Federated Distributed Key Generation

TL;DR

This paper introduces Federated Distributed Key Generation (FDKG), a flexible, trust-heterogeneous protocol that improves upon classical DKG by allowing optional participation and local trust structures, suitable for open, large-scale environments.

Contribution

It proposes FDKG, a novel DKG approach inspired by Federated Byzantine Agreement, enabling optional participation, local guardian sets, and single-round generation and reconstruction.

Findings

Ensures correctness, privacy, and robustness under standard PVSS assumptions.

Provides liveness and privacy guarantees based on guardian-set topology.

Achieves efficient communication proportional to n k with at most O(n^2) for reconstruction.

Abstract

Distributed Key Generation (DKG) underpins threshold cryptography in many systems, including decentralized wallets, validator key ceremonies, cross-chain bridges, threshold signatures, secure multiparty computation, and internet voting. Classical ($t$,$n$)-DKG assumes a fixed group of n parties and a global threshold $t$, requiring full and timely participation. When actual participation deviates, the setup must abort or restart, which is impractical in open or time-critical environments where $n$ is large and availability unpredictable. We introduce Federated Distributed Key Generation (FDKG), inspired by Federated Byzantine Agreement, that makes participation optional and trust heterogeneous. Each participant selects a personal guardian set $G_i$ of size $k$ and a local threshold $t$. Its partial secret can later be reconstructed either by itself or by any t of its guardians. FDKG generalizes PVSS-based DKG and completes both generation and reconstruction in a single broadcast round each, with total communication proportional to $n k$ and at most $O(n^2)$ for reconstruction. Our analysis shows that (i) generation ensures correctness, privacy, and robustness under standard PVSS-based DKG assumptions, and (ii) reconstruction provides liveness and privacy characterized by the guardian-set topology {$G_i$}. Liveness holds if no participant $i$ is corrupted together with at least $k-t+1$ of its guardians. Conversely, privacy is preserved unless the corrupted subset is itself reconstruction-capable.