Tangle Network
Distributed Key Generation

Understanding DKG in Tangle Network

Authority Selection

The authority selection system for DKG authorities uses a simple reputation mechanism for selecting the best set of authorities to participate in the key generation and signing protocols. The integer thresholds for keygen authorities and signing authorities are set and governed on-chain and directly correspond to the number of DKG clients that will participate in either protocols.

For a keygen threshold of n and a signing threshold of t, we take the top-n authorities on chain by reputation. Out of these n keygen authorities, t+1 of them are selected for signing. The keygen set remains fixed over the course of the session, whereas the signing set can change amidst misbehaviours in signing protocol participation.

Reputation Calculation

The pallet-dkg-metadata is responsible for calculating and maintaining the reputation scores of all active validators. Reputation serves as a metric to assess and evaluate the authorities, taking into account the number of valid keygen operations performed by the authority and any reported misbehaviors.

The misbehaviour reporting process is based on an honest-threshold assumption. If DKG authorities misbehave off-chain, any observing authority can submit a report against the offending authority. Once a threshold number of reports are submitted, the offending authority will experience a loss of reputation. The reputation map is used by each DKG authority to ensure that every authority can generate a deterministic signing set for threshold signing protocols. Initially, the signing set consists of the top t DKG authorities according to their reputation.

The formula for updating reputation based on misbehaviour is as follows:


Jailing authorities

For each instance of misconduct that is verified and reported to an authority, the implicated authority will be temporarily suspended or "jailed" for a specific number of sessions. During this suspension, the authority will not be included in the selection process for the authority selection set. This serves as a punitive measure against malicious behaviour. The authority may be reinstated after a predetermined period of time has passed.

Dkg Reputation light

Key rotation

The DKG required network participants to rotate their shared private signing keys in an effort to keep the network secure. On a new session, the new authorities (from validators) are selected and the next authorities are selected.

  1. These next authorities run keygen protocol discussed above and output a new group keypair on-chain, denoted next_dkg_public_key.
  2. The current authorities (having already run this process in the step before) see this event and if it is time to refresh, they begin to sign the next_dkg_public_key with their key, the dkg_public_key.
  3. The signature from the active keypair of the next keypair is posted on-chain.
  4. Once this signature is posted, anyone can propagate it.
    • Any relayer.
    • Any user who wants to update the governor of their contract.

Key rotation flow

The on-chain keys are rotated every session. This is done so that the DKG validators and network validators are aligned and new validators can leave and join as desired. At the end of the session's target period, the Tangle runtime triggers the process to generate a new key. A new distributed key generation protocol executes with the next on-chain authorities. These authorities then work together to generate a new key. The active (current) authorities then sign the newly generated key with a threshold signature and post it on-chain to complete a successful key rotation.

Dkg Rotation light

Misbehaviour Reporting & Reputation

Misbehaviour reporting follows an oracle-based approach. The DKG protocol we utilize has identifiable aborts, meaning it is possible to identify the party misbehaving during the protocol’s execution. While every honest party sees this misbehaviour, it is tricky to identify on-chain, as it would require running the protocol itself on-chain and verifying the misbehaviour proof.

Instead of pushing proofs of misbehaviour on-chain, we utilize a threshold voting-based approach. For a threshold t and offender o, if t parties report the same misbehaviour containing the type of misbehaviour, the round of misbehaviour, and the offending authority, then the party’s reputation reduces according to the function:

reputation(o) = α * reputation(o)

When a good action occurs, such as successfully rotating keys or signing a proposal and submitting it on-chain, the reputation increases according to the function:

reputation(o) = α * reputation(o) + 1,000,000,000