real-or-random
commented
1 week ago Not convinced that this helps, but here's an analogy to atomic commit protocols:
Our current protocol is a bit like two-phase commit (where the broadcast by the coordinator is the proposal and the signatures from the participants are the ACKs). Then, adding a round makes a bit like three-phase commit, and the motivation for three-phase commit is precisely to avoid a situation where one participant has committed but noone else will know about this (see https://en.wikipedia.org/wiki/Three-phase_commit_protocol#Motivation).
The assumptions are rather different from what we have (no byzantine failures, every participant has a local write-ahead log = local backup), and so is the way the problematic situation in two-phase commit is resolved (everyone is honest and will eventually respond, so the protocol is not dead forever but just blocks a bit). But I think the core of the problem is remarkably similar.
jonasnick
Conditional agreement is nice, but it doesn't prevent the following bad trace of events:
Outcome: Noone can sign, the money is lost.
(Event 3 means someone wasn't super careful with the backup, but I think it should be a feature of threshold signatures that any t participants should be able to sign, even if some other participant loses their backup.)
This problem doesn't affect all settings: If using the threshold public key involves interaction with all the participants, e.g., in a threshold wallet owned by a single user who looks at all the devices to verify an address before receiving on it, success certificates could be presented and backups made before the address is confirmed by all devices.
But it's certainly a problem in some settings, e.g., mutually distrustful remote participants, where one participant uses public derivation to create an address and send to it.
One could think that it suffices to add another round of signatures, but if that's done naively, then this just postpones the problem one round. We'll need to do more.
The only solution I can think of is this:
Then the trace will look as follows:
This gives you the following property: If you are fully successful, then every other honest participant has a backup of the recovery data. (And if you have the recovery data, you can at least restore everyone to the partly successful state, which suffices to create signatures.)
Sigh. Adding a round and having two states adds complexity that I'd love to avoid, but I currently don't see another solution. And I think it's a real problem; just ignoring it doesn't seem to be a good idea either. For a moment, I thought we could try to keep the additional round and the description of this out of the "official" protocol and explain it only informally. But that's a bit lazy on our side, and I think it makes things just harder for the user and increases the footgun potential.
For completeness, here's a worse variant of this without adding a round or a second certificate:
Then you can at least restore to partial successful from the local backups.
This means that
[^1]: One needs to incorporate this distinction between fully/partly successful in the unforgeability definition, to make sure that the adversary gets a working signing oracle for some participant even if that participant is only partly successful (yet). That's not a fundamental problem, it's just a bit involved. (Note to myself: The reduction in CGRS23 currently extracts the pops from an arbitrary participant; this needs to be changed to the first participant who succeeds partly and thus has received valid pops. This is to ensure that the pops are available before the first signing query, which is crucial for the early aborting strategy in algorithm D*.)