Score:2

Implementing ECDSA threshold using a secret sharing scheme


My question might be a duplicate but I wasn't able to find a similar question.

I recently developed a wallet-like app and I am trying to implement some MPC features.

I searched a little and even asked ChatGPT about how I can achieve that.

I know how ECDSA and Shamir’s secret sharing work, but I can't find a way to combine their functionalities.

I need functionality similar to this:

n parties have their own private and public keys and agree to create a k-of-n wallet so that any k of them can perform a transaction. They must NEVER share their own private keys with each other, but they can sign a transaction hash with their private keys and share the signature with some trusted entity (not other participants, a server for example).

I have many questions:

  1. Is it possible? How could the main wallet public key (and address) be made? I think of some method like this:

    wallet-public-key=GeneratePublicKey(array of participants public keys,n,k)

  2. Is the signing mechanism of each party a normal ECDSA signing mechanism that returns R and S?

  3. How can I aggregate signatures and create the final R and S? Should it be a chain of signatures, or each party will sign the same hash?

In this scenario, the main wallet’s private key will never even be constructed. Is it possible? Are there any open-source implementations? Is there any mathematical proof of it?

If it is not possible, I can try solution #2: instead of each party keeping its private key, the server can create a key pair as the main wallet and split the private key with something like Shamir’s secret sharing or any other mechanism. After that, each party does its own signing without revealing the private or public key. Is it possible? How can I aggregate signatures?

After a lot of prompts with ChatGPT, it told me that this process is called threshold ECDSA and that there are some solutions for it, like MuSig, ECDSA-BP (ECDSA with Batch Parallelism), Threshold BLS, and DKG-based ECDSA. I need to understand what they exactly do. Also, some of them look like they are n-of-n instead of k-of-n.

Maarten Bodewes
Things like full protocol recommendations are out of scope for this site. So are remarks like "I need to understand what they exactly do." Possibly 2 and 3 could be on topic, but they would be for a specific scheme or protocol I suppose. Maybe a hint in the comments to which scheme fits the use case best is in order though.
fgrieu
What you are looking for is a _threshold signature_ or _multisignature_ scheme/protocol, depending on if you want signers to be anonymous or identifiable. I don't know how ECDSA could be the basis of such a scheme/protocol for general m-out-of-n (but don't rule out that possibility). I suggest to disregard technical advice given by ChatGPT, and guess that includes "ECDSA-BP" and "DKG-based ECDSA" at least (and wouldn't upvote the question until it's chastised from ChatGPT nonsense).
Rohit Gupta
You seem to be trusting ChatGPT a tad too much. It can often be right, but it's mostly waffly, disregards ownership, and is often horribly wrong.
Score:0

Here is a list of threshold signing protocol implementations, including ones for threshold ECDSA: https://github.com/ZenGo-X/awesome-tss.
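
As an added illustration (not code from this thread or from any listed project), the sketch below covers the key-setup half of the question's "solution #2" and its question 1: a trusted dealer splits a secp256k1 private key with Shamir's scheme over the group order, and any k *public* shares interpolate "in the exponent" to the wallet public key without the private key being rebuilt. All function names are hypothetical; it does not perform threshold signing, which needs one of the interactive protocols implemented in the linked list.

```python
# Added example, hypothetical names: Shamir shares of a secp256k1 key (dealer model).
import secrets

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def split(secret, k, n):
    """Dealer step: degree k-1 polynomial with f(0) = secret; shares are f(1..n) mod N."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(k - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of share i at x = 0 for the participating set ids."""
    num = den = 1
    for j in (j for j in ids if j != i):
        num, den = num * -j % N, den * (i - j) % N
    return num * pow(den, -1, N) % N

def combine_public(pub_shares):
    """Sum lambda_i * (x_i * G) over the given {id: public share} map."""
    ids, acc = list(pub_shares), None
    for i, pt in pub_shares.items():
        acc = ec_add(acc, ec_mul(lagrange_at_zero(i, ids), pt))
    return acc
```

Each party i would publish `ec_mul(x_i, G)` for its share `x_i`; fewer than k public shares interpolate to an unrelated point.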