reply on: Frostsnap - Easy, personalized, secure bitcoin multisig for everyone \ stacker news ~bitcoin

362 sats \ 5 replies \ @nerd2ninja 20 Jul 2023 \ on: Frostsnap - Easy, personalized, secure bitcoin multisig for everyone bitcoin

"With FROST you can add or remove signers after key generation while keeping the key the same."

How?
How could you justify the idea that such a practice would be secure?

375 sats \ 0 replies \ @utxoclub OP 20 Jul 2023

Thanks for the question, here are some thoughts on this topic

Since each secret share of a FROST key is a point (index, secret share) that belongs to a polynomial with some interpolation threshold. A threshold number of parties can each evaluate their share of this joint polynomial at a new participant index.

Parties securely communicate these evaluations to the new party using a repairable threshold scheme, and the new party sums them to receive their secret share. This secret share belongs to the same polynomial and key as the other parties, can sign etc.

Removing a signer involves parties recreating their secret shares and a new polynomial, only this new polynomial retains the same joint-secret (x=0) and thus the same public key.

The removed signer never loses their secret share, only they will now be incompatible with every honest signer who has moved to a new polynomial.

2120 sats \ 3 replies \ @rijndael 20 Jul 2023

@utxoclub answered the "how" in his comment (the google-able term is "rpoactive secret sharing)

For "how can it be secure" question, you need a quorum of signers to add/remove a signer. So if you have a 3/5 and you want to add a new signer, you need to have 3 of the existing signers. Those three could move all the money anyway.

110 sats \ 0 replies \ @hugohanoi 21 Jul 2023

It's a cool feature - but doesn't this also create a new attack vector?

For example, some parties might be tricked into generating a new quorum/new shares, whereas other parties are still using the old quorum/old shares.

3-of-5 becomes 3-of-4, where 2 shares are stale/invalid: Party A: share A1 Party B: share B1 Party C: share C2 (tricked) Party D: share D2 (tricked) Party E: removed

To mitigate this, I suppose you might want a secure communication channel and a protocol to ensure that either everybody moves to a new set of shares, or no one moves. That and keeping old shares on the devices, just in case. Keeping states is something that you might have to do anyway for the nonces.

121 sats \ 1 reply \ @nerd2ninja 20 Jul 2023

rijndael coming in clutch.

28 sats \ 0 replies \ @utxoclub OP 20 Jul 2023

That's what he does!