Applied Crypto: Introducing Noninteractive Distributed Key Generation

DFINITY
The Internet Computer Review
5 min read · Mar 18, 2021


NIDKG applies advanced cryptography, including encryption with forward secrecy and noninteractive zero-knowledge proofs.

By Jens Groth, Team Lead, Research | DFINITY

The Internet Computer — a revolutionary blockchain computer created by a network of independent data centers running an advanced decentralized protocol — enables developers, organizations, and entrepreneurs to build and deploy secure applications and autonomous software programs. Unlike typical cloud-based or distributed architectures, which operate on proprietary infrastructure or a specific hosting service, the Internet Computer blockchain enables software and services to run directly on the open internet. The decentralized Internet Computer Protocol (ICP) creates this secure network by implementing advanced cryptography.

In a decentralized, distributed system, various questions arise. At the peer-to-peer level, how do we disseminate artifacts between nodes in this hostile open environment? How can we do it in the most efficient way? How do we define the most appropriate network topology? Then moving up, there is a consensus protocol, where the main issue is to ensure that the correct transactions are verified and processed in the correct order in the absence of a central authority.

At the DFINITY Foundation, research and development are not separated from the blockchain we have built. Our R&D team members regularly implement new technologies and see their ideas applied in practice. A good example at the cryptographic level is the Internet Computer's noninteractive distributed key generation (NIDKG) protocol, the foundation's first release of novel, core cryptography.

Introducing Noninteractive DKG

The end user of an application or service that is running on the Internet Computer interacts with canister smart contracts, and does not directly see the advanced cryptography that is used to build this blockchain. The Internet Computer defines a simple and clean interface specifying how canisters operate, enabling a software ecosystem where different apps can communicate and use each other’s APIs.

Digging a little bit deeper reveals the usage of digital signatures, through which the Internet Computer certifies and authenticates outputs. Digital signatures were part of the dawn of modern cryptography, appearing in the pioneering works of Diffie-Hellman and RSA in the late 1970s.

End users, and canisters talking to other canisters, need the information they receive to be certified. On the Internet Computer, though, canisters are hosted on subnets, each run by a collection of nodes around the globe, so the nodes have to run a distributed protocol to agree on and sign the subnet's output. Threshold signatures enable the nodes of a subnet to sign collaboratively: if at least a threshold number of nodes cooperate, they produce a valid signature, while any smaller group, including a few malicious nodes, cannot forge a signature on an unauthorized message.

So far, so good — but there’s a twist. On the Internet Computer, the set of nodes that run a subnet will evolve. Nodes can join and leave their respective subnets. Depending on the demands and requirements of the network, the desired security level, available capacity at data centers, random hardware failures, and so on, the set of nodes running a subnet changes over time — meaning that the group of threshold signers evolves over time.

If the public key had to change every time the membership changed, new keys would have to be generated, registered, and distributed while the nodes are in flux, which is logistically complicated. Key management is greatly simplified if the same subnet can always be referenced by a single static public key, even as the nodes comprising it change.

Fortunately, public key preservation has a cryptographic solution: secret keys can be reshared. With a key resharing scheme, the current set of signers transfers the ability to threshold sign to a new set of signers without changing the public key. Existing resharing schemes have many benefits, but they come with a limitation: they are interactive, requiring several rounds of messages, which is problematic in an asynchronous network. If a message from a node is missing, it is unclear whether the message is merely delayed or whether the node has crashed or been compromised, so the protocol cannot safely decide when to proceed.

The DFINITY R&D team has invented a new noninteractive key resharing protocol in which each of the old signers only needs to broadcast a single message to the new signers. To make this secure, several concepts from advanced cryptography are used, including encryption with forward secrecy (so that key material a node decrypted in an earlier epoch cannot be recovered if the node is compromised later) and noninteractive zero-knowledge proofs (so that anyone can verify that a broadcast message is well formed without querying its sender). Because the protocol is noninteractive, it is ideal for an asynchronous environment, and it preserves the key: throughout the lifetime of a subnet, the subnet is known by a single public key, and the other parties on the Internet Computer do not have to keep track of changing public keys.

Looking at the different phases of key management of a subnet, the protocol first applies to initial key generation. The Internet Computer can use the NIDKG protocol to start a new subnet and give the initial nodes a threshold signing key, without the initial nodes having to be involved in the setup process. The nodes simply learn that they have been assigned to a subnet, deduce their secret share of the signing key, and start running the subnet.

While the subnet is running, the key resharing protocol is used to enroll newly joining nodes. No lengthy enrollment process is needed: the subnet simply leaves encrypted key material for the joining nodes, which decrypt their shares and can start participating.

What is expected to happen most frequently is for a set of nodes to reshare the secret key to themselves. This may sound counterintuitive, since the nodes already hold shares of the threshold signing key, but the idea comes from the concept of proactive security.

The problem is that nodes may be compromised over time. Imagine a subnet run by the same nodes for a long period; this gives an attacker a window during which they may somehow learn a node's threshold share of the signing key. Proactive security addresses this by periodically refreshing the shares: the nodes reshare the secret to obtain a new threshold sharing of the same signing key and then delete their old shares. Even if an attacker learns some shares from every node over a long enough time, the signing key remains secure as long as fewer than the threshold number of shares from any single epoch are ever known, because shares from different epochs do not combine.
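The three phases described above (initial key generation, enrolling a joining node, and a proactive refresh) can be seen in one small model of Shamir secret sharing with resharing. This is an added example, not DFINITY's code: it works over a constructed prime field with a fixed random seed, uses a dealer-style sharing in place of the real dealer-free protocol, and omits the forward-secure encryption of shares and the noninteractive zero-knowledge proofs that make real NIDKG dealings publicly verifiable. What it does show is the core algebra: every old signer publishes a single sharing of its own share, the new signers combine the pieces with Lagrange weights, the secret (and hence the public key derived from it) never changes, and shares from different epochs cannot be mixed.

```python
import random

# Toy field: arithmetic is done modulo the Mersenne prime 2^127 - 1 (a constructed
# choice for the example; production schemes use the scalar field of the curve).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (Horner's rule, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_at_zero(xs):
    """Lagrange weights lambda_i such that f(0) = sum(lambda_i * f(x_i)) for points at xs."""
    weights = []
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        weights.append(num * pow(den, P - 2, P) % P)  # Fermat inverse, P is prime
    return weights


def share(secret, threshold, node_ids, rng):
    """Shamir-share `secret` so that any `threshold` of `node_ids` can reconstruct it.

    This plays the role of initial key generation: a node just receives its share
    (in NIDKG it would decrypt it from the public dealings) and can start signing.
    """
    poly = [secret] + [rng.randrange(P) for _ in range(threshold - 1)]
    return {i: _eval_poly(poly, i) for i in node_ids}


def reconstruct(shares):
    """Recover f(0) from a dict {node_id: share}; the caller must supply >= threshold shares."""
    xs = list(shares)
    return sum(w * shares[x] for w, x in zip(_lagrange_at_zero(xs), xs)) % P


def reshare(old_shares, old_threshold, new_threshold, new_ids, rng):
    """Noninteractive resharing from the old committee to `new_ids`.

    Each qualified old node i publishes ONE message: a fresh Shamir sharing of its
    own share s_i (constant term s_i). A new node j combines the sub-shares
    addressed to it with the Lagrange weights of the qualified old nodes, which
    gives it a share of F(x) = sum_i lambda_i * f_i(x), and
    F(0) = sum_i lambda_i * s_i = secret. Any `old_threshold` old nodes suffice;
    the first ones by id are used here. Omitted from the toy: encrypting the
    sub-shares to their recipients and the NIZK proofs that let everyone verify
    a dealing without talking to the dealer.
    """
    qualified = sorted(old_shares)[:old_threshold]
    lam = dict(zip(qualified, _lagrange_at_zero(qualified)))
    dealings = {i: share(old_shares[i], new_threshold, new_ids, rng) for i in qualified}
    return {j: sum(lam[i] * dealings[i][j] for i in qualified) % P for j in new_ids}


def demo(seed=7):
    """Initial generation, enrolling a joining node, and a proactive refresh."""
    rng = random.Random(seed)  # constructed, deterministic randomness for the example
    secret = rng.randrange(1, P)  # stands in for the subnet's signing key
    old = share(secret, 3, [1, 2, 3, 4], rng)                # 4 nodes, threshold 3
    joined = reshare(old, 3, 3, [1, 2, 3, 4, 5], rng)        # node 5 joins, same secret
    refreshed = reshare(joined, 3, 3, [1, 2, 3, 4, 5], rng)  # same members, new shares
    return secret, old, joined, refreshed


if __name__ == "__main__":
    secret, old, joined, refreshed = demo()
    print("initial  ", reconstruct({i: old[i] for i in (1, 2, 3)}) == secret)
    print("joined   ", reconstruct({i: joined[i] for i in (2, 4, 5)}) == secret)
    print("refreshed", reconstruct({i: refreshed[i] for i in (1, 3, 5)}) == secret)
    # Old and new shares lie on different polynomials, so mixing epochs fails;
    # this is why deleting old shares after a refresh limits an attacker.
    print("mixed    ", reconstruct({1: joined[1], 2: joined[2], 3: refreshed[3]}) == secret)
```

Note that `reconstruct` does not enforce the threshold itself; a real implementation checks the number of valid shares before interpolating, and the `mixed` line shows why an attacker holding two shares from one epoch and one from the next learns nothing useful.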

NIDKG is one of many innovations spearheaded by DFINITY’s R&D team in pursuit of the Internet Computer’s grand vision to renew the creative capacity of the web — a vision that is steadily becoming a public reality. We look forward to welcoming developers to explore the capabilities of the network and create the apps and services of the future.

Join our developer community and start building at forum.dfinity.org.
