# Key Generation

Generating Secure Elliptic-Curve Keys Without Exposing the Private Key

A two-party method can be used to generate a public key for elliptic-curve signing (such as ECDSA or EdDSA). This two-party approach can be used to generate a public key $Q$ without either party knowing the private key $x$. Here's how it works:

**Concept of Elliptic-Curve Keys**: The private key $x$ corresponds to a public key $Q$, defined as $Q=x⋅G$, where $G$ is the generator of the elliptic-curve group.**Objective**: The goal is for party $1P1$ to hold a share $1x1$, and party $2P2$ to hold a share $2x2$, with the condition $2x=x1+x2$.

**The Process of Two-Party Key Generation**

**Initial Step**: Each party independently selects a random value: $1P1$ chooses $1x1$ and computes $Q1=x1⋅G$, and $2P2$ chooses $2x2$ and computes $Q2=x2⋅G$.**Exchange and Calculation**: $1P1$ and $2P2$ exchange $1Q1$ and $2Q2$ respectively, and each then defines $2Q=Q1+Q2$. By elliptic-curve properties, $Q=(x1+x2)⋅G=x⋅G$, thus generating the public key without exposing $x$.

**Addressing Security Concerns**

**Problem with Initial Approach**: If $2P2$ is corrupt, it could bias $Q$ by waiting for $1Q1$ from $1P1$ and then choosing $2Q2$ to manipulate $Q$.**Solution - Commitment Scheme**: To prevent this, $1P1$ sends a commitment to $1Q1$, essentially a cryptographic "envelope" that hides $1Q1$ but binds $1P1$ to it. After $2P2$ sends $2Q2$, $1P1$ reveals $1Q1$.**Ensuring Randomness and Security**: This method ensures that $1Q1$ and $2Q2$ are chosen independently. If one party is honest, the result is random and secure. Neither party knows $x$, as it's only additively shared between them.

Last updated