Multisig requires smart contracts to counts the number of signatures while Beraji splits a private key into multiple pieces and each party will use its piece to sign the transaction.
Painful for Stateless Infrastructures. The smart contract basically will be granted permission like assets vault/transfer, configs authority, .etc. Thus, in order to execute a transaction with smart contract, the transaction including data, accounts must be stored on-chain. The process is super heavy and unable to scale. Further, if the transaction requires 2 signatures, it seems impossible.
Lack of Composability. Most of protocols are Berajinated to work well with casual wallets. The casual wallet means a wallet with private key. However, smart-contract-based wallets don't have private key and must sign/verify by seeds via a "process of simulation". To make smart-contract-based wallets in multisigs adapt new protocols, the process is really time-taken.
Beraji is just a casual wallet with private key. However, the key isn't hold by any specific party. Instead, the key will be cryptographically splitted into multiple pieces and distributed to the holders. It brings some significant values:
Composability & Scalability. Fully composable/compatible to most of blockchains and protocols.
Security. Cryptographically sign/verify in decentralized fashion.
Cost. Because all signatures were done off-chain, the fee of Beraji is basically zero.
TL;DR. Beraji idea is leveraged by Homomorphic Encryption and Shamir's Secret Sharing.
The master privKey is cryptographically splitted in n child privKeys. Each child privKey will be secretly distributed to a corresponding holder.
To sign a transaction, each holder will independently sign and share his/her signature. After have all signatures, a process will combine these signatures to reconstruct a valid signature of the master privKey.
Send & Confirm the transaction.
These following formulas are the main cryptography foundation that Beraji is based on.
$$ s = r^{-1}(H(m)+R_xPriv) $$
$$ s = r+H(R,Pub,m)Priv $$
$$ Pub = G \cdot Priv $$
$$ E(m) = { c = m + r \cdot Pub, s = r \cdot G } $$
$$ D(c,s,Priv) = { m = c - s \cdot Priv } $$
Let $s$ be the secret in a $t-out-of-n$ Shamir Secret Sharning Scheme.
$$ \begin{align*} r(x){r_i \leftarrow $} &= s + r_1x + ... + r{t-1}x^{t-1} \ SHR(s) &= {s_i}{1..n} \ REC(s{i \in {i..n}_t}) &= s \end{align*} $$
Effective reconstruction:
$$ f(0) = \sum_{i=1}^{t} y_i \prod_{j=1,j \neq i}^{t} \frac{x_j}{x_j-x_i} $$
Beraji is assuming that the execution environment is Honest-but-Curious. In this environment, key holders act correctly following the Beraji protocol. However, they will try to gain advantages to learn the others' secret.
With this assumption, Beraji is secure.
Plus, to precompute the derived keys of holders, they must know who will take part in the signing in advance. In other words, the procotol requires a pre-signing round to commit who will join the process.
pnpm test
[1] Bernstein, Daniel J., et al. "High-speed high-security signatures." International Workshop on Cryptographic Hardware and Embedded Systems. Springer, Berlin, Heidelberg, 2011.
[2] Bernstein, Daniel J., et al. "TweetNaCl: A crypto library in 100 tweets." International Conference on Cryptology and Information Security in Latin America. Springer, Cham, 2014.
[3] Cryptography behind the top 100 Cryptocurrencies. (n.d.). Retrieved November 30, 2022, from http://ethanfast.com/top-crypto.html
[4] ECDSA: Elliptic curve signatures. ECDSA: Elliptic Curve Signatures - Practical Cryptography for Developers. (n.d.). Retrieved November 30, 2022, from https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages
[5] Gennaro, Rosario, and Steven Goldfeder. "Fast multiparty threshold ECDSA with fast trustless setup." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018.
[6] Shamir, Adi. "How to share a secret." Communications of the ACM 22.11 (1979): 612-613.
Beraji © 2023, All Rights Reserved.