> To me, the goal of crypto was never to remove the need for all trust. Rather, the goal of crypto is to give people access to cryptographic and economic building blocks that give people more choice in whom to trust, and furthermore allow people to build more constrained forms of trust: giving someone the power to do some things on your behalf without giving them the power to do everything.
> Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.
Adept Secret Sharing (ADSS) by Bellare, Dai and Rogaway is a significant advance, hope more people consider it in future.
Though I don't think there are many implementations around.
That's a fair call, Shamir's secret sharing is pleasantly simple to use and understand.
Read the paper a while ago now, but the scheme is still fundamentally built on SSS; the auth, error checking and privacy layers are on top, so it's not a complete rework of what currently exists, more just some additions. Quite sure people have written some (perhaps all?) of these extras already in concert with regular secret sharing.
It's like a 'reset trade' button you can press and if most of your guardians approve, then they can reset your pubkey preventing the crypto from leaving your vault?
Sounds like a good idea, and could make people feel a lot more secure with their crypto. Definitely a tradeoff a lot of people would gladly take. You must admit it would be cool as hell to have a physical version of a key to turn simultaneously with your business partner to let your funds flow out somewhere.
This is my only real anxiety with the crypto I hold, and a good solution.
If you ever forget your password (key), you generate a new secret key and you get 3 of the 5 friends to sign it. The new key then replaces your old key.
The problem is that transactions are a one-time, irreversible operation. I wonder if it would be possible to:
a) create wallets with an unchangeable per-transaction spending limit;
b) with the need to have transactions above a set amount to be confirmed after a set amount of time, with an email or other type of messaging sent between first and second confirmation.
(edit): The messaging part is impossible, as the blockchain cannot be aware if the message was actually sent: the miner could say it was and there's no check. But an app could observe the blockchain and notify the wallet owner of the transaction request.
If you just take a key (or phrase) and split it between 5 trusted folks, there's no way to say "a quorum of 3 people must be present to get my key back".
Slight change to the idea above:
- wallet with a daily limit for transactions that don't need a second confirmation a day apart.
- need for a second confirmation one day apart for transactions over said limit.
- "social recovery key" able to immediately bypass all limits.
So for daily use you can set your limit in such a way that you can perform immediate transactions. Bigger transactions (such as all your money) need to be confirmed a second time after 24 hours. During that time, a transaction request is written on the blockchain and can be observed by your wallet app. If someone steals your private key they can only transfer amounts within the daily limit, or trigger a warning by attempting to transfer more. If your private key is stolen, you can use a "social recovery key" that bypasses all limits and can be used to transfer your entire amount to a new wallet. What do you think?
How? Example: Split a secret phrase ("correct horse battery staple") between 4 friends with a quorum of 2.
- Alice: correct
- Bob: horse
- Carol: battery
- Dave: staple
Great! But that's a quorum of 4. How do we reduce it to 2? Each person needs two words:
- Alice: correct horse
- Bob: battery staple
- Carol: correct horse
- Dave: battery staple
But what if Alice and Carol want to get the secret? Or Bob and Dave? Well, each person needs the entire secret.
- Alice: correct horse battery staple
- Bob: correct horse battery staple
- Carol: correct horse battery staple
- Dave: correct horse battery staple
...but now the quorum is 1, and all of them just have a copy of your secret. If you want to be able to have arbitrary quorums, you need cryptography.
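As an added illustration (not part of the thread, and not anyone's posted code) of the "you need cryptography" point, here is Shamir's Secret Sharing over a prime field applied to the same passphrase: four shares with a quorum of two, where any pair recovers the phrase and a single share is consistent with every candidate phrase, so it leaks nothing. The field prime, the participant names and the candidate phrases are my choices.

```python
# Added example, not from the thread: Shamir's Secret Sharing over a prime
# field, splitting "correct horse battery staple" into 4 shares with quorum 2.
# Any 2 shares rebuild the phrase; a single share fits every candidate phrase
# equally well, which is what handing out whole words cannot achieve.
import secrets
from itertools import combinations

P = 2**521 - 1   # prime field (assumed choice); secrets under 65 bytes fit below it

def lagrange_at(points, x):
    """Evaluate the unique polynomial through `points` at `x`, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def split_secret(secret_int, threshold, n_shares):
    """Shares are points (x, f(x)) on a random polynomial of degree threshold-1
    whose constant term is the secret; x runs 1..n_shares (never 0)."""
    if not (0 <= secret_int < P and 1 <= threshold <= n_shares):
        raise ValueError("bad parameters")
    coeffs = [secret_int] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner's rule
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n_shares + 1)]

def recover_secret(shares):
    """Interpolate through the given shares and read off f(0)."""
    return lagrange_at(shares, 0)

def phrase_to_int(phrase):
    return int.from_bytes(phrase.encode(), "big")

def int_to_phrase(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode()

def candidates_ruled_out(held_shares, candidate_ints):
    """With fewer shares than the quorum, every candidate secret s is consistent:
    a polynomial of allowed degree passes through (0, s) and all held points.
    Counts candidates that fail that check, which is always 0."""
    excluded = 0
    for s in candidate_ints:
        pts = [(0, s)] + list(held_shares)
        if any(lagrange_at(pts, x) != y for x, y in held_shares):
            excluded += 1
    return excluded

def demo(phrase="correct horse battery staple"):
    """2-of-4 split among the four friends from the thread (constructed data)."""
    shares = split_secret(phrase_to_int(phrase), threshold=2, n_shares=4)
    holders = dict(zip(["Alice", "Bob", "Carol", "Dave"], shares))
    pairs_ok = all(int_to_phrase(recover_secret([holders[a], holders[b]])) == phrase
                   for a, b in combinations(holders, 2))
    candidates = [phrase_to_int(c) for c in (phrase, "wrong horse battery staple", "zebra")]
    # Alice alone cannot tell the real phrase from the wrong ones.
    return pairs_ok, candidates_ruled_out([holders["Alice"]], candidates)
```

Shares are points on a random line (for quorum 2) whose intercept is the secret; one point is compatible with every intercept, two points pin it down. Raising the threshold just raises the polynomial degree, so arbitrary k-of-n quorums fall out of the same code.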
Secret: either "a b c d e f g h i j k l" or "a b c d e f g h i j k l m n o p q r s t u v w x"
Participants: Alice, Bob, Carol, Dave
Which parts of the secret does each participant receive? Every combination of participant pairs must be able to recreate the full secret. No single participant may have the full secret.
HN won't let me reply to the below comment so I'll copy and paste here:
> It's actually trivially possible [...] for [...] very long (60 words+) passphrases.
It is not. It doesn't matter if your passphrase is 6000 words, you can't have 4 participants with a quorum of 2.
This uses the exact cryptography that I said you'd need. This isn't just "mnemonic phrase split between three persons", it's literally Shamir's Secret Sharing.
    Al  Bob  Car  Dav
b:  x   -    x    x
c:  x   x    -    x
d:  x   x    x    -
e:  -   x    x    x
f:  x   -    x    x
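The table above hands each word to everyone except one person. As an added example (mine, not any commenter's code), the following generalises that "withhold each piece from one (k-1)-subset" construction to any k-of-n, checks the cover property the puzzle asks for, and also measures the weakness the thread is arguing about: a participant below the quorum already holds most of the phrase, so the remaining guess space is far smaller than the whole phrase. The 2048-word list size and the participant names are assumptions.

```python
# Added example, not from the thread: combinatorial (non-cryptographic) k-of-n
# word splitting, generalising the x/- table above, plus a measure of how much
# a sub-quorum coalition already knows.
from itertools import combinations

def split_words(words, participants, threshold):
    """Cut the phrase into C(n, k-1) equal pieces; piece i is withheld from the
    i-th (k-1)-subset of participants and given to everyone else. Any k people
    include someone outside each withheld subset, so together they hold it all.
    Returns (pieces, holdings) with holdings: participant -> piece indices."""
    withheld = list(combinations(participants, threshold - 1))
    n_pieces = len(withheld)
    if len(words) % n_pieces:
        raise ValueError(f"{threshold}-of-{len(participants)} needs a word count divisible by {n_pieces}")
    size = len(words) // n_pieces
    pieces = [words[i * size:(i + 1) * size] for i in range(n_pieces)]
    holdings = {p: [i for i, w in enumerate(withheld) if p not in w] for p in participants}
    return pieces, holdings

def pieces_held(holdings, coalition):
    """Union of the piece indices a group of participants holds."""
    return set().union(*(set(holdings[p]) for p in coalition))

def threshold_holds(holdings, participants, threshold, n_pieces):
    """True iff every k-coalition covers all pieces and no (k-1)-coalition does."""
    full = set(range(n_pieces))
    quorum_ok = all(pieces_held(holdings, c) == full for c in combinations(participants, threshold))
    below_ok = all(pieces_held(holdings, c) != full for c in combinations(participants, threshold - 1))
    return quorum_ok and below_ok

def guesses_left(pieces, holdings, coalition, wordlist_size):
    """Candidate phrases a sub-quorum coalition still has to try: it knows every
    word in the pieces it holds and only has to fill in the missing ones."""
    missing = set(range(len(pieces))) - pieces_held(holdings, coalition)
    missing_words = sum(len(pieces[i]) for i in missing)
    return wordlist_size ** missing_words

def demo():
    """The puzzle's 12-word secret among Alice, Bob, Carol and Dave, 2-of-4 (constructed)."""
    people = ["Alice", "Bob", "Carol", "Dave"]
    words = "a b c d e f g h i j k l".split()
    pieces, holdings = split_words(words, people, 2)
    return {
        "alice_has": [pieces[i] for i in holdings["Alice"]],
        "cover_ok": threshold_holds(holdings, people, 2, len(pieces)),
        "alice_alone_guesses": guesses_left(pieces, holdings, ("Alice",), 2048),
        "full_phrase_guesses": 2048 ** len(words),
    }
```

For 2-of-4 the cover property holds, but each person already has 9 of the 12 words: Alice alone is left with 2048^3 candidates instead of 2048^12, which is the gap a Shamir split does not have.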
Over time we would have some trustworthy new institutions where people could backup a piece of their key.
But I think it's a whole new set of problems, right?
What if banks end up playing this role? It would be funny, haha.
Oh, but wait... That sounds an awful lot like our current fractional reserve banking. Without any of the regulatory oversight and monetary policy aimed to regulate the money supply. Wonder what could go wrong?
I have no choice but to conclude “social sharing” is the Rube Goldberg machine variant of Electrum’s cosigner model, and its primary function is to promote Ethereum.
He says multisig has been very successful for organizations like the Ethereum Foundation, but suggests that it's possible to do better for individuals. You are free to choose something that reduces to N-of-M, if you want to trust financial institutions, family/friends, and/or (mostly) yourself.
If I'm understanding what he writes correctly, it's somewhat similar to a "1 OR 4-of-7" multisig concept. Fairly sure this is supported by the Bitcoin protocol, although I don't think any wallets support it. There might be additional options you can implement on Ethereum that might be harder (read: require protocol upgrades) on Bitcoin. Time delays, maximum spend amounts (with exceptions), etc.
Also, I'm not sure why you're calling it the "Electrum cosigner" model. I thought multisig was a feature of the Bitcoin protocol, and not of the Electrum client?
I can’t see any difference between the 4 of 7 countersigners under “social sharing” and the 4 of 7 countersigners in an Electrum cosigner arrangement. In both cases the countersigners are user selectable and can collude to steal your funds. You must place high amounts of trust in the countersigners in both cases, which means it isn’t really going to scale without credible financial institutions becoming involved there.
At a certain point, both protocols evolve into a more egalitarian form of banking, where the “bank” itself is distributed across trusted countersigners.
There is really no practical difference between Electrum’s cosigner model and “social sharing” here. If the entire point of countersigners is to protect stored value against theft, 1 OR N-of-M is purely a liability. It is only a UX upgrade when small amounts of funds are at risk, in which case you could elect to do a 1-of-2 cosigner multisig, anyway.
> Also, I'm not sure why you're calling it the "Electrum cosigner" model. I thought multisig was a feature of the Bitcoin protocol, and not of the Electrum client?
Electrum has shipped this feature since c. 2013, and the author of Electrum deserves recognition for pioneering the field. Granted it’s not surprising to see the prior art — particularly directly competitive, free and open source prior art — going uncited in this context. This type of shameless self-promotion is rampant in the modern cryptocurrency space, and it tends to leave the general public ignorant of legitimate “off-the-shelf” alternatives. It’s analogous to scaremongering against medical cannabis while backhandedly championing an in-house synthetic THC product. Unfortunately the majority of participants in this space are far too blinded by greed to care.
Most attacks against this system could be mitigated by having time-locks on the various assets which begin when the recovery process is started. In particular, if some of your friends are tricked into starting the recovery process, that should be published somewhere (in a pseudonymised form) so you can intervene and get them to stop before the time-lock opens.
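Two earlier comments in the thread propose a daily limit with a delayed, observable second confirmation for larger transfers plus a guardian-based "social recovery", and the comment above adds that the recovery itself should be time-locked and published so the owner can intervene. As an added example (mine, not any commenter's and not any real wallet's contract), here is a toy state machine that combines those rules so the interactions can be walked through; all names, amounts and the one-day delay are constructed.

```python
# Added example, not from the thread: toy wallet policy with a daily limit,
# delayed and logged large transfers, and k-of-n guardian recovery behind a
# time-lock the current owner can veto. All values are made up.
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 3600

class PolicyError(Exception):
    pass

@dataclass
class Recovery:
    new_owner: str
    approvals: set = field(default_factory=set)
    ready_at: Optional[int] = None      # set when the guardian quorum is reached

@dataclass
class Wallet:
    owner: str
    balance: int
    daily_limit: int
    guardians: frozenset
    quorum: int
    delay: int = DAY
    spent_today: int = 0
    day_index: int = 0
    pending: dict = field(default_factory=dict)   # id -> (amount, to, ready_at)
    next_id: int = 1
    recovery: Optional[Recovery] = None
    log: list = field(default_factory=list)        # what a watching app would see

    def _require_owner(self, signer):
        if signer != self.owner:
            raise PolicyError("not the owner key")

    def _execute(self, amount, to):
        if amount > self.balance:
            raise PolicyError("insufficient balance")
        self.balance -= amount
        self.log.append(("TRANSFER", amount, to))

    def transfer(self, signer, amount, to, now):
        """Under the daily limit: immediate. Over it: queued and logged, and it
        needs a second confirmation after `delay`. Returns the request id or None."""
        self._require_owner(signer)
        if now // DAY != self.day_index:               # new day, new allowance
            self.day_index, self.spent_today = now // DAY, 0
        if self.spent_today + amount <= self.daily_limit:
            self._execute(amount, to)
            self.spent_today += amount
            return None
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = (amount, to, now + self.delay)
        self.log.append(("PENDING", rid, amount, to))
        return rid

    def confirm(self, signer, rid, now):
        self._require_owner(signer)
        amount, to, ready_at = self.pending.get(rid, (None, None, None))
        if amount is None or now < ready_at:
            raise PolicyError("unknown request or delay not elapsed")
        del self.pending[rid]
        self._execute(amount, to)

    def cancel(self, signer, rid):
        self._require_owner(signer)
        if self.pending.pop(rid, None) is None:
            raise PolicyError("unknown request")
        self.log.append(("CANCELLED", rid))

    def approve_recovery(self, guardian, new_owner, now):
        """Guardians vote for a replacement key; reaching the quorum starts a
        published time-lock instead of switching keys at once."""
        if guardian not in self.guardians:
            raise PolicyError("not a guardian")
        if self.recovery is None or self.recovery.new_owner != new_owner:
            self.recovery = Recovery(new_owner)
        self.recovery.approvals.add(guardian)
        if len(self.recovery.approvals) >= self.quorum and self.recovery.ready_at is None:
            self.recovery.ready_at = now + self.delay
            self.log.append(("RECOVERY_STARTED", new_owner, self.recovery.ready_at))

    def cancel_recovery(self, signer):
        """The current owner key can veto a recovery it did not ask for."""
        self._require_owner(signer)
        self.recovery = None
        self.log.append(("RECOVERY_CANCELLED",))

    def finish_recovery(self, now):
        r = self.recovery
        if r is None or r.ready_at is None or now < r.ready_at:
            raise PolicyError("no quorum yet, or time-lock still active")
        self.owner, self.recovery = r.new_owner, None
        self.pending.clear()                           # drop what the old key queued
        self.log.append(("OWNER_REPLACED", self.owner))

def scenario():
    """Constructed walk-through: small spend, blocked large spend, then recovery."""
    w = Wallet("key-1", 1000, 100, frozenset({"Alice", "Bob", "Carol", "Dave", "Eve"}), 3)
    w.transfer("key-1", 60, "shop", now=0)                 # under the limit: immediate
    rid = w.transfer("key-1", 500, "unknown-addr", now=0)  # over the limit: queued
    w.cancel("key-1", rid)                                 # owner saw PENDING and vetoed
    for g in ("Alice", "Bob", "Carol"):                    # 3-of-5 guardians back key-2
        w.approve_recovery(g, "key-2", now=0)
    w.finish_recovery(now=DAY)                             # only once the lock expires
    return {"balance": w.balance, "owner": w.owner, "events": [e[0] for e in w.log]}
```

The model keeps the limitation the thread already notes: anything within the daily limit still goes through immediately for whoever holds the key, so the delay and the recovery time-lock only buy the owner a window to notice a logged event and cancel it.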
Any ideas for a good strategy? Duplication on hardware level?
Sounds like solving for problems created by other problems ...
And it's usually better to hold some kind of currency which can be exchanged all over the world, than Magic Monopoly Money.
It's not magic, it's just cryptography.