[curves] Threshold ECDSA / comparison to Schnorr

[Trevor Perrin]

On Tue, Mar 10, 2015 at 3:15 PM, Tony Arcieri <bascule at gmail.com> wrote:
> I have one question about these sorts of schemes...
>
> There's a naive approach where you don't attempt to model multisignature
> trust in terms of a single signature, but rather have a whitelisted set of
> keys, and have k / n potential signers produce an individual signature.


It makes sense to benchmark threshold-signing against multi-sigs, but
having good threshold signing would be nice:

 - Wouldn't have to design multi-sigs into every protocol

 - Bandwidth savings (e.g. transmitting m signatures and n public keys
for certificates)

 - Compute savings (e.g. verifying cert chains or secure boot on
low-end devices)

 - Some schemes have additional properties, e.g. proactive schemes let
you redistribute a set of n shares if there's still a secure
threshold, to recover from compromises

 - The anonymity aspect Tim mentioned - how you handle shares /
proactivization could be used to fingerprint parties in an anonymous
setting.


Trevor