Distributed Key Generation (DKG) lets parties derive a common public key while keeping the signing key secret-shared. UC-secure DKG requires a verifiable-sharing enforcement layer -- classically satisfied via Verifiable Secret Sharing (VSS) and/or commitment-and-proof mechanisms -- for secrecy, uniqueness, and affine consistency. We target the Non-eXportable Key (NXK) setting enforced by hardware-backed key-isolation modules (e.g., TEEs, HSM-like APIs), formalized via an ideal KeyBox (keystore) functionality $\mathcal{F}_{KeyBox}$ that keeps shares non-exportable and permits only attested KeyBox-to-KeyBox sealing. With confidentiality delegated to the NXK boundary, the remaining challenge is enforcing transcript-defined affine consistency without exporting or resharing shares. State continuity rules out rewinding-based extraction, mandating straight-line techniques. We combine (i) KeyBox confidentiality; (ii) Unique Structure Verification (USV), a publicly verifiable certificate whose certified scalar never leaves the KeyBox yet whose public group element is transcript-derivable; and (iii) Fischlin-based UC-extractable NIZK arguments of knowledge in a gRO-CRP (global Random Oracle with Context-Restricted Programmability) model. We construct Star DKG (SDKG), a UC-secure scheme for multi-device threshold wallets where a designated service must co-sign but cannot sign alone, realizing a 1+1-out-of-$n$ star access structure (center plus any leaf) over roles (primary vs. recovery) with role-based device registration. In the $\mathcal{F}_{KeyBox}$-hybrid and gRO-CRP models, under DL and DDH assumptions with adaptive corruptions and secure erasures, SDKG UC-realizes a transcript-driven refinement of the standard UC-DKG functionality. Over a prime-order group of size $p$, SDKG incurs $\widetilde{O}(n\log p)$ communication overhead and $\widetilde{O}(n\log^{2.585}p)$ bit-operation cost.
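As an added illustration (not code from the paper), the public-transcript side of a star access structure: one center share plus one leaf share replicated by sealing to each registered leaf device, with scalars kept inside an object that never returns them, plain Fiat-Shamir Schnorr proofs standing in for the Fischlin-based UC NIZKs, and a toy group Z_P^*. The group, the session context, the device names and the verification layout are assumptions; this is one simple realization of a 1+1-out-of-n star, not necessarily SDKG's construction.

```python
import hashlib
import secrets
P = 2**89 - 1      # Mersenne prime; toy modulus for Z_P^*, not a production group
ORDER = P - 1      # exponents are reduced modulo the order of Z_P^*
G = 3              # fixed base; g^a * g^b = g^(a+b) holds for any base

def h(*parts):  # Fiat-Shamir challenge; stands in for the paper's Fischlin NIZK
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

class KeyBox:
    """Holds a scalar that is never returned; only group elements and proofs leave."""
    def __init__(self, scalar=None):
        self.__x = scalar if scalar is not None else secrets.randbelow(ORDER - 1) + 1
    def public(self):
        return pow(G, self.__x, P)
    def prove(self, ctx):  # Schnorr proof of knowledge of the hidden scalar, bound to ctx
        k = secrets.randbelow(ORDER - 1) + 1
        R = pow(G, k, P)
        return R, (k + h(ctx, G, self.public(), R) * self.__x) % ORDER
    def seal_clone(self):
        """Stand-in for attested KeyBox-to-KeyBox sealing: replicate without exporting."""
        return KeyBox(self.__x)

def verify_pok(ctx, pub, proof):
    R, s = proof
    return pow(G, s, P) == (R * pow(pub, h(ctx, G, pub, R), P)) % P

def verify_star_transcript(ctx, Y, center, leaves):
    """Public check: each party proves knowledge, and every center+leaf pair recombines to Y."""
    c_pub, c_proof = center
    if not verify_pok(ctx + "/center", c_pub, c_proof):
        return False
    for name, (l_pub, l_proof) in leaves.items():
        if not verify_pok(ctx + "/leaf/" + name, l_pub, l_proof):
            return False
        if (c_pub * l_pub) % P != Y:     # g^{x_c} * g^{x_l} must equal Y = g^{x_c + x_l}
            return False
    return True

def run_demo(leaf_names=("primary", "recovery-1", "recovery-2")):
    """Constructed star transcript: one center share, one leaf share sealed to each leaf."""
    ctx = "sdkg-demo-session-0"            # constructed session identifier (assumption)
    center, leaf_seed = KeyBox(), KeyBox()
    leaves = {}
    for n in leaf_names:                   # role-based registration via sealing
        box = leaf_seed.seal_clone()
        leaves[n] = (box.public(), box.prove(ctx + "/leaf/" + n))
    Y = (center.public() * leaf_seed.public()) % P   # transcript-derived public key
    return ctx, Y, (center.public(), center.prove(ctx + "/center")), leaves
```

The verifier touches only group elements and proofs, so the affine relation between the shares is checked without any scalar leaving its box.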