1

I have a blockchain wallet with a single signature wallet, is there a way of making this wallet "multi-signature"? E.g., can we use some secret sharing scheme to distribute the single private key among custodians? What I need in the end is to make several users control access to a single wallet.

Solon
  • 113
  • 3

2 Answers

2

(Responding to Squeamish Ossifrage) Threshold signatures do not require any single member to reconstruct the whole secret. Ideally each party produces a partial signature and only when they are all combined is the signature valid.

Douglas R. Stinson, Reto Strobl - Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold Scheme for Implicit Certificates

This enables a pre-determined group to share a single Schnorr identity without changing the verification side of the protocol. Any subset of $k$ members may collaborate to sign a common message. The secret sharing is verified and the dealer cannot cheat. The co-signers cannot be tricked by their peers.

MuSig: n-of-n threshold Schnorr via aggregation

MuSig also doesn't change the verification side. A group is derived from the list of all public keys required to sign the common message. With only two rounds of communication, the group produces the signature.

Crypto conditions: off-chain contracts resolving to minimal proofs of execution

Crypto-conditions are a form of multi-sig contract that doesn't attempt to aggregate any identities. Instead it uses hash commitments to commit to some boolean circuit, i.e., a contract may require "either Alice, or both Bob and Carol", or any arbitrary logic. The contract is a single hash. The proof of execution reveals only the relevant branches. The contract is valid if all leaves are valid and all intermediate steps have appropriate thresholds.

ANY-k is implemented as k-of-n. OR/ANY as 1-of-n. AND/ALL as n-of-n. A fulfillment may be either a hash-lock that is just a revealed symmetric secret key, or a signing public key whose corresponding secret signs the transaction that it approves.

Any irrelevant (or dead/unresolved) branches are truncated to a single hash commitment; enabling an arbitrarily large contract to resolve to a minimal proof.

Conclusion

I believe it would be worth implementing all of these. Notably $(t,n)$ enables a group to divide their signing right such that no single, or fewer-than-t subset may impersonate the group. N-of-N MuSig enables opportunistic groups to compress the crypto-condition contracts, which can describe any boolean circuits - not just subsets or all.

bonus: BLS is a signature scheme that supports aggregation of many distinct signatures. But this is not Schnorr-friendly and does not work with any curves not explicitly designed to be pairing-friendly.

cypherfox
  • 1,442
  • 8
  • 16
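The "either Alice, or both Bob and Carol" contract from the answer above, worked through as an added example (not code from the answer, nor the crypto-conditions project's own format): a toy hash-committed condition tree in Python with hash-lock leaves only, where a fulfillment reveals the satisfied branches and truncates the rest to their condition hashes. The `preimage`/`threshold` encodings and the three party secrets are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def preimage_condition(preimage: bytes) -> bytes:
    return h(b"preimage" + h(preimage))   # hash-lock leaf: commits to H(secret)

def threshold_condition(k: int, subconditions: list) -> bytes:
    # k-of-n node: commits to k and to the sorted sub-condition hashes
    return h(b"threshold" + bytes([k]) + b"".join(sorted(subconditions)))
def preimage_fulfillment(preimage: bytes) -> dict:
    return {"type": "preimage", "preimage": preimage}
def threshold_fulfillment(k: int, fulfilled: list, unresolved: list) -> dict:
    # unresolved (dead) branches are truncated to their bare condition hashes
    return {"type": "threshold", "k": k, "fulfilled": fulfilled, "hashes": unresolved}

def resolve(f: dict) -> bytes:
    """Return the condition hash this fulfillment proves, or raise ValueError."""
    if f["type"] == "preimage":
        return preimage_condition(f["preimage"])
    if f["type"] == "threshold":
        if len(f["fulfilled"]) < f["k"]:
            raise ValueError("threshold not met")
        return threshold_condition(f["k"], [resolve(s) for s in f["fulfilled"]] + list(f["hashes"]))
    raise ValueError("unknown fulfillment type")

def verify(condition: bytes, fulfillment: dict) -> bool:
    try:
        return resolve(fulfillment) == condition
    except (ValueError, KeyError, TypeError):
        return False

# Constructed secrets stand in for the parties' keys (hash-lock leaves only, no signatures).
ALICE, BOB, CAROL = b"alice-secret", b"bob-secret", b"carol-secret"
ALICE_C, BOB_C, CAROL_C = (preimage_condition(s) for s in (ALICE, BOB, CAROL))
BOB_AND_CAROL = threshold_condition(2, [BOB_C, CAROL_C])
CONTRACT = threshold_condition(1, [ALICE_C, BOB_AND_CAROL])   # "Alice, or both Bob and Carol"

def alice_alone() -> dict:    # Alice's leaf revealed; the Bob-and-Carol subtree stays a hash
    return threshold_fulfillment(1, [preimage_fulfillment(ALICE)], [BOB_AND_CAROL])
def bob_and_carol() -> dict:  # inner 2-of-2 fully revealed; Alice's leaf stays a hash
    inner = threshold_fulfillment(2, [preimage_fulfillment(BOB), preimage_fulfillment(CAROL)], [])
    return threshold_fulfillment(1, [inner], [ALICE_C])
def bob_alone() -> dict:      # Carol's branch unresolved, so the inner 2-of-2 is not met
    inner = threshold_fulfillment(2, [preimage_fulfillment(BOB)], [CAROL_C])
    return threshold_fulfillment(1, [inner], [ALICE_C])
def bob_cheats() -> dict:     # Bob relabels the inner node as 1-of-2; the hash no longer matches
    inner = threshold_fulfillment(1, [preimage_fulfillment(BOB)], [CAROL_C])
    return threshold_fulfillment(1, [inner], [ALICE_C])
```

The verifier only ever sees the single `CONTRACT` hash plus whichever branches the proof reveals, so a dead branch costs one hash regardless of how large its subtree is.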

0

In principle, yes, if you destroy the inputs to the secret-sharing scheme—but the moment any one party assembles all the shares to make a signature, that party has the unilateral power to make signatures until you destroy that party. So the party who reassembles the secret is a single point of eternal failure every time you need to make a signature.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230