Secret sharing

[birr]

Several people want to fund a bitcoin address using an m-of-n secret sharing scheme (shamir's secret sharing, for example).
Question 1
In order to get the address to send funds to, someone has to generate the private key first, and then get the address from the private key, is this true?
Question 2
So how do you enforce a no-peeking rule -- is there a way to prove that the person who owned the computer that generated the address from the private key didn't cheat and copy the private key?

[1714628076]

1714628076

[1714628076]

1714628076

[DannyHamilton]

Several people want to fund a bitcoin address using an m-of-n secret sharing scheme (shamir's secret sharing, for example).
Question 1
In order to get the address to send funds to, someone has to generate the private key first, and then get the address from the private key, is this true?
Question 2
So how do you enforce a no-peeking rule -- is there a way to prove that the person who owned the computer that generated the address from the private key didn't cheat and copy the private key?

Use multiple private keys where each individual uses their own private key that they generated.

Then you can set up a P2SH address (bitcoin address starting with a 3 instead of a 1), that requires m-of-n signatures.

In that case, peeking is no longer relevant, since each individual is expected to have their own key that nobody else has seen.

[andytoshi]

To add to Danny's "here's how to do it properly", the problem that OP mentioned is fundamental to using secret sharing as a mechanism for multisignature transactions. I'm glad that s/he noticed it, because people not-too-infrequently suggest using secret sharing in this way, and the result has much weaker security properties than using Bitcoin's built-in multisig support.