362 sats \ 5 replies \ @nerd2ninja 20 Jul 2023 \ on: Frostsnap - Easy, personalized, secure bitcoin multisig for everyone bitcoin
"With FROST you can add or remove signers after key generation while keeping the key the same."
- How?
- How could you justify the idea that such a practice would be secure?
Thanks for the question, here are some thoughts on this topic
Each secret share of a FROST key is a point (index, secret share) on a polynomial with some interpolation threshold, so a threshold number of parties can each evaluate their share of this joint polynomial at a new participant index.
Parties securely communicate these evaluations to the new party using a repairable threshold scheme, and the new party sums them to receive their secret share. This secret share belongs to the same polynomial and key as the other parties' shares, can sign, etc.
Removing a signer involves the parties recreating their secret shares on a new polynomial, except that this new polynomial retains the same joint secret (x=0) and thus the same public key.
The removed signer never loses their secret share; they will simply now be incompatible with every honest signer who has moved to the new polynomial.
reply
@utxoclub answered the "how" in his comment (the google-able term is "proactive secret sharing").
For "how can it be secure" question, you need a quorum of signers to add/remove a signer. So if you have a 3/5 and you want to add a new signer, you need to have 3 of the existing signers. Those three could move all the money anyway.
reply
It's a cool feature - but doesn't this also create a new attack vector?
For example, some parties might be tricked into generating a new quorum/new shares, whereas other parties are still using the old quorum/old shares.
3-of-5 becomes 3-of-4, where 2 shares are stale/invalid:
Party A: share A1
Party B: share B1
Party C: share C2 (tricked)
Party D: share D2 (tricked)
Party E: removed
To mitigate this, I suppose you might want a secure communication channel and a protocol to ensure that either everybody moves to a new set of shares, or no one moves. That, and keeping old shares on the devices, just in case. Keeping state is something that you might have to do anyway for the nonces.
reply
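The mechanics @utxoclub describes (a threshold of holders evaluating the joint polynomial at a new index, and resharing onto a fresh polynomial that keeps the same x=0) and the split-state failure @rijndael raises, worked through in an added Python example. This is illustration code written for this page, not Frostsnap's or any FROST library's: it uses a single random polynomial as a stand-in for the DKG, a minimal additive-masking stand-in for the repairable threshold scheme, and the secp256k1 group order as the scalar field. The function names and the 3-of-5 scenario (add signer 6, remove signer 5, then A and B stuck on old shares while C and D hold new ones) are constructed for the example.

```python
import secrets

# Scalar field: the secp256k1 group order, where FROST-over-secp256k1 does its
# share arithmetic. Plain Shamir arithmetic for illustration; not Frostsnap code.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod Q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_coeff(indices, i, x):
    """Lagrange basis coefficient of index i (among `indices`) evaluated at x."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * ((x - j) % Q) % Q
            den = den * ((i - j) % Q) % Q
    return num * pow(den, Q - 2, Q) % Q


def interpolate(shares, x=0):
    """Recombine a dict {index: share} to f(x); x=0 yields the joint secret."""
    idx = list(shares)
    return sum(lagrange_coeff(idx, i, x) * s for i, s in shares.items()) % Q


def keygen(t, n):
    """Stand-in for the DKG: one random degree-(t-1) polynomial, shares f(1..n).
    Returns the joint secret only so the scenario can check it; FROST never has it."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    return coeffs[0], {i: poly_eval(coeffs, i) for i in range(1, n + 1)}


def enroll(helper_shares, new_index):
    """Add a signer at `new_index`: t helpers jointly hand over f(new_index).

    Each helper's Lagrange-weighted share is split into random additive pieces,
    one per helper; every helper forwards the sum of the pieces it received, and
    the newcomer adds those sums. No single forwarded value reveals a share.
    (Assumed minimal form of a repairable threshold scheme, for illustration.)
    """
    helpers = list(helper_shares)
    inbox = {k: 0 for k in helpers}
    for i, s in helper_shares.items():
        contrib = lagrange_coeff(helpers, i, new_index) * s % Q
        pieces = [secrets.randbelow(Q) for _ in helpers[1:]]
        pieces.append((contrib - sum(pieces)) % Q)  # pieces now sum to contrib
        for k, p in zip(helpers, pieces):
            inbox[k] = (inbox[k] + p) % Q
    return sum(inbox.values()) % Q


def reshare(quorum_shares, t, new_indices):
    """Remove a signer: a quorum re-deals onto a fresh polynomial with the same f(0).

    Quorum member i picks a random degree-(t-1) polynomial h_i with h_i(0) = f(i)
    and sends h_i(j) to each retained index j. Party j's new share is
    sum_i lambda_i(0) * h_i(j), a point on H(x) = sum_i lambda_i(0) * h_i(x),
    and H(0) = sum_i lambda_i(0) * f(i) = f(0). Indices absent from
    `new_indices` (the removed signer) get nothing and stay on the old polynomial.
    """
    quorum = list(quorum_shares)
    new_shares = {j: 0 for j in new_indices}
    for i, s in quorum_shares.items():
        h = [s] + [secrets.randbelow(Q) for _ in range(t - 1)]
        lam = lagrange_coeff(quorum, i, 0)
        for j in new_indices:
            new_shares[j] = (new_shares[j] + lam * poly_eval(h, j)) % Q
    return new_shares


def run_scenario(t=3, n=5):
    """Constructed 3-of-5: add signer 6, remove signer 5, then the split state
    where A (1) and B (2) keep old shares while C (3) and D (4) installed new ones."""
    secret, old = keygen(t, n)
    old[6] = enroll({i: old[i] for i in (1, 2, 3)}, 6)
    new = reshare({i: old[i] for i in (1, 2, 3)}, t, [1, 2, 3, 4, 6])
    return {
        # the newcomer signs with any two others on the same polynomial
        "enrolled_signer_works": interpolate({4: old[4], 5: old[5], 6: old[6]}) == secret,
        # after resharing, the joint secret (x=0) and hence the public key are unchanged
        "reshared_key_unchanged": interpolate({1: new[1], 4: new[4], 6: new[6]}) == secret,
        # removed signer 5 still holds f(5), but f(5) is not a point on H(x)
        "removed_signer_works": interpolate({5: old[5], 1: new[1], 2: new[2]}) == secret,
        # split state: two old shares plus one new share do not recombine to the key
        "mixed_old_new_works": interpolate({1: old[1], 2: old[2], 3: new[3]}) == secret,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The last two entries are the practical point of the split-state concern: nothing in the scalar arithmetic flags a mixed quorum, it just produces a scalar that is not the key, so a signature built from it would fail verification against the group public key rather than failing loudly during signing. That is why the "everyone moves or nobody moves" commit step, and keeping the previous share until that commit is confirmed, matters.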
rijndael coming in clutch.
reply
That's what he does!
reply