Is it possible to split a key for transaction signing without using multisig?

I am developing a wallet API, but I don't want custodial control of the user's funds. For reasons I won't explain here, I don't want to use multisig.

But I want the advantages of a 2 of 2 multisig. I want the client to sign a transaction, and then send that signed transaction to the server. The server will then finish signing the transaction and push it to the network.

Is this theoretically possible? Does something like this exist yet in practice?

In summary, I want a way for the client and the server to sign a transaction together without either one having the private key.

deweller

Posted 2015-10-08T15:31:11.403

Reputation: 185

If the transactions has more than one input and one (or more) of those is yours. But I doubt that's what you are looking for. For example: it doesn't protect the user against malware or key-theft/loss. And it also doesn't protect you against the user double-spending or sending the funds somewhere where you don't approve (if that was your goal). – Jannes – 2015-10-08T17:35:38.220

Answers

There is a way for you to do so, but it involves something called Threshold Signatures which lets you do most of what you want (n-of-n without multisig). The thing about threshold signatures is that they require at least 2 round trips. That is, A and B have to exchange partial signatures a few times before the signature is valid. For 3-of-3 and higher, you need 3 trips to each person in order to produce a valid sig. Also, threshold signatures haven't really been implemented in any software than the one the Princeton researchers made.

The other method of sort-of doing something like what you want is using Shamir's Secret Sharing. I know Armory implements this for fragmented backups but you can't use the sharded pieces for actually signing, only for recovering the actual private key.

Jimmy Song

Posted 2015-10-08T15:31:11.403

Reputation: 7 067

1Wow. This is why the internet is amazing. Thanks for pointing out threshold signatures. I realize it is untested but this is exactly what I was looking for. I had no idea it existed. – deweller – 2015-10-09T22:08:48.793