Distributed Key Generation (DKG) lets parties derive a common public key while keeping the signing key secret-shared. UC-secure DKG requires a verifiable-sharing enforcement layer -- classically satisfied via Verifiable Secret Sharing (VSS) and/or commitment-and-proof mechanisms -- for secrecy, uniqueness, and affine consistency. We target the Non-eXportable Key (NXK) setting enforced by hardware-backed key-isolation modules (e.g., TEEs, HSM-like APIs), formalized via an ideal KeyBox (keystore) functionality $\mathcal{F}_{KeyBox}$ that keeps shares non-exportable and permits only attested KeyBox-to-KeyBox sealing. With confidentiality delegated to the NXK boundary, the remaining challenge is enforcing transcript-defined affine consistency without exporting or resharing shares. State continuity rules out rewinding-based extraction, mandating straight-line techniques. We combine (i) KeyBox confidentiality; (ii) Unique Structure Verification (USV), a publicly verifiable certificate whose certified scalar never leaves the KeyBox yet whose public group element is transcript-derivable; and (iii) Fischlin-based UC-extractable NIZK arguments of knowledge in a gRO-CRP (global Random Oracle with Context-Restricted Programmability) model. We construct Star DKG (SDKG), a UC-secure scheme for multi-device threshold wallets where a designated service must co-sign but cannot sign alone, realizing a 1+1-out-of-$n$ star access structure (center plus any leaf) over roles (primary vs. recovery) with role-based device registration. In the $\mathcal{F}_{KeyBox}$-hybrid and gRO-CRP models, under DL and DDH assumptions with adaptive corruptions and secure erasures, SDKG UC-realizes a transcript-driven refinement of the standard UC-DKG functionality. Over a prime-order group of size $p$, SDKG incurs $\widetilde{O}(n\log p)$ communication overhead and $\widetilde{O}(n\log^{2.585}p)$ bit-operation cost.
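As an added illustration (not code from the paper or its authors), the following Python toy models the 1+1-out-of-$n$ star access structure and the public affine-consistency check that a transcript of per-leaf commitments must satisfy. It substitutes a trusted dealer for the DKG and uses a constructed, far-too-small Schnorr subgroup; the KeyBox, USV and NIZK machinery of SDKG are not modelled.

```python
# Constructed toy model, not the paper's SDKG protocol: it shows the
# 1+1-out-of-n star access structure (center plus any leaf) and the public
# affine-consistency check on a transcript of group elements.
# A trusted dealer stands in for the DKG; the group is a tiny Schnorr subgroup.
P, Q, G = 2039, 1019, 4          # p = 2q + 1; G = 2^2 generates the order-q subgroup

def deal_star(x, center_scalars):
    """Per leaf i: center keeps c_i, leaf i keeps l_i with c_i + l_i = x (mod Q).
    Returns private shares plus the public transcript (PK, A_i = G^c_i, B_i = G^l_i)."""
    pk = pow(G, x, P)
    center, leaves, transcript = {}, {}, {}
    for i, c in enumerate(center_scalars, start=1):
        l = (x - c) % Q
        center[i], leaves[i] = c, l
        transcript[i] = (pow(G, c, P), pow(G, l, P))
    return center, leaves, pk, transcript

def verify_transcript(pk, transcript):
    """Anyone can check affine consistency: every leaf's pair (A_i, B_i)
    must multiply to the common public key, so all pairs define the same x."""
    return all((a * b) % P == pk for a, b in transcript.values())

def combine(center_shares, leaf_shares):
    """Access check: a result exists only when the center and at least one leaf
    contribute. Any number of leaves alone, or the center alone, yields None.
    (In the NXK setting this would be a co-signature, never an export of shares.)"""
    for i, l in leaf_shares.items():
        if i in center_shares:
            return (center_shares[i] + l) % Q
    return None

def demo():
    x = 777                                   # constructed dealer secret
    center, leaves, pk, transcript = deal_star(x, [123, 456, 1010])
    results = {
        "consistent": verify_transcript(pk, transcript),
        "center_plus_leaf2": combine(center, {2: leaves[2]}),
        "leaves_only": combine({}, leaves),
        "center_only": combine(center, {}),
    }
    # A tampered leaf commitment breaks consistency and is publicly detectable.
    bad = dict(transcript)
    a, _ = bad[3]
    bad[3] = (a, pow(G, 5, P))
    results["tampered_detected"] = not verify_transcript(pk, bad)
    return results

if __name__ == "__main__":
    print(demo())
```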