Identifiable Abort

[jfdreis]

Feature request

You mention in the README file that the identifiable abort (IA) feature is not fully supported. At Nillion, we are interested in integrating this feature in the 3+1 protocol version.

Q1: Are you already working on this? Otherwise, we would like to contribute.

Implementation details

We've looked into the code and it seems that most of the ZK-protocols are already implemented together with the blame option, allowing to have some degree of IA. According to the docs, there are two ways to request a signature:

1. Running cggmp21::signing, which ends up calling signing_n_out_of_n and runs the whole signing protocol at once,
2. or through the chain of operations generate_presignature -> issue_partial_signature -> combine.

To support IA following option 1, we would need to include 3 new zkps ($\Pi^{mul}$, $\Pi^{mul*}$ and $\Pi^{dec}$) into paillier-zk repo and integrate them here and here.

Option 2 seems a bit more evolving as we would need to save the transcripts in-between the function calls.

Q.2 Is the above sensible? Are we missing any major blocker?

[maurges]

1. Currently we aren't working on this. Contributions would be appreciated.
2. Cggmp paper describes identifiable abort for both ECDSA pre-signing and ECDSA signing. signing_n_out_of_n does both or one depending on input parameters: both when calling cggmp21::signing and only presigning with generate_presignature - the ECDSA signing is then done in combine not necessarily on the presigning party. To do identifiable abort in combine, you would need to keep presigning transcripts with presignatures, and add a functionality for parties to prove their innocence - this all seems like infrastructure nightmare. Having identifiable abort in parts that don't require transcripts is already fine, so you can go with option number 1.

[survived]

It's a good feature to have, but I don't think we're going to work on it in any near future. It's also something that is difficult to contribute, as it's a massive change, and we'd need the contribution to comply with certain requirements (e.g. that identifiable abort is optional, and when not enabled it doesn't affect performance; code quality; architectural changes need to be discussed in advance), so if you want to volunteer for contribution it would imply that we need to have a lot of discussions before the work can be started, and we'd need to keep in touch after that and review intermediate progress, to make sure that we're all aligned on the feature development.

[survived]

If you want to communicate with us about IA, you can also join our discord room #lockness-contribute:

https://discordapp.com/channels/905194001349627914/1285268686147424388