Shamir's Secret Sharing
Key sharding can function as an alternative to multisig, but after testing we rejected the use of key sharding because it exposes clients to higher security risks.
Key sharding is achieved by splitting a single key into multiple pieces and copies of those pieces, such that some subset of the pieces can be recombined to recover and use the key for a signature and transaction. This key splitting or sharding can be used to provide a similar experience to true multisig.
However, key sharding has many drawbacks that caused us to reject it in favor of multisig.
- Single point of failure - The single private key exists on a single device at creation and it is reconstructed onto a single device in order to sign transactions. If the key is compromised either at creation or during reconstruction, a user’s funds can be stolen.
- No key invalidation - With multisig, the user can invalidate a single lost key and replace it. The other keys can be kept and used with the new key to construct a new multisig setup and set of addresses. With key sharding, all the shards must be replaced whenever one is compromised. This makes rapid recovery from an attack or even just a simple system update difficult. All shards/pieces must be replaced each time there is a change to the setup, where with multisig a client can replace just a single key.
- Poor auditability - If a key is reconstituted from secret shares, it’s not possible to tell which secret shares were used to recreate the key. Whereas with on-chain multisig, the “identity” of each signing key is stored on the blockchain and can be useful for forensic analysis in the case of compromised keys.