by cryptophile 4376 days ago
A method to explode a bitcoin private key with SSS into multiple secret parts and use them to collaboratively sign transactions has unfortunately not yet been discovered.

What exists already, though, is something similar. Instead of fitting a polynomial through the points (=secret shares), where the intercept would be the full secret, there is a scheme where the full private key is just the simple multiplication of the secret shares.

From there, the co-signers use Paillier encryption to collaboratively compose the signature without revealing their secret parts to each other. It only works with two co-signers at the moment. Here is a demo:

http://www.jpaulgossip.com/demo/split-key.html
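The multiplicative split described above, as an added example that is not part of the original post or the linked demo: the private key is the product of two shares modulo the curve order, and the public key can be derived jointly without either party revealing its share. It assumes secp256k1 (bitcoin's curve) and two parties; the Paillier-based signing step is not shown.

```python
# Added example: multiplicative sharing of a secp256k1 private key,
# d = d1 * d2 mod n, plus joint public-key derivation. Not from the thread.
import secrets

# secp256k1 domain parameters (standard curve definition).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def split_key(d):
    """Split d into two factors modulo the group order: d = d1 * d2 mod n.
    Any d in [1, n-1] works, prime or composite, since we factor mod n."""
    d1 = secrets.randbelow(N - 1) + 1
    d2 = d * pow(d1, -1, N) % N
    return d1, d2

def combine_key(d1, d2):
    """Reassemble the full private key (only ever done on a trusted machine)."""
    return d1 * d2 % N

def joint_pubkey(d1, d2):
    """Party 2 publishes d2*G; party 1 multiplies it by d1. Neither share leaks."""
    return scalar_mult(d1, scalar_mult(d2, G))
```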


SSSS is worse than using OP_CHECKMULTISIG because one has to put all the secrets at once on a single machine to produce the final private key. If the machine is compromised, such a key can be stolen right away. Using a multisig script allows you to have several (possibly compromised) machines sign a transaction independently without ever producing any "master secret".

Here's my suggestion on how to use multisig with blinding so you can lock your bitcoins with N friends and have your financial privacy at the same time: http://oleganza.com/blind-ecdsa-draft-v2.pdf

Prototype for iOS (using my CoreBitcoin objc library): http://github.com/oleganza/blindsignaturedemo

Unfortunately, multisig forces you to use the blockchain. There are use cases where you don't want that. SSS, on the other hand, seems too complex to feed back through the ECDSA signing algorithm. In the link above they just use the factors of the private key to distribute as shared secrets. So, your private key cannot be a prime. But then again, ECDSA does not seem to require that from a private key. It's not that using a composite number would make it easier to work your way back to the discrete ECC logarithm ...
I was replying to your question on how to sign transactions. Multisig is the real and the best solution for this task. Maybe I don't understand the problem with "multisig forces you to use the blockchain". If you sign a bitcoin tx, then sure you need to get it on the blockchain. Or am I missing something?
Distributed signing is useful in other contexts too. It does not always have to be bitcoin-related ...
Why not just use the hybrid approach described in the linked page? Encrypt the bitcoin key with a block cipher, then encrypt that key with SSS.
It would be enough to attack the machine holding the decrypted bitcoin key in order to steal the money. So, you still have that dreaded single point of failure problem there.

The security solution consists in forcing the attacker to attack lots of machines and successfully control them in order to steal the money.