View article

Conventional (M, N)-threshold signature schemes leave users with a painful choice. Setting M= N offers maximum resistance to key compromise. With this choice, though, loss of a single key renders the signing capability unavailable, creating paralysis in systems that use signatures for access control. Lower M improves availability, but at the expense of security. For example, a (3, 3)-multisignature cryptocurrency wallet experiences access-control paralysis upon loss of a single key, but a (2, 3)-multisig allows any two players to collude and steal funds from the third.

In this paper, we introduce techniques that address this impasse by making general cryptographic access structures dynamic. Our schemes permit, eg, a (3, 3)-multisig, to be downgraded to a (2, 3)-multisig if a player goes missing. This downgrading is secure in the sense that it occurs only if a player is provably unavailable.