simplpedpop: Explain blame internals
real-or-random committed Dec 18, 2024
1 parent 04595ae commit 9c779b8
Showing 2 changed files with 20 additions and 8 deletions.
26 changes: 19 additions & 7 deletions README.md
Expand Up @@ -245,15 +245,15 @@ Our variant of the SimplPedPop protocol then works as follows:
3. Upon receiving `coms_to_secrets`, `sum_coms_to_nonconst_terms`, and `pops` from the coordinator,
every participant `i` verifies every signature `pops[j]` using message `j` and public key `coms_to_secret[j]`.
If any signature is invalid, participant `i` aborts.
If any signature, say the one from participant `j`, is invalid, participant `i` aborts and blames participant `j` for the failure of the session.
Otherwise, participant `i` sums the components of `coms_to_secrets`,
Otherwise, i.e., if all signatures are valid, participant `i` sums the components of `coms_to_secrets`,
and prepends the sum to the `sum_coms_to_nonconst_terms` vector, resulting in a vector `sum_coms`.
(Assuming the coordinator performed its computations correctly,
the vector `sum_coms` is now the complete component-wise sum of the `coms[j]` vectors from every participant `j`.
It acts as a VSS commitment to the sum `f = f_0 + ... + f_{n-1}` of the polynomials of all participants.)
To generate a threshold public key with an unspendable [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] Taproot script path, each participant computes a Taproot tweak `t` for an unspendable script path.
To generate a threshold public key with an unspendable [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] Taproot script path, each participant computes a Taproot tweak `tweak` for an unspendable script path.
They then add the point `t * G` to `sum_coms[0]`, resulting in a new VSS commitment called `sum_coms_tweaked`.
Participant `i` computes the public share of every participant `j` as follows:
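Review bot: The rename of the Taproot tweak from `t` to `tweak` is incomplete: the unchanged line right after the renamed one still says "add the point `t * G` to `sum_coms[0]`", so the text now defines `tweak` but uses `t`, which this section also uses for the threshold (as in `(j+1)^(t-1)`). Change that line to `tweak * G` in the same commit. The unchanged verification line above also reads `coms_to_secret[j]` where the message field is named `coms_to_secrets`; worth fixing while this step is being edited.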
Expand All @@ -262,13 +262,26 @@ Our variant of the SimplPedPop protocol then works as follows:
pubshares[j] = (j+1)^0 * sum_coms_tweaked[0] + ... + (j+1)^(t-1) * sum_coms_tweaked[t-1]
```
Let `secshare` be the sum of VSS shares privately obtained from each participant and Taproot tweak `t`.
Let `partial_secshares` be vector of the VSS shares that participant `i` has privately obtained from each participant,
and let `secshare = (partial_secshares[0] + ... + partial_secshares[n]) + tweak`.
Participant `i` checks the validity of `secshare` against `sum_coms_tweaked`
by checking if the equation `secshare * G = pubshares[i]` holds.
(Assuming `secshare` is the sum of the VSS shares created by other participants, it will be equal to `f(i+1)`.)
(`secshare` is supposed to be equal to `f(i+1)`.)
If the check fails, participant `i` aborts.
Otherwise, participant `i` sets the DKG output consisting of
Assuming the coordinator is honest and has sent a correct `sums_com_tweaked` vector,
participant `i` knows that some participant contributed a wrong summand to `secshare`,
but participant `i` does has insufficient information to single out and blame the faulty participant.
In this case, participant `i` can optionally ask the coordinator for a vector `partial_pubshares`:
```
partial_pubshares[j] = (i+1)^0 * coms[j][0] + ... + (i+1)^(t-1) * coms[j][t-1]
```
With this vector at hand, participant `i` verifies each component of `partial_secshares` individually
by checking for which participant `j` the equation `partial_secshare[j] * G = partial_secshares[j]` does not hold.
Participant `i` blames this participant `j` .
Otherwise, i.e., in the successful case that the equation `secshare * G = pubshares[i]` holds,
participant `i` sets the DKG output consisting of
this participant's secret share `secshare`,
the threshold public key `threshold_pubkey = sum_coms_tweaked[0]`, and
all participants' public shares `pubshares`.
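Review bot: The per-participant blame equation in the new paragraph is wrong as written: `partial_secshare[j] * G = partial_secshares[j]` compares against the same secret-share vector and never uses `partial_pubshares`; it should read `partial_secshares[j] * G = partial_pubshares[j]`. In the new definition of `secshare`, the sum runs to `partial_secshares[n]`, but the participants are indexed `0` to `n-1` elsewhere in this section, so the last term should be `partial_secshares[n-1]`. Two smaller fixes in the added text: `sums_com_tweaked` should be `sum_coms_tweaked`, and "does has insufficient information" should be "has insufficient information" (also "be vector" should be "be the vector"). The paragraph also does not say what participant `i` concludes when every individual check passes even though `secshare * G = pubshares[i]` failed; since the blame step is stated under the assumption of an honest coordinator, it would help to spell out that case.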
Expand All @@ -283,7 +296,6 @@ Our variant of the SimplPedPop protocol then works as follows:
Details of the interface of the equality check protocol will be described further below in
[Subsection "Background on Equality Checks"](#background-on-equality-checks).
### DKG Protocol EncPedPop
(See [`python/chilldkg_ref/encpedpop.py`](python/chilldkg_ref/encpedpop.py).)
2 changes: 1 addition & 1 deletion python/chilldkg_ref/simplpedpop.py
Expand Up @@ -288,7 +288,7 @@ def coordinator_step(
cmsg = CoordinatorMsg(coms_to_secrets, sum_coms_to_nonconst_terms, pops)

sum_coms = assemble_sum_coms(coms_to_secrets, sum_coms_to_nonconst_terms)
sum_coms_tweaked, secshare_tweak = sum_coms.invalid_taproot_commit()
sum_coms_tweaked, _ = sum_coms.invalid_taproot_commit()
threshold_pubkey = sum_coms_tweaked.commitment_to_secret()
pubshares = [sum_coms_tweaked.pubshare(i) for i in range(n)]

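Review bot: Discarding the second return value of `sum_coms.invalid_taproot_commit()` with `_` in `coordinator_step` is a code cleanup unrelated to the commit title "simplpedpop: Explain blame internals". Mention it in the commit message or split it into its own commit so the documentation change can be reviewed on its own.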