# Key Recovery Scheme

The aim of this scheme is to enable 3 players to generate a single public key which can be recovered using any $t$ of $n$ players. It is trustless and anonymous. The scheme can be used for multisig payments which appear on chain as normal payments.

The basic concept relies on the additivity of functions $(f∘g)(a)=f(a)+g(a)$, and additive homomorphism of EC points. That way we avoid heavy MPC multiplications and keep the scheme lightweight.

The values $x_{1},…,x_{n}$ are fixed strings known by all players.

Let $⟨x⟩=commit(x)$ denote a hiding pedersen commitment to $x$.

## Constructing the Curve

Each player $i$ constructs their own curves, with the resulting curve being the sum of them all. Given any t points, we can recover the original curve and hence the secret.

### Player $i$ creates curve $i$

Player $i$ creates a random curve $C_{i}=Y+a_{0}+a_{1}X+⋯+a_{t−1}X_{t−1}$, and broadcasts commits $A_{0}=⟨a_{0}⟩,…,A_{t−1}=⟨a_{t−1}⟩$.

Then player $i$ lifts points $R_{j}=(x_{j},y_{j})∈V(C_{i})$ sending each to player $j$.

### Check $R_{j}∈V(C_{i})$

Upon receiving player $j$ receiving $R_{j}$, they check that $⟨y_{j}⟩+⟨a_{0}⟩+x_{j}⟨a_{1}⟩+⋯+x_{j}⟨a_{t−1}⟩=∞$

## Compute Shared Public Key

Let $C=C_{1}+⋯+C_{n}$, then the secret key (unknown to any player) is: $d=C(0)$ The corresponding public key is: $P=A_{01}+⋯+A_{0n}=⟨C_{1}(0)+⋯+C_{n}(0)⟩=⟨C(0)⟩$

## Key Recovery

Let $T⊆N$ be the subset $∣T∣=t$ of players recovering the secret key. Reordering as needed, all players in $T$ send their points $R_{j}$ for curves $C_{1},…,C_{n}$ to player 1.

For each curve $C_{i}$, player 1 now has $t$ points. Using either lagrange interpolation or row reduction, they can recover curves $C_{1},…,C_{n}$ and compute $C=C_{1}+⋯+C_{n}$.

Then player 1 computes the shared secret $d=C(0)$.