MPC key share rotation
MPC key share rotation is a type of proactive secret sharing, also called key share refresh or key resharing, and was augmented in recent MPC protocol research. It takes old secret shares as input and outputs a new set of secret shares, without altering public key. The old secret shares can be deleted and the new ones can be used in the same way. The idea is to reduce the probability that a malicious party could compromise enough key share parties’ machines to derive the key within certain period of time. Depending on preferred security model, key share refresh may be done periodically or totally automatic.
The algorithm of key share rotation is quite similar to the key share generation. They both work in a distributive way, and both need to apply a secret sharing protocol (say, Shamir Secret Sharing). The critical part is to keep the generated new key shares output the same public key, using either additively or multiplicatively equivalent property. Specifically, those key shares are simply different big integers that are used as inputs to jointly compute a private key also as a big integer (and accordingly a public key as a curve point). Thus the combination of key shares can be adjusted in a way to contributing to a same private key.
Zengo MPC version implemented a kind of key share rotation for 2-party ECDSA (based on Lin17: Fast secure two-party ECDSA signing). See its white-paper Section 4.4 2P-Rotation. The technique is to generate two new shares from old ones by multiplicative operations: x1' = r*x1, x2 = r^(-1)* x2 for random r, thus Q= x1*x2*G = x1'*x2'*G = Q'. This results in re-randomization of secret shares with same public key. Such technique may be extended to multi parties.
CMP protocol proposed another key share rotation algorithm for MPC TSS. UC Non-Interactive, Proactive, Threshold ECDSA. See Section 3.2 Key-Refresh & Auxiliary Information for its periodic refresh mechanism. Specifically for ECDSA it also requires the refresh of ZK proofs.
Thresh-Reshare is a more complex protocol, meaning that the thresh t of MPC can be adjusted and key shares get refreshed after a new threshold secret sharing protocol is performed. On input t′ ≤ n, the secret shares ski are refreshed such that the scheme satisfies a (t′ , n) threshold.
Finally a summary that
MPC key share rotation does not change the actual public key or private key, and
A mix of partial new key shares and partial old key shares won’t expose full private key.