real-or-random
commented
8 months ago Quoting myself from #5, since the same applies here:
my thinking is that I want to keep the scope of this particular document limited to the actual cryptographic questions, for which we can make use of our expert knowledge. So I'd be hesitant to specify a concrete encoding method (e.g., bech32 or how many bits the int should have). But yeah, I agree, other standards that build on top will be necessary if we want interoperability... What you bring up are important questions, I just don't think they should be answered in this BIP (and that I want to be involved).
A BIP for some variant of ECIES for secp256k1 seems like a good idea in general.
Right, the encryption (which is anyway needed for the shares, indepedently of any backup) could be a separate BIP. It will be a small BIP then, but that's probably a good thing. I want to work on this soon, and may keep it in the current document first, but we could certainly move it to a separate document later.
LLFourn
jonasnick
So imagine that before generating a FROST key you first ask your frost member device for a backup of its static secret key as a bech32 string or seed words etc. What can we do with this and is it worth specifying in this document?
Any secret data that the device obtains in the future (i.e. key shares) could be encrypted to some key derivable from the backup. The encryption can be stored any place (please not tx witness) and retrieved later even if the device is destroyed through the backup. This has the advantage over share backups (#5) that you have only to do it once and all shares obtains by this device will be recoverable in the future assuming you can get your hands on a backup of them.
As an alternative to encrypted backups, parties could retrieve the key generation transcript, and then from the backup be able to re-generate and re-extract their key shares from the transcript (h/t @real-or-random). This would be advantageous since you could backup one thing for all the parties (but it would be a bigger backup).
My intuition here is that in terms of encrypted backups it doesn't seem like there is any distinguishing feature of them in this setting. They can be used any time there's secret stuff you're going to get but what to retrieve later so I think it would be nice to mention this approach but maybe it's fine to leave this to the application layer or another BIP. I'm sure a specification for this could be used elsewhere. A BIP for some variant of ECIES for secp256k1 seems like a good idea in general.