referencing the current golden impl instead, and adds top level
docs about the two DKG protocols.
diff --git a/cryptography/src/bls12381/dkg.rs b/cryptography/src/bls12381/dkg.rs
@@ -157,17 +157,12 @@
 //! honest players and another block `B_2` to `f + 1` other honest players. Normally, it would only be possible to create one quorum of `2f + 1` (for `B_2`),
 //! however, with `h` other shares revealed another quorum of `2f + h` can be formed for `B_1`.
 //!
-//! #### Future Work: Dropping the Synchrony Assumption for `f` Bounded Reveals?
+//! #### DKG without a synchrony assumption
 //!
-//! It is possible to design a DKG/Resharing scheme that maintains a shared secret where at least `f + 1` honest players
-//! must participate to recover the shared secret that doesn't require a synchrony assumption (`2f + 1` threshold
-//! where at most `f` players are Byzantine). However, known constructions that satisfy this requirement require both
-//! broadcasting encrypted dealings publicly and employing Zero-Knowledge Proofs (ZKPs) to attest that encrypted dealings
-//! were generated correctly ([Groth21](https://eprint.iacr.org/2021/339), [Kate23](https://eprint.iacr.org/2023/451)).
-//!
-//! As of January 2025, these constructions are still considered novel (2-3 years in production), require stronger
-//! cryptographic assumptions, don't scale to hundreds of participants (unless dealers have powerful hardware), and provide
-//! observers the opportunity to brute force decrypt shares (even if honest players are online).
+//! Some protocols achieve one round without synchrony assumptions, by combining
+//! encryption and ZK Proofs. We have an implementation of one such protocol,
+//! [Golden](https://eprint.iacr.org/2025/1924), in [`crate::bls12381::golden_dkg`].
+//! At the moment, that implementation is still experimental.
 //!
 //! ## Handling Complaints
 //!
diff --git a/cryptography/src/bls12381/mod.rs b/cryptography/src/bls12381/mod.rs
@@ -5,6 +5,19 @@
 //! This crate has the following features:
 //!
 //! - `portable`: Enables `portable` feature on `blst` (<https://github.com/supranational/blst?tab=readme-ov-file#platform-and-language-compatibility>).
+//!
+//! # DKG Protocols
+//!
+//! This module exports two DKG protocols:
+//!
+//! - [`dkg`], a two-round synchronous protocol,
+//! - [`golden_dkg`], a one-round asynchronous protocol (currently in ALPHA).
+//!
+//! The tradeoff is that the latter is more complicated, and more computationally
+//! expensive. However, it is less reliant on assumptions about the number of corruptions,
+//! and the single round can be very useful, operationally. At the moment,
+//! the status of our Golden implementation is experimental, so we recommend
+//! using [`dkg`] for now.
 
 pub mod certificate;
 #[cfg(feature = "std")]
