FROST is awesome. IMHO a substantial improvement over P2SH & most things keeping ppl f/ using multisig. I think this will greatly improve PRACTICAL security. I'm joined by Jesse Posner, #[0]​ and #[1]​ to discuss it on Bitcoin.Review (MATH⚠️) We also touch a little on Nostr key things...

Replies (4)

The first term of the polynomial is the x^0 coefficient, which is also the y-intercept :-) For example, say your secret is the number 5 and you want to have a 2/3 split. You randomly generate a polynomial. Let's say it's y = 5 + 3x. Then you make three shares where each share is a point (x,y), so if you want to use 1,2,3 for the x coordinates you'd have (1,8), (2,11), (3,14). If you take two of those points, maybe the 1 and 3 points, and interpolate a line through them, it'll intercept the y-axis at 5, which is what you get if you set x to 0 in y=5+3x. As Jesse said, this generalizes upwards: for a t-of-n split, you pick a polynomial of degree t-1, and then you pick n points on the curve. The DKG used in FROST is kind of that in reverse: everyone makes their own polynomial and then passes around coefficients to pick a secret that none of them know.
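The split and recovery described in the reply above, worked through in code. This is an added example, not code from the episode or from any FROST implementation: it runs Shamir sharing over a toy prime field (p = 2^61 - 1, an assumption chosen so the arithmetic stays readable; real FROST works modulo the secp256k1 group order) and then simulates the "in reverse" step, where every party deals its own polynomial and the joint secret is the sum of their constant terms, which no single party ever holds. The function names (`make_shares`, `lagrange_at_zero`, `toy_dkg`) are this example's own.

```python
"""Shamir secret sharing and an additive toy DKG (added example, not from the original post).

Assumption: arithmetic is done modulo the Mersenne prime P below instead of the
secp256k1 group order, purely so the numbers in the 2-of-3 demo stay small.
"""
import secrets

P = 2**61 - 1  # toy field; real FROST reduces modulo the curve's group order


def eval_poly(poly, x):
    """Evaluate poly[0] + poly[1]*x + ... + poly[t-1]*x^(t-1) mod P (Horner's rule)."""
    y = 0
    for c in reversed(poly):
        y = (y * x + c) % P
    return y


def make_shares(secret, t, n, coeffs=None):
    """Split `secret` into n points on a degree t-1 polynomial whose constant term is the secret.

    coeffs optionally fixes the non-constant coefficients so a demo is reproducible;
    a real dealer draws them uniformly at random, as done here when coeffs is None.
    """
    if coeffs is None:
        coeffs = [secrets.randbelow(P) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 non-constant coefficients")
    poly = [secret % P] + [c % P for c in coeffs]
    return [(x, eval_poly(poly, x)) for x in range(1, n + 1)]


def lagrange_at_zero(points):
    """Recover f(0) from any t distinct points (x_i, y_i) of a degree t-1 polynomial.

    f(0) = sum_i y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)   (Lagrange basis at x = 0)
    With fewer than t points the polynomial is underdetermined and the result is meaningless.
    """
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def toy_dkg(n, t, constants=None):
    """Simulate the 'reverse' step: each party i picks its own polynomial f_i with f_i(0) = a_i
    and deals f_i(j) to party j. Party j's share of the joint key is sum_i f_i(j); the joint
    secret sum_i a_i exists only as a sum of values held by different parties.

    constants optionally fixes each party's a_i for a reproducible demo. Real FROST DKG also
    broadcasts commitments to the coefficients and a proof of knowledge so received shares can
    be checked; this toy omits those and trusts every party.
    """
    polys = []
    for i in range(n):
        a = secrets.randbelow(P) if constants is None else constants[i] % P
        polys.append([a] + [secrets.randbelow(P) for _ in range(t - 1)])
    joint_shares = [(j, sum(eval_poly(f, j) for f in polys) % P) for j in range(1, n + 1)]
    # Only the simulator can compute this; in a real run nobody holds all the polynomials.
    joint_secret = sum(f[0] for f in polys) % P
    return joint_shares, joint_secret


if __name__ == "__main__":
    # The reply's example: secret 5, polynomial y = 5 + 3x, shares at x = 1, 2, 3.
    shares = make_shares(5, 2, 3, coeffs=[3])
    print("shares:", shares)                                   # [(1, 8), (2, 11), (3, 14)]
    print("recovered from x=1,3:", lagrange_at_zero([shares[0], shares[2]]))  # 5

    # Three parties each deal a 2-of-3 polynomial; any two joint shares recover the sum.
    joint, secret = toy_dkg(3, 2, constants=[5, 7, 11])
    print("joint secret (simulator only):", secret)            # 23
    print("recovered from parties 2,3:", lagrange_at_zero(joint[1:]))
```

Two things worth checking against the reply: a single share gives no information (any secret is consistent with a line through one point), and in the DKG the recovered value equals the sum of everyone's constant terms even though each party only ever saw one evaluation of each other party's polynomial.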
Loved the episode. Listening a second time now. V keen to hear more on this topic. With existing multisig, we have to keep a copy of the redeem script or all the xpubs in case one of the keys is lost. If one of the keys of, say, a 2-of-3 FROST multisig private key is lost, is it possible to have access to spend funds if you only have 2 of the private keys and no redeem script or xpub of the lost key? Sounds like you can, as there is no redeem script? Is that correct?