[1/4] Document threshold policies and security assumptions #221
Conversation
0xsecaas
changed the title
| **The tuple `(N, f, t)` chosen at key generation is fixed for all subprotocols** | ||
| (keygen → presign/offline → signing → refresh → resharing). | ||
| Any deviation **must be rejected** unless explicitly whitelisted by `SchemeRules`. |
There was a problem hiding this comment.
This cannot be accurate. During resharing we might need to change the threshold
CC: @SimonRastikian @netrome
On a related note, in which cases
There was a problem hiding this comment.
@gilcu3 true (for current implementation).
I should've mentioned in a Planned policy:
once ThresholdPolicy/SchemeRules land ([step 3/4]), the default will be:
(N,f,t)stays fixed unless theSchemeRulesentry for that scheme allows otherwise.
The What (Goal):
Make the constraints explicit and impossible to miss.
The How (Approach):
- Modify APIs so that mismatched thresholds (e.g., refresh with different threshold) are rejected (step 2/4) unless explicitly intended and supported (step 3/4):
- Introduce scheme-specific hardcoded rules over allowable threshold.
There was a problem hiding this comment.
alright, probably in the future PRs then it will make sense. Although also maybe worth asking, do we have a variable for
There was a problem hiding this comment.
Not yet; today we only persist threshold and infer f = t − 1. To allow future schemes where t != f + 1, we should add explicit (N, f, t) metadata (ThresholdMeta) to keys/shares/transcripts and pass f (or at least store it alongside t) so the validator can enforce or relax the relation via SchemeRules.
Updated part of the document: link
There was a problem hiding this comment.
I am still torn by:
**The tuple `(N, f, t)` chosen at key generation is fixed for all subprotocols**
(keygen → presign/offline → signing → refresh → resharing).
I would reduce it to presign/offline → signing → refresh as for keygen and specially resharing we need the ability to change the parameters in the tuple
docs/threshold_policies.md
Outdated
|
|
||
| | Misconfiguration | Failure Mode | | ||
| | ------------------------------------------- | --------------------------------------------------------------------- | | ||
| | `f >= N/3` in DKG | Broadcast assumptions break; safety and liveness lost. | |
There was a problem hiding this comment.
for that type of comparison we should be more precise, as
There was a problem hiding this comment.
There was a problem hiding this comment.
yes, wherever we use fractions and compare them with integers we should be explicit: using floor or ceil
0xsecaas
force-pushed
the
pr_106_1_docs
branch
from
42b2982 to
059ea21
Compare
| ## Persistence Requirement | ||
|
|
||
| All keys, shares, or transcripts that leave the protocol must embed `(N, f, t)` so future API calls can enforce invariants even if the caller did not store them. | ||
|
|
There was a problem hiding this comment.
+Treat this as a `ThresholdMeta` record that every subprotocol must serialize and verify.
+Keep `f` explicit even when `t = f + 1`. The current schemes tie `t` to `f`, but future `SchemeRules` may relax that relation; persisting both prevents silent downgrades if a protocol later allows `t != f + 1`.
|
@0xsecaas is this ready for review again? |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #221 +/- ##
==========================================
+ Coverage 87.92% 88.46% +0.53%
==========================================
Files 41 50 +9
Lines 9046 9733 +687
Branches 9046 9733 +687
==========================================
+ Hits 7954 8610 +656
- Misses 645 673 +28
- Partials 447 450 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
gilcu3
left a comment
gilcu3
left a comment
There was a problem hiding this comment.
There are some inaccuracies that we need to agree upon here. Lets follow the conversation in the PR comments
| - **Fault tolerance:** | ||
| `f <= floor(N / 3)` due to asynchronous reliable broadcast. | ||
| - **Threshold:** | ||
| `t = f + 1` (design choice; distinct from `N - f`). |
There was a problem hiding this comment.
what do you mean by "design choice; distinct from N - f"?
There was a problem hiding this comment.
When I say the DKG uses a design choice, I mean its threshold is explicitly set to t = f + 1 because that’s the minimum needed to block f colluding adversaries from recovering the secret.
This is not the same as N - f, which is simply the worst-case count of honest parties.
They differ for a reason: tying t to N - f would force every honest participant to be involved in reconstruction. Using t = f + 1 avoids that—DKG security only depends on resisting f adversaries, not on the total number of honest nodes. It keeps the quorum minimal, avoids accidental assumptions about honesty counts, and gives better liveness under churn.
3 participants
related to #18
related to #57
Part 2/4: Persist and enforce threshold invariants across key refresh APIs
Part 3/4: Implement scheme-specific hardcoded threshold validation
Part 4/4: Mirror threshold validation and checks in MPC repo