TKeeper logoTKeeperGitHub
Let's talk
Menu
For partnersDocumentationGitHub

Fundamentals

How We Minimized the Attack SurfaceWhat is Threshold CryptographyByzantine ResilienceKey Refresh

Fundamentals

Key Refresh: Why Long-Haul Attacks Fail

How proactive resharing keeps threshold systems safe against slow, cumulative compromise.

Quick take: key shares that never change give attackers time. Key Refresh removes that time advantage.

In static security systems, time works against defenders.

If a secret key is split into shares and distributed across nodes, but those shares never change, an attacker does not need instant compromise. They can collect material gradually over weeks or months.

This is exactly what proactive security is meant to prevent. In threshold cryptography, that control is implemented as Key Refresh (also called resharing).

Key Refresh updates all active shares without changing the underlying secret.

The Attack Path: Compromise Over Time

Consider a standard tt-of-nn threshold setup with nn keeper nodes and quorum requirement tt.

A realistic long-window attack can look like this:

  1. The attacker compromises one keeper and extracts one share.
  2. Threshold is not reached, so the secret is still safe. Nothing obvious breaks.
  3. Later, the attacker compromises a second keeper.
  4. Later again, they compromise a third keeper.

In a static system, once the attacker accumulates tt shares, they can reconstruct the key even if those shares were stolen at different times.

The Defense: Key Refresh

Key Refresh invalidates this strategy.

After a refresh, every keeper receives a new share generation, and previous shares become mathematically unusable.

Two properties are critical:

  1. The secret does not change. Public key identity and target private secret remain the same, so external systems do not need reconfiguration.
  2. Cross-generation shares do not combine. A share from "Epoch 1" is incompatible with shares from "Epoch 2".

This forces a much harder attacker requirement: compromise tt nodes within the same refresh window.

Why This Works (Shamir Intuition)

In Shamir-based schemes, secret SS is the constant term of a polynomial P(x)P(x) of degree t1t-1, so S=P(0)S = P(0).

Each keeper stores one point: yi=P(i)y_i = P(i).

Any tt points reconstruct the polynomial and therefore recover P(0)P(0).

During refresh, the system moves from one valid polynomial to another while preserving the same secret point at x=0x=0.

So the curve changes, but the protected secret remains fixed.

A point from the old curve and points from the new curve do not belong to one consistent polynomial set. Mixing generations fails.

Business Impact

This removes the "slow breach" playbook.

If refresh runs every hour, or after each critical operation, the attacker window collapses to that interval.

They must compromise tt keepers in one short window. Compromising one now and another later is no longer enough because old shares have already expired from quorum usefulness.

Bottom Line

Key Refresh continuously resets attacker progress without rotating the external key identity or pausing service.

It is one of the strongest controls for protecting high-value key infrastructure under persistent threat.