Suppose $n$ parties, of which $t$ are honest, want to perform a distributed key generation protocol. There are many existing schemes. In the simpler setting where all $n$ parties must be online, otherwise the protocol aborts, does the following simplified scheme suffice?

- Each party $i$ samples $x_i \gets \mathbb{Z}_p$
- Compute $X_i \gets g^{x_i}$
- Create a zero-knowledge proof for the discrete logarithm relation on $(x_i, X_i)$, call this proof $\sigma_i$
- Broadcast $(X_i, \sigma_i)$
- Upon receiving $n$ messages, verify the proof and compute the public key as $pk \gets \sum_i X_i$

Encryption is performed using ElGamal. Then, to do distributed decryption for a ciphertext $c$, parties just broadcast the result of ElGamal decryption and then aggregate the result to obtain the final plaintext. Clearly the adversary could stop the honest parties from learning the plaintext by not sending his part of the decryption. But other than that, would this be a secure DKG protocol if I don't want to support an arbitrary threshold?
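The scheme described in the question, written out as an added example (not code from the original post). It assumes a Schnorr proof made non-interactive with Fiat-Shamir as the discrete-log proof, a constructed toy group far too small for real use, and multiplicative notation, so the question's $\sum_i X_i$ becomes a product; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy group (insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def challenge(*vals):
    """Fiat-Shamir challenge: hash the transcript into Z_Q (assumed proof system)."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen_round(i):
    """Party i: sample x_i, publish X_i = g^x_i with a Schnorr proof sigma_i."""
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    s = (k + challenge(i, X, R) * x) % Q
    return x, (i, X, (R, s))

def verify_proof(msg):
    """Check g^s == R * X^c and that X lies in the order-Q subgroup."""
    i, X, (R, s) = msg
    in_group = 1 < X < P and pow(X, Q, P) == 1
    return in_group and pow(G, s, P) == R * pow(X, challenge(i, X, R), P) % P

def combine_public_key(msgs):
    """Abort unless every proof verifies; pk is the product of all X_i."""
    if not all(verify_proof(m) for m in msgs):
        raise ValueError("invalid proof, abort")
    pk = 1
    for _, X, _ in msgs:
        pk = pk * X % P
    return pk

def encrypt(pk, m):
    """ElGamal encryption of a group element m under the joint key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P

def partial_decrypt(x, c):
    """Broadcast share d_i = c1^x_i (no correctness proof, as in the question)."""
    return pow(c[0], x, P)

def combine_decryption(c, shares):
    """Multiply all n shares and strip the mask from c2."""
    d = 1
    for share in shares:
        d = d * share % P
    return c[1] * pow(d, -1, P) % P
```
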