Long range security of chain-key ECDSA signatures

The papers cover signature generation quite extensively however, the re-sharing protocol (X-NET or otherwise) have a comparatively light analysis.

Has there been extensive analysis that shows re-sharing does not degrade the security properties?

For example, assume 2f + 1 honest validators at some point in the past who are no longer part of the set of validators. If they did not destroy material used during their tenure as validators including messages from other validators, do they still possess enough information to construct a signature, and/or conduct a new re-sharing ceremony with additional participants?

Hi @wanderingbort, This is a great question!

When the resharing protocol is run, new shares of the secret key are generated. The new shares are incompatible with the previous ones, so only shares from the same resharing epoch could be pooled together to reconstruct the key or to sign.

There are currently 2 main events that result in the participants running the resharing protocol:

  • If the subnet membership changes, when either nodes join or leave the subnet. Old nodes no longer receive new shares of the key.
  • Whenever a node in the subnet rotates its encryption key used in the IDKG protocol.

Regarding the latter: honest nodes periodically rotate their encryption key and erase their old ones. In the next instance of the resharing protocol the new encryption keys will be used to encrypt the shares of the threshold keys. Since encryption keys have a limited lifetime, an adversary that has access to the decryption key of one party can only decrypt shares that were generated in a limited amount of time. This gives the protocol proactive security, which essentially means that the protocol is secure as long as at any point in time not too many parties are corrupt, even though all parties may eventually be corrupt.

assume 2f + 1 honest validators at some point in the past who are no longer part of the set of validators

If the validators were all active members in the subnet at the same time and did not erase their keys, then this the same as assuming there were 2f+1 corrupt parties at one point in time. This is a setting outside what the protocol can guarantee security. However, if out of these parties no more than f were active and corrupt at the same time, then the protocol is still secure, and the key material of those nodes cannot be used to recover the key or compute signatures.

Hope this helps!

1 Like

Thanks for the response.

My best interpretation is that as long as the honest participants are deleting information from older epochs then the protocol is secure from long-range attacks.

If they are not deleting, then that information represents long term dangerous material to the protocol.

Over time, if previously honest participants are corrupted or compromised and have not completely destroyed this data then the protocol cannot guarantee security.

It seems very important to the security of the protocol that the information is completely deleted, is that a fair interpretation?

1 Like