# Key Generation

A two-party method can be used to generate a public key for elliptic-curve signing (such as ECDSA or EdDSA). This two-party approach can be used to generate a public key $$Q$$ without either party knowing the private key $$x$$. Here's how it works:

* **Concept of Elliptic-Curve Keys**: The private key $$x$$ corresponds to a public key $$Q$$, defined as $$Q=x⋅G$$, where $$G$$ is the generator of the elliptic-curve group.
* **Objective**: The goal is for party $$1P1$$ to hold a share $$1x1$$, and party $$2P2$$ to hold a share $$2x2$$, with the condition $$2x=x1+x2$$.

**The Process of Two-Party Key Generation**

* **Initial Step**: Each party independently selects a random value: $$1P1$$ chooses $$1x1$$ and computes $$Q1=x1⋅G$$, and $$2P2$$ chooses $$2x2$$ and computes $$Q2=x2⋅G$$.
* **Exchange and Calculation**: $$1P1$$ and $$2P2$$ exchange $$1Q1$$ and $$2Q2$$ respectively, and each then defines $$2Q=Q1+Q2$$. By elliptic-curve properties, $$Q=(x1+x2)⋅G=x⋅G$$, thus generating the public key without exposing $$x$$.

**Addressing Security Concerns**

* **Problem with Initial Approach**: If $$2P2$$ is corrupt, it could bias $$Q$$ by waiting for $$1Q1$$ from $$1P1$$ and then choosing $$2Q2$$ to manipulate $$Q$$.
* **Solution - Commitment Scheme**: To prevent this, $$1P1$$ sends a commitment to $$1Q1$$, essentially a cryptographic "envelope" that hides $$1Q1$$ but binds $$1P1$$ to it. After $$2P2$$ sends $$2Q2$$, $$1P1$$ reveals $$1Q1$$.
* **Ensuring Randomness and Security**: This method ensures that $$1Q1$$ and $$2Q2$$ are chosen independently. If one party is honest, the result is random and secure. Neither party knows $$x$$, as it's only additively shared between them.