top | item 33358454

(no title)

Yes, there are threshold cryptography schemes with "distributed key generation" [1] in which the parties end up holding shares but the full secret is never known to any party. Then, to your point about "the only time they key was known was when the parties reached quorum after the fact": in these schemes, some threshold of the parties can cooperate to compute a function of the secret (e.g. a signature, or a ciphertext) without any of them ever knowing the secret.

FROST is one example of such a threshold scheme, for computing Schnorr signatures: https://eprint.iacr.org/2020/852.pdf

[1] https://en.wikipedia.org/wiki/Distributed_key_generation

discuss

h0h0h0h0111|3 years ago

A similar scheme we use in drand is this: https://www.researchgate.net/publication/225722958_Secure_Di...