Inquiry on Threshold ECDSA Resharing

Thanks to the IPC Foundation for open sourcing the asynchronous, interactive, distributed ECDSA key generation scheme. If I understand correctly, the resharing scheme should allow resharing threshold shares to new sets of nodes (larger or smaller than the previous set) without changing the ECDSA public key.

Do I understand correctly that reshares are produced from products of old shares? I haven’t been able to understand the difference between masked and unmasked resharings, shown here. Are masked and unmasked defined somewhere? Is there an example in the code where a set of shares are reshared to a larger number of shares, where some nodes are new with no previously existing shares?

Thanks!

1 Like

Masked and unmasked appear to be defined here.

A masked dealing is a Pedersen commitment, while an unmasked dealing is a discrete log commitment.

This helps. Still attempting to find an example or understand the protocol for resharing to a larger set of shares with an increased threshold.

1 Like

There was a really great survey paper on this technology … I think resharing is not that complex :

“When [sk] is already a Shamir sharing, the parties
simply generate a zero secret sharing which they add to
the existing secret.”

This is section 4.2.

Thanks, this paper did help improve my understanding of what might be going on, but @victorshoup mentions in this video as well as this post that none of the ECDSA threshold sharing protocols described in that paper satisfied their needs so they designed a new protocol. I couldn’t find a description of the ECDSA threshold protocol that was decided upon.

@Manu mentioned:

The full cryptographic details of the interactive DKG and threshold ECDSA signing will be published in a paper that should appear in the following weeks.

I just found the paper, it came out a couple of weeks ago, here.

This is what I needed to understand what’s going on, and I was able to reproduce resharing to a larger number of nodes. The key insights I was missing were:

  • Lambda values can simply be created with the Random protocol
  • The previous set of dealers can reshare to a larger number of recipients using the same protocol
1 Like