Key rotation
The DKG requires network participants to rotate their shared private signing keys to keep the network secure. On a new session, the new authorities (from validators or collators) are selected, and the next authorities are selected as well.
- These next authorities run the keygen protocol discussed above and output a new group keypair on-chain, denoted next_dkg_public_key.
- The current authorities (having already run this process in the step before) see this event and, if it is time to refresh, they begin to sign the next_dkg_public_key with their key, the dkg_public_key.
- The signature from the active keypair of the next keypair is posted on-chain.
- Once this signature is posted, anyone can propagate it.
  - Any relayer.
  - Any user who wants to update the governor of their contract.
Key rotation flow
The on-chain keys are rotated every session. This is done so that the DKG validators and network validators are aligned and new validators can leave and join as desired. At the end of the session's target period, the Tangle runtime triggers the process to generate a new key. A new distributed key generation protocol executes with the next on-chain authorities. These authorities then work together to generate a new key. The active (current) authorities then sign the newly generated key with a threshold signature and post it on-chain to complete a successful key rotation.
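The rotation steps and flow above can be seen from the verifier's side in the following added example, which is not code from the DKG or Tangle. It assumes a single-key toy Schnorr signature over constructed, insecure parameters in place of the threshold signature, and the names Governor, rotate, keygen, sign and verify are hypothetical.

```python
import hashlib

P = 2**127 - 1   # toy group, NOT secure; exponents are reduced mod P - 1
G = 3

def _h(*parts: int) -> int:
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen(seed: int):
    """Stand-in for one DKG keygen round: returns (secret, public)."""
    x = _h(seed) % (P - 1)
    return x, pow(G, x, P)

def sign(secret: int, message: int):
    """Stand-in for the threshold signature of the current authorities."""
    k = _h(secret, message) % (P - 1)      # deterministic nonce
    r = pow(G, k, P)
    return r, (k + _h(r, message) * secret) % (P - 1)

def verify(public: int, message: int, sig) -> bool:
    r, s = sig
    return pow(G, s, P) == (r * pow(public, _h(r, message), P)) % P

class Governor:
    """Hypothetical contract-side state: trusts exactly one DKG public key."""
    def __init__(self, dkg_public_key: int):
        self.dkg_public_key = dkg_public_key

    def rotate(self, next_dkg_public_key: int, sig) -> bool:
        # Accept the next key only if the currently trusted key signed it.
        if not verify(self.dkg_public_key, next_dkg_public_key, sig):
            return False
        self.dkg_public_key = next_dkg_public_key
        return True

def demo():
    (x1, y1), (x2, y2), (x3, y3) = keygen(1), keygen(2), keygen(3)
    xr, yr = keygen(99)                    # key the authorities never signed
    sig_1_2, sig_2_3 = sign(x1, y2), sign(x2, y3)
    gov = Governor(y1)
    return [
        gov.rotate(yr, sign(xr, yr)),      # self-signed rogue key
        gov.rotate(y3, sig_2_3),           # skips a session
        gov.rotate(y2, sig_1_2),           # valid; submitter is irrelevant
        gov.rotate(y3, sig_2_3),           # valid once key 2 is trusted
        gov.rotate(y2, sig_1_2),           # replay of an old rotation
    ]

print(demo())  # [False, False, True, True, False]
```

Because acceptance depends only on the signature chain, a relayer or user can submit the posted signature without being trusted, but rotations must be applied in session order.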