Skip to main content


We note nn the number of nodes that have a secret share, and t<nt < n the threshold of the network. Each node ii is identified by their long term public key PiP_i and have a secret key skisk_i.

We call QQ the set of qualified node that have successfully ran the DKG, i.e. each node in QQ have a partial share sis_i corresponding to the distributed secret key ss and public key P=sGP = sG where GG is the generator of the group (without indices means we refer to the "keys of the DKG").

We call the threshold network GTGT as Generalized Threshold.

We call the Lagrange basis polynomials the following:

δj(x)=i,ijxxixjxi\delta_j(x) = \prod_ {i, i \neq j} \frac{x - x_i}{x_j - x_i}

such that δj(xj)=1\delta_j(x_j) = 1 and δj(xi)=0\delta_j(x_i) = 0 with iji ≠ j

When not specified otherwise, we will use a pairing equipped elliptic curve of type III. Namely:

  • There are three groups G1,G2,GT\mathbb{G_1},\mathbb{G_2},\mathbb{G_T} of order qq, with associated generators G1,G2,GtG_1,G_2,G_t.
  • There exists an efficiently computable bilinear map e:G1×G2GTe: \mathbb{G_1} \times \mathbb{G_2} \rightarrow \mathbb{G_T}.
  • We will place the key on the G1\mathbb{G_1} group: P=sG1P = sG_1 but that is not fixed.

Specifically for our current deployment, Medusa uses the bn254 family of curves.