[curves] Threshold ECDSA / comparison to Schnorr

[Tim Ruffing]

On Tuesday 10 March 2015 15:15:37 Tony Arcieri wrote:
> What is the advantage of "fancy" threshold signature schemes? I'm really
> not seeing it aside from the space savings.

As already pointed out, the threshold scheme could have the property that signatures and public keys are indistinguishable from the ordinary  signature scheme, i.e.,  an observer cannot tell that you use threshold signatures. On the other hand you lose accountability, because you cannot blame the signer for wrongdoing.

The previous blog post provides some motivation (using Bitcoin as an example):
> Our method for achieving joint control has significant benefits over
> Bitcoin’s “multi-signature” transactions. With multi-signatures, each
> party’s signature is published to the block chain, whereas threshold
> signatures allow participants to privately create a single signature which
> is indistinguishable from ordinary Bitcoin signatures. You can think of our
> solution as “stealth multi-signatures.” This improves anonymity and
> confidentiality while keeping transactions a constant size, reducing fees
> and providing flexibility to scale to an arbitrary number of parties.
https://freedom-to-tinker.com/blog/stevenag/new-research-better-wallet-security-for-bitcoin/ 

If threshold signatures are worth the hassle probably depends on your needs. For Bitcoin, I buy the anonymity argument. Only few transactions use the "multi-signature" feature. So you blend in the crowd much better if you do not use this feature.

Tim