Threshold Cryptography
Threshold Signature Scheme (TSS)
This section borrows from Binance.
Threshold cryptography, or TSS, is used here to secure wallets for Shakesco users. Rather than having a single private key that an attacker with adequate resources and time can steal, the system distributes shares of the private key a to n parties, where any t+1 of those parties can jointly produce a valid signature for the computation they want to achieve, in this case signing wallet transactions. The system is similar to a traditional multisig, but with these advantages:
- Transactions don't reveal which t+1 parties signed
- A single signature is produced for verification
- Because of point 2, nodes don't have to do any extra computation to validate the signature
To secure the transport we use TLS with AEAD (Transport Layer Security with Authenticated Encryption with Associated Data), so participants can be sure that every message exchanged by the TSS protocol is encrypted and authenticated between the parties. TLS only protects messages on the wire; the shares themselves are additionally encrypted before they are stored.
📓 Note: To make this user friendly at the start, the user stores one encrypted share on a remote server and the other encrypted share is sent to their device. In the future, users will be able to choose the t+1-of-n structure they want to employ.
The following are the steps by which the parties produce and use their shares:
Key Generation
With no trusted dealer, the n parties jointly produce shares of a private key a, encrypt them and store them locally, such that any t+1 parties can later produce a valid signature. The system must ensure that all n parties end up with the same public key P but different secret shares a_1, ..., a_n. It guarantees that no share is leaked to an eavesdropper and that the public key P is a function of the secret shares a_1, ..., a_n; the full private key a is never assembled anywhere.
Signing
When users want to perform a computation, in this case signing, only t+1 parties need to participate to produce a valid signature. The parties do not reconstruct the private key in order to sign, unlike plain Shamir Secret Sharing, where the secret must be rebuilt in one place before it can be used. Reconstructing it would reintroduce the single point of failure that the distributed key generation above avoids. The system guarantees that during this computation the t+1 parties learn nothing about each other's shares a_1, ..., a_n (and hence nothing about a), and that the output signature sig can be verified with the public key P.
Resharing
In case any of the n participants is compromised, the participants can reshare their secret shares and obtain new ones. The old shares are invalidated, and the new shares are used for future computations. Resharing puts the same key on a fresh polynomial, so old and new shares can no longer be combined; it only helps, however, if every honest party also deletes its old share. This is a naive approach and we believe proactive refresh is better. We are working on it!
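The three steps above, key generation without a dealer, signing by any t+1 parties without reconstructing the key, and resharing onto fresh shares, as an added worked example. This is illustrative code written for this page, not Shakesco's wallet code and not Binance's tss-lib: it uses a toy threshold Schnorr scheme over a Schnorr group of prime order Q inside Z_P^* with deliberately tiny, insecure parameters (P_MOD, Q and G are assumed toy values), whereas the real system signs secp256k1 ECDSA transactions. The structure of the protocol is what matters: each party only ever handles its own share a_i, one ordinary signature comes out, and the signature does not encode which quorum produced it.

```python
"""Added example (not Shakesco's or tss-lib code): toy threshold Schnorr
showing dealerless key generation, t+1-of-n signing without rebuilding the
key, and resharing. Parameters are toy-sized and NOT secure."""
import hashlib
import secrets

P_MOD = 2039   # assumed toy safe prime, P_MOD = 2*Q + 1 (illustration only)
Q = 1019       # prime order of the subgroup the keys live in
G = 4          # 2^2 mod P_MOD generates the order-Q subgroup

def lagrange_at_zero(idx, members):
    """Lagrange coefficient lambda_idx such that sum(lambda_i * f(i)) == f(0)."""
    num, den = 1, 1
    for j in members:
        if j != idx:
            num = num * (-j) % Q
            den = den * (idx - j) % Q
    return num * pow(den, -1, Q) % Q

def share_secret(secret, t, n):
    """Shamir-share `secret` on a random degree-t polynomial; returns {i: f(i)}."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def keygen(t, n):
    """Dealerless DKG: every party deals a sharing of its own random a_j and
    publishes g^a_j. Party i's share is the sum of what it received, the key
    is a = sum(a_j) and P = prod(g^a_j) = g^a. Nobody ever holds a itself."""
    pubkey, shares = 1, {i: 0 for i in range(1, n + 1)}
    for _ in range(n):
        a_j = secrets.randbelow(Q)
        pubkey = pubkey * pow(G, a_j, P_MOD) % P_MOD
        for i, s in share_secret(a_j, t, n).items():
            shares[i] = (shares[i] + s) % Q
    return pubkey, shares

def challenge(r, pubkey, msg):
    """Fiat-Shamir challenge e = H(R || P || m) reduced into Z_Q."""
    data = r.to_bytes(4, "big") + pubkey.to_bytes(4, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(shares, signers, pubkey, msg):
    """Any t+1 signers produce one Schnorr signature (R, s). Each contributes a
    nonce k_i and a partial s_i = k_i + e * lambda_i * x_i; the sum is k + e*a,
    so the key is used without ever being assembled. In a real protocol each
    k_i stays on its owner's machine; this single-process demo holds them all."""
    nonces = {i: secrets.randbelow(Q) for i in signers}
    r = 1
    for k in nonces.values():
        r = r * pow(G, k, P_MOD) % P_MOD      # R = g^k with k = sum(k_i)
    e = challenge(r, pubkey, msg)
    s = 0
    for i in signers:
        s = (s + nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]) % Q
    return r, s   # nothing here identifies which signers took part

def verify(pubkey, msg, sig):
    """Plain Schnorr check g^s == R * P^e; the verifier sees one signature."""
    r, s = sig
    e = challenge(r, pubkey, msg)
    return pow(G, s, P_MOD) == r * pow(pubkey, e, P_MOD) % P_MOD

def reshare(shares, members, t_new, n_new):
    """t+1 old members each re-share lambda_i * x_i on a fresh degree-t_new
    polynomial. Summing what each new party receives gives shares of the same
    key on a new polynomial, so old and new shares can no longer be combined."""
    new = {j: 0 for j in range(1, n_new + 1)}
    for i in members:
        weighted = lagrange_at_zero(i, members) * shares[i] % Q
        for j, s in share_secret(weighted, t_new, n_new).items():
            new[j] = (new[j] + s) % Q
    return new

def reconstruct(shares, members):
    """Demo-only: rebuild the key from t+1 shares. The protocol never does this."""
    return sum(lagrange_at_zero(i, members) * shares[i] for i in members) % Q

if __name__ == "__main__":
    msg = b"transfer 1 ETH"                     # constructed sample transaction
    pk, old = keygen(t=1, n=3)                  # 2-of-3 wallet
    print("2-of-3 signature verifies:", verify(pk, msg, sign(old, [1, 3], pk, msg)))
    new = reshare(old, [2, 3], t_new=2, n_new=4)   # move to 3-of-4 after a compromise
    print("same key after resharing:", pow(G, reconstruct(new, [1, 2, 4]), P_MOD) == pk)
    print("3-of-4 signature verifies:", verify(pk, msg, sign(new, [1, 2, 4], pk, msg)))
    mixed = {1: old[1], 2: new[2], 3: new[3]}   # a leaked old share plus new ones
    print("mixed old/new shares recover key:", pow(G, reconstruct(mixed, [1, 2, 3]), P_MOD) == pk)
```

The last line prints False except with probability 1/Q, which is the concrete meaning of "old shares are invalidated": a share stolen before resharing is a point on a polynomial nobody uses any more. Note that the demo runs every party in one process for readability; the security argument depends on each party's share and nonce never leaving its own machine.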