[curves] Threshold ECDSA for Bitcoin

Watson Ladd watsonbladd at gmail.com
Fri Mar 28 16:38:28 PDT 2014 

On Fri, Mar 28, 2014 at 6:59 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> Out of curiosity, what’s wrong with the following “obvious” protocol for threshold Schnorr?
>
> The signers have a polynomial share x_i of x.  All the signers in the signing group know who is signing right now, and they know that x = sum a_i x_i, and they know the a_i.  If weeding out bad participants is desired, then each signer’s share [x_i]G of the public key is known to the other group members.
>
> Each signer computes R_i = [k_i]G for a random nonce k_i.  They broadcast commitments to these choices, then broadcast revelations.
>
> Each signer computes R = sum [a_i] R_i, so that effectively r = sum a_i k_i; and c = Hash(R,m).
>
> Each signer creates and broadcasts a mini-sig s_i = c x_i + k_i.  The signature is (R, s = sum a_i s_i).  Since k = sum a_i k_i and x = sum a_i x_i, we have s = cx + k as desired.
>

Nothing is wrong with it: I forgot that Schnorr is k-c*x with c public.

>
> — Mike
>
>
> On Mar 28, 2014, at 3:36 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
>
>> On Fri, Mar 28, 2014 at 6:14 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>> https://freedom-to-tinker.com/blog/stevenag/new-research-better-wallet-security-for-bitcoin/
>>> http://www.cs.princeton.edu/~stevenag/bitcoin_threshold_signatures.pdf
>>>
>>> Apparently based on this:
>>>
>>> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.67.9913
>>>
>>> I'd be interested to hear how the state-of-the-art in threshold-ECDSA
>>> compares to threshold-Schnorr, if anyone knows.
>>
>> Threshold Schnorr requires computing only a multiplication and an
>> addition. As a result you don't need special tricks: if you have k
>> people out of n who can get the key, 2k-1 can compute the shares of
>> the signature value and reconstruct in the usual manner. This way
>> avoids the inversion and degree reduction protocols entirely.
>>
>> Sincerely,
>> Watson Ladd
>>>
>>>
>>> Trevor
>>> _______________________________________________
>>> Curves mailing list
>>> Curves at moderncrypto.org
>>> https://moderncrypto.org/mailman/listinfo/curves
>>
>>
>>
>> --
>> "Those who would give up Essential Liberty to purchase a little
>> Temporary Safety deserve neither  Liberty nor Safety."
>> -- Benjamin Franklin
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

More information about the Curves mailing list