In NIDKG why is it safe if one of the dealers is honest?

I understand about polynomial calculations, but why is it safe if one dealer is an honest polynomial and the other dealer is a random polynomial?
Can’t all dealer be random polynomials?

I am struggling to understand, please help.

1 Like

I am not sure I understood the question correctly, so let me know if the following helps:

Say that we are trying to agree on a random polynomial. Simplifying a bit, our protocol looks like the following:

  • Every dealer commits to a random polynomial.
  • Once we collected at least f+1 commitments from distinct dealers we combine these, resulting in a commitment to the sum of all the polynomials.

However the dealers may not all be honest and they could deviate from the protocol, e.g., the could commit to a polynomial that is not sampled at random. Since our protocol assumes that there may be up to f dishonest dealers, we collect at least f+1 commitments from distinct dealers. This is sufficient to guarantee that at least one of the polynomials comes from an honest dealers, and thus was picked at random. This ensures that when we sum the polynomials/commitments together, the combined polynomial will be also be distributed at random, even if all the other dealers were dishonest.

Hope this helps!


To explain how the terms “honest” and “random” relate to each other. An honest dealer by definition a) takes a random polynomial and b) keeps it secret. Those two things (a and b) come down to the same goal: that the attacker cannot learn the polynomial.

The reason that condition a) is there is the following. An attacker can of course always try to guess the polynomial. That’s astronomically unlikely to be successful, as long as the polynomial is random. If it is not random then the attacker has better chances at guessing which we don’t want to happen.

So to answer your question:

Yes, if all dealers have random polynomials then we are good. They should also keep it secret of course.

In fact, if only one dealer is honest then the whole protocol is still safe. The attacker would have to know all polynomials to be successful.

1 Like