We've been using gnosis-safe.io in some internal projects, and it works fine. It's a multi-sig (potentially with security policy support) smart contract that, once deployed, can hold assets and accepts transactions signed by 2 out of n owners. Victor asked: if αW supports multi-sig, what would it look like?
I think that the αW user base is mostly individuals, so ease of use (including easy setup and maintenance) is the priority. Setting up a multi-sig contract and securing it over time requires a vendor such as gnosis-safe. A lightweight approach is more feasible.
I had this discussion with 丁晟超 more than 2 years ago. His memo is attached at the end of this message; it mentions a paper with an off-chain (contract-less) multi-sig method.
Speaking of usability, I wonder if it supports 'direct use' or 'setupless' operation, that is, the following use flow:
- Alice has an address book in which there is Bob's public key†.
- Alice, of course, has her own private and public key.
- Without any further communication with Bob, Alice can compute a 2-out-of-2 multi-sig public key with Bob.
- Alice can make arrangements in such a way that cryptocurrency is sent to the address of the multi-sig public key.
- When Alice needs to spend the cryptocurrency held on the address of the multi-sig public key, she can communicate with Bob, once, with the message (the transaction that spends the money), and Bob can complete the multi-sig and broadcast the transaction.
If such usage is acceptable, it would be ideal, as it does not involve a smart contract and therefore neither opens up the attack surface nor incurs the maintenance burden that comes with one.
† (In practice: by knowing Bob's Ethereum address and observing at least one transaction signed by him, Alice can recover his public key from the Ethereum blockchain.)
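To make the footnote concrete, here is an added example (not part of this message, and not code from gnosis-safe or from the paper below) of the ECDSA public-key recovery that the footnote relies on: given one signature Bob produced and the hash it covers, anyone can compute his public key. It is pure Python on secp256k1 with no third-party library; "Bob's" private key and the signed payload are constructed sample values, and the nonce derivation is a simplified HMAC construction rather than full RFC 6979.

```python
# Added example: ECDSA public-key recovery on secp256k1, the operation behind
# the claim that a signer's public key can be recovered from any transaction
# they have signed. Pure Python; the key and message below are constructed.
import hashlib
import hmac

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_P, group order N).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def sign(priv, msg_hash):
    """Return (r, s, recid), low-s normalised as Ethereum requires.
    Nonce: simplified HMAC-SHA256(priv, hash) derivation, not full RFC 6979."""
    z = int.from_bytes(msg_hash, "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg_hash,
                                hashlib.sha256).digest(), "big") % N
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = (ry & 1) | (2 if rx >= N else 0)  # parity of R.y, plus overflow bit
    if s > N // 2:          # low-s form; negating s mirrors R, so flip parity
        s = N - s
        recid ^= 1
    return r, s, recid


def recover(msg_hash, r, s, recid):
    """Recover the signer's public key Q = r^-1 * (s*R - z*G)."""
    z = int.from_bytes(msg_hash, "big")
    x = r + (N if recid >= 2 else 0)
    rhs = (x * x * x + 7) % P
    y = pow(rhs, (P + 1) // 4, P)             # modular sqrt, valid as P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("r is not the x-coordinate of a curve point")
    if (y & 1) != (recid & 1):
        y = P - y
    R = (x, y)
    s_R = ec_mul(s, R)
    neg_zG = ec_mul((-z) % N, G)
    return ec_mul(pow(r, -1, N), ec_add(s_R, neg_zG))


# Constructed sample: "Bob's" private key and one payload he signed.
BOB_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
BOB_PUB = ec_mul(BOB_PRIV, G)


def demo():
    """Sign one constructed payload as Bob, then recover his key from the signature."""
    msg_hash = hashlib.sha256(b"constructed sample transaction payload").digest()
    r, s, recid = sign(BOB_PRIV, msg_hash)
    return recover(msg_hash, r, s, recid) == BOB_PUB


if __name__ == "__main__":
    print("recovered key matches Bob's public key:", demo())
```

The recovery id (`recid`) is the piece a real Ethereum transaction carries in its `v` field; without it there are two candidate points for each `r`, which is why the wrong parity bit yields a different, unrelated key rather than an error.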
Memo from 丁晟超 Shengchao Ding
I had a quick glance at the paper "Secure Two-party Threshold ECDSA from ECDSA Assumptions" by Doerner et al., published at IEEE S&P '18. One of the authors, Eysa Lee, also presented this work at TPMPC this year. The fourth author, abhi shelat, is a professor at Northwestern and a leading researcher in the MPC community.
Here are my memos on this paper:
- In theoretical cryptography, there's the result that any multiparty computation function can be computed in two rounds, and two rounds is the lower bound on round complexity.
- A threshold signature scheme can be seen as a multiparty computation functionality. In this view, it seems that an "atomic" threshold signature requires at least two rounds of communication. In the real scenario, this is also reasonable. Take the 2-out-of-2 case as an example: Alice makes a request to carry out the 2-out-of-2 threshold signature, she sends some information to Bob, and Bob sends some information in reply, which concludes the 2 rounds.
- This work is not a generic k-out-of-n threshold ECDSA scheme; it deals with the specific 2-out-of-n case, where k=2. The authors said it can be extended to the k-out-of-n case in the TPMPC presentation, but I haven't found how to extend it in their paper yet.
- This work achieves the lower round complexity bound, i.e. there are only 2 rounds during the signing phase. (A "one-time" setup phase needs 5 rounds.)
- The cryptographic assumptions of this work are the same as ECDSA's, which previous works didn't achieve.
- The scheme is proved secure in the Universally Composable model in the malicious adversary setting.
- The authors made an open-source implementation in Rust: neucrypt / mpecdsa · GitLab. The experimental results in both LAN and WAN settings can be found in the paper: https://eprint.iacr.org/2018/499.pdf
BTW, 2 other papers regarding this topic:
- Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody, by Yehuda Lindell (Bar-Ilan University) and Ariel Nof (Bar-Ilan University)
- Fast Multiparty Threshold ECDSA with Fast Trustless Setup, by Rosario Gennaro (City College of New York) and Steven Goldfeder (Princeton University)