Actually bringing your own key is possible, but there are limitations.

A FROST signing share is a polynomial evaluation. If, say, 3 people join together each bringing their own fixed signing shares, there exists some quadratic polynomial that interpolates their shares. However, it's impossible to find a linear (degree-one) polynomial which does the same.

In practice, this means if `n` people BYOK, they can definitely create an `n` of `n` threshold key with FROST. They can then issue new shares to add more people to the FROST group if they wanted, to make it an `n` of `m` threshold.

I'm not sure about the security implications of what a DKG would look like if only SOME keys are fixed and others can be variable. That's a different ball game 😅
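As an added illustration of the interpolation argument in this note (example code written here, not the author's and not from any FROST library): plain Shamir-style shares over the scalar field, with the group public key and commitment rounds of real FROST left out. It assumes the secp256k1 scalar field, so everything is reduced modulo the curve order `Q`; the share values are constructed for the demo.

```python
# Added example for the "bring your own share" discussion; not code from the
# note's author or from any FROST implementation. Assumption: the signing
# group uses the secp256k1 scalar field, so all arithmetic is modulo its order.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def lagrange_interpolate(points, x):
    """Evaluate, at x, the unique polynomial of degree <= len(points)-1 that
    passes through the given (x_i, y_i) points (Lagrange form, mod Q)."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        result = (result + yi * num * pow(den, -1, Q)) % Q
    return result


def byok_group(fixed_shares):
    """n participants each bring a fixed share (x_i, s_i). The unique degree-(n-1)
    polynomial through them defines an n-of-n group: its constant term is the
    group secret, and evaluating it elsewhere issues shares for new members
    (which turns the group into n-of-m but never lowers the threshold)."""
    secret = lagrange_interpolate(fixed_shares, 0)

    def issue_share(x_new):
        return (x_new, lagrange_interpolate(fixed_shares, x_new))

    return secret, issue_share


def fits_lower_degree(fixed_shares, degree):
    """Check whether the fixed shares happen to lie on a polynomial of the given
    (lower) degree: define it from the first degree+1 shares and test the rest.
    For independently chosen shares this is false, which is why n fixed shares
    cannot generally form a smaller-than-n threshold."""
    basis = fixed_shares[:degree + 1]
    return all(lagrange_interpolate(basis, x) == y for x, y in fixed_shares[degree + 1:])


if __name__ == "__main__":
    # Constructed demo shares: they lie on f(x) = 3x^2 + 2x + 11, so f(0) = 11.
    shares = [(1, 16), (2, 27), (3, 44)]
    secret, issue_share = byok_group(shares)
    print("group secret f(0):", secret)                      # 11
    print("no degree-1 fit:", fits_lower_degree(shares, 1))  # False
    new_share = issue_share(4)                               # (4, 67)
    print("issued share for participant 4:", new_share)
    # Any 3 of the 4 shares recover the same secret: threshold stays 3.
    print("recovered from {2,3,4}:",
          lagrange_interpolate([shares[1], shares[2], new_share], 0))
```

The `fits_lower_degree` check makes the caveat in the note concrete: three independently chosen shares define exactly one quadratic, and only in the degenerate case where they happen to be collinear could a 2-of-3 group exist.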


Discussion

How would one go about discovering the security implications of such a DKG?

You sit down, put pencil to paper and work it out!

There is likely a way to do the DKG so that some cosigners have fixed keys and others have fresh random keys. It'd probably just take some clever math and a security proof that malicious cosigners couldn't bias the DKG to do evil stuff like backdoor the group key.

Lol. Learning cryptography still! Might have to give it a try. It's just math, right?

Yep! I have some links to some more beginner-friendly ECC stuff here:

https://conduition.io/cryptography/ecc-resources/

Great point, they can just interpolate existing keys, but yes, I believe the security is weakened; maybe OK in certain contexts. By omitting the commitment round, you allow a misbehaving participant to bias the distribution of key generation outcomes by selectively complaining/failing (mentioned in FROST paper sec 2.3).

nostr:npub1l6uy9chxyn943cmylrmukd3uqdq8h623nt2gxfh4rruhdv64zpvsx6zvtg thanks again for these great posts, nostr:npub160t5zfxalddaccdc7xx30sentwa5lrr3rq4rtm38x99ynf8t0vwsvzyjc9 you might be interested in checking them out:

https://conduition.io/cryptography/shamir/

My pleasure 😄 I wonder if the DKG could be run securely (incl. commitment round) if the participants sampled random evaluations instead of random coefficients when building their keygen polynomial f_i(x)...

Damn, times like now, I really wish nostr had LaTeX support 🥲 Stay tuned and maybe I'll write something up for this.

"Securely": does that have any special meaning in this context? Or just the general computer terminology?

nostr:npub1zswjq57t99f444z6485xtn0vfyjjfu8vqpnyj6uckuyem2446evqnxgc6x worked on an implementation that uses fedimint nodes for DKG. (https://github.com/EthnTuttle/fedimint/tree/nostrmint-cli)

nostr:npub1j8d6h8mzvc8f2fvysrf09nlkmn7m2ylj32zl5na4tm5e8fd5dqysrg26k2

nostr:note1pr9682453najqgfrc746pgu6rtntd3ugnyy4srt5cesapnf42nuspfmkpy