Key Recovery Scheme

The aim of this scheme is to enable 3 players to generate a single public key which can be recovered using any $t$ of $n$ players. It is trustless and anonymous. The scheme can be used for multisig payments which appear on chain as normal payments.

The basic concept relies on the additivity of functions $(f \circ g) (a) = f (a) + g (a)$ , and additive homomorphism of EC points. That way we avoid heavy MPC multiplications and keep the scheme lightweight.

The values $x_{1}, \dots, x_{n}$ are fixed strings known by all players.

Let $⟨ x ⟩ = commit (x)$ denote a hiding pedersen commitment to $x$ .

Constructing the Curve

Each player $i$ constructs their own curves, with the resulting curve being the sum of them all. Given any t points, we can recover the original curve and hence the secret.

Player $i$ creates curve $i$

Player $i$ creates a random curve $C_{i} = Y + a_{0} + a_{1} X + \dots + a_{t - 1} X^{t - 1}$ , and broadcasts commits $A_{0} = ⟨ a_{0} ⟩, \dots, A_{t - 1} = ⟨ a_{t - 1} ⟩$ .

Then player $i$ lifts points $R_{j} = (x_{j}, y_{j}) \in V (C_{i})$ sending each to player $j$ .

Check $R_{j} \in V (C_{i})$

Upon receiving player $j$ receiving $R_{j}$ , they check that $⟨ y_{j} ⟩ + ⟨ a_{0} ⟩ + x_{j} ⟨ a_{1} ⟩ + \dots + x_{j}^{t - 1} ⟨ a_{t - 1} ⟩ = \infty$

Compute Shared Public Key

Let $C = C_{1} + \dots + C_{n}$ , then the secret key (unknown to any player) is: $d = C (0)$ The corresponding public key is: $P = A_{01} + \dots + A_{0 n} = ⟨ C_{1} (0) + \dots + C_{n} (0)⟩ = ⟨ C (0)⟩$

Key Recovery

Let $T \subseteq N$ be the subset $∣ T ∣ = t$ of players recovering the secret key. Reordering as needed, all players in $T$ send their points $R_{j}$ for curves $C_{1}, \dots, C_{n}$ to player 1.

For each curve $C_{i}$ , player 1 now has $t$ points. Using either lagrange interpolation or row reduction, they can recover curves $C_{1}, \dots, C_{n}$ and compute $C = C_{1} + \dots + C_{n}$ .

Then player 1 computes the shared secret $d = C (0)$ .

The DarkFi Book