[curves] Threshold ECDSA / comparison to Schnorr

Watson Ladd watsonbladd at gmail.com
Tue Mar 10 08:19:22 PDT 2015


On Mar 9, 2015 2:22 PM, "Trevor Perrin" <trevp at trevp.net> wrote:
>
> Some advances have been made on practical threshold ECDSA by Steven
> Goldfeder et al:
>
> https://freedom-to-tinker.com/blog/stevenag/threshold-signatures-for-bitcoin-wallets-are-finally-here/
> http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf
>
> Is anyone able to break down how this compares to threshold Schnorr?
> http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps
>
> In particular:  Does Schnorr still hold an advantage in this area, or
> has ECDSA closed the gap?  What are the differences with respect to:
>  - trust assumptions (trusted setup, robustness to misbehaving parties)
>  - communication costs (in particular, # of rounds)
>  - computation costs
>  - implementation complexity
>
>
> Trevor
>

So I've looked at both papers, and threshold ECDSA is still a lot more
complicated. Threshold Schnorr can directly get any linear sharing
scheme with linear storage cost, while threshold ECDSA requires
enumerating all sets that are allowed.

The other big difference is that threshold ECDSA uses Paillier in
addition to discrete log assumptions, and is much more complicated.
Threshold Schnorr was quite a bit simpler, relying only on discrete
log assumptions in one group.

Sincerely,
Watson Ladd
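
The linearity mentioned in the reply above can be shown in a short sketch. This is an added example, not part of the original message or of either paper: it uses a constructed toy group, hypothetical function names, and assumes a trusted dealer shares both the key and the nonce, where a real protocol would use distributed key generation.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def share(secret, t, n):
    """Shamir-share `secret` mod Q: any t of n shares reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient for party i over the signing set `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, y, msg):
    h = hashlib.sha256(f"{R}|{y}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q

def threshold_sign(x_shares, k_shares, R, y, msg, ids):
    """Each signer computes s_i = k_i + e*x_i locally; shares combine linearly."""
    e = challenge(R, y, msg)
    partial = {i: (k_shares[i] + e * x_shares[i]) % Q for i in ids}
    s = sum(lagrange_at_zero(i, ids) * partial[i] for i in ids) % Q
    return R, s

def verify(y, msg, sig):
    """Ordinary single-signer Schnorr check: g^s == R * y^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P

def demo(ids=(1, 3, 5), t=3, n=5, msg=b"constructed test message"):
    # Assumption: a trusted dealer shares key x and nonce k (not a DKG).
    x, k = secrets.randbelow(Q), secrets.randbelow(Q)
    y, R = pow(G, x, P), pow(G, k, P)
    sig = threshold_sign(share(x, t, n), share(k, t, n), R, y, msg, ids)
    return verify(y, msg, sig)
```

The combined signature passes the unmodified Schnorr verification because s = k + e*x is linear in both secrets. ECDSA's s = k^-1 (z + r*x) is not, since it needs the inverse of a shared nonce multiplied by a shared key.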
