Thanks a lot for your feedback Pooya. You gave us some food for thought.
* The algorithm seems to be way too long and complicated, and it also contains certain steps that require the addition of cryptography classes that are not currently present in any of the Bitcoin clients and possibly not even in some of the cryptography libraries. For instance, I haven't seen Paillier anywhere, so if a wallet wanted to implement this scheme they would have to implement it from scratch. For instance, Electrum, which relies on the python-ecdsa and/or libsecp256k1 crypto libraries, won't be able to do it since neither one has it. And complicated algorithms are harder to both verify for security and implement without bugs.
The complexity of the algorithm stems from the offline requirement of one of the parties. Usually threshold signature schemes require all parties to be online at the same time and have rounds of multi-party computation, but that's not the design we want to support.
As for Paillier, we need an additive-homomorphic encryption scheme. Paillier has this property, but we are not bound to Paillier: anything equivalent would be fine (we considered El Gamal, but it does not work well here). If you have any suggestion, please let me know.
The main problem is not the signature aggregation per se, but requiring a threshold of signatures. The answer to the link refers to a draft research paper (https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/) that introduces the concept: I am not sure if the research has been completed or if it has been implemented, but it is indeed a great read. Thanks for the pointer.
* The use case of this scheme is very specific and limited, since it is adding a certain level of centralization. In any scheme the focus is always on keeping things decentralized and keeping the user in 100% control.
Yes, you're right. I know this is a sensitive subject, but in my experience normal people, sooner or later, often end up losing their keys. And when that happens, they're too scared to deal with crypto anymore. This scheme removes total control, but at the same time allows for recovery. A trade-off geared to the non-tech-savvy person, not to the expert.
I like the solution you suggest, but the weak link is still the single key on the backup side (which can be lost or stolen).
Although this may be overkill, I personally like to know that I still have 100% control.
I totally understand. But unfortunately most people are still not familiar with the technology and make stupid mistakes (see Peter Schiff...). There are no perfect solutions on custody for any kind of person.
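The additive-homomorphic property the reply leans on (the reason Paillier is used, and the reason an equivalent scheme would do) is easy to see in code. The following is an added illustration, not code from the thread, from Pooya, or from the proposed wallet scheme: a textbook Paillier implementation over two small constructed primes (far too small for any real use) that shows ciphertexts being added and scaled by a constant without decrypting them. That is exactly what lets one party combine an offline party's encrypted key share into a computation while that party is away; the share values `s1` and `s2` below are constructed placeholders.

```python
import math
import secrets

# Constructed toy primes: roughly 60-bit modulus, for illustration only.
# A real deployment needs primes of at least 1024 bits each.
P = 1000000007
Q = 998244353


def L(u, n):
    """Paillier's L function: L(u) = (u - 1) / n, exact because u = 1 mod n."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    """Return ((n, g), (lambda, mu)) for the simplified g = n + 1 variant."""
    n = p * q
    n2 = n * n
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    # mu = (L(g^lambda mod n^2))^-1 mod n
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and math.gcd(r, n) == 1:
                break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return (L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 is an encryption of m1 + m2 (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Enc(m)^k mod n^2 is an encryption of k * m (mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    """Combine two encrypted shares without ever decrypting them individually.

    Returns (decrypted sum, decrypted scaled share) so the result can be checked
    against plain arithmetic on the shares.
    """
    pub, priv = keygen()
    s1, s2 = 123456789, 987654321   # constructed key shares, not real secrets
    c1 = encrypt(pub, s1)           # share published by the party that goes offline
    c2 = encrypt(pub, s2)
    # The online party works only on ciphertexts: no plaintext share is revealed.
    c_sum = add_encrypted(pub, c1, c2)
    c_scaled = scale_encrypted(pub, c1, 3)
    return decrypt(pub, priv, c_sum), decrypt(pub, priv, c_scaled)


if __name__ == "__main__":
    total, tripled = demo()
    print("Enc(s1) * Enc(s2) decrypts to", total)      # 1111111110
    print("Enc(s1) ^ 3       decrypts to", tripled)    # 370370367
```

Two caveats follow directly from the code: arithmetic is modulo `n`, so the plaintext space must be chosen large enough to hold the values being combined, and the same random `r` must never be reused, since `encrypt` is only semantically secure while `r` is fresh. Both are the kind of detail a from-scratch wallet implementation (the concern raised above) has to get right.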