The ERS is a third party that is able to recover a user's private ECDSA signing key under certain circumstances (What these are depends on the library's user.). The ERS has a key pair for encryption, and all participants are configured with the public key. The ERS holds the private key.
Each participant uses the TDSA library (either directly or through a TDSA service) and can call getRecoveryInfo(). This method returns an encryption under the ERS public key of (among others) the following values:
- The keyId
- The participants ECDSA key share
- The root public key
- The master chain code (used to derive public and private ECDSA key pairs from the root public key)
- Some auxiliary data are chosen by the participant which can be used by the ERS, e.g. to associate the data with a specific user.
We call this collection of encrypted data recoveryInfo. All three participants can call this method on their own TDSA library, which results in three recoveryInfos for a given keyId.
What happens with the recoveryInfos is up to the user of our library, but a common use case will probably be to send them all to the client who can back them up and keep them until the need to use the ERS arises.
Once it has been determined that a given keyId should be recovered the client sends all recoveryInfos to the ERS. The ERS decrypts them, checks that they can generate the correct ECDSA private key and if yes, outputs that key.
For a protocol with n participants that can tolerate up to t participants being malicious, we say that the protocol is an honest majority protocol if t < n/2. The current protocol has n = 3 and t = 1.
For the ERS this means that at least two recoveryInfos will be correct. Since the secret shared ECDSA private key can be recovered given t+1 shares, we are guaranteed that the ERS can always recover the private key given two correct recoveryInfos.
The ERS library provides the functionality needed to implement the ERS.
Updated 2 days ago