Proof of correct construction of a private key in distributed cryptography

Question

In an exponential ElGamal encryption scheme where the key generation is done in a distributed way among $n$ trustees we have that each trustee $i$ (where $1 \leq i \leq n$):

1. Selects a private key share $x_i \in \mathbb{Z}_q^{\star}$.
2. Computes a public key share $h_i = g^{x_i} \mbox{ mod } p$, where $g$ is the generator of the group.

Then, the public key of the cryptosystem is computed as $h=h_1 \cdot \ldots \cdot h_n \mbox{ mod } p$, while the secret key of the cryptosystem can be considered to be $x=\sum_{i=1}^n x_i$. Clearly, with this setting all shares $x_i$ of the secret key will be needed in order to decrypt any ciphertext, and thus no individual trustee is able to decrypt ciphertexts on his own.

Among some other things not relevant to my question, we usually have that every trustee $i$ is asked to prove that $h_i$ was correctly constructed (that is, $x_i= \log_g h_i$). This is usually proved by means of a Schnorr proof of knowledge. The goal of asking the trustee to prove such thing is, as I've read in the literature, to prevent the trustee from constructing his public key share $h_i$ as a function of the public key of the other trustees.

My question is: what would be the dangers of doing so? That is, what could a trustee gain by constructing $h_i$ as a function of the public key of the other trustees, if he still doesn't know the private key which would allow him to decrypt ciphertexts on his own?

Answer 1

Here's what can happen if you don't do this verification:

Suppose Alice, Bob and company generate their public key shares honestly, $h_2, h_3, ..., h_n$

Now, Snidely Whiplash (who is also a trustee) is the last to contribute his share, he selects a private key $x_{evil}$ and computes $h_{evil} = g^{x_{evil}}$. However, instead of sharing $h_{evil}$ as his share, he computes $h_1 = h_{evil} \cdot ( h_2 \cdot h_3 \cdot ... \cdot h_n)^{-1}$, and provides $h_1$ as his share.

Then, when we compute the public key, we get $h = h_{evil} \cdot ( h_2 \cdot h_3 \cdot ... \cdot h_n)^{-1} \cdot h_2 \cdot h_3 \cdot ... \cdot h_n = h_{evil}$

Hence, Snidely is able to decrypt any message encrypted with this public key, without the help from anyone else.

Asking Snidely (and everyone else) to prove that they know the discrete log of their share prevents this, because Snidely does not know the value of $log_g h_1$