[curves] Threshold ECDSA / comparison to Schnorr

Steven A Goldfeder stevenag at princeton.edu
Sun Mar 15 21:29:47 PDT 2015


> I have one question about these sorts of schemes...
>
> There's a naive approach where you don't attempt to model multisignature
> trust in terms of a single signature, but rather have a whitelisted set of
> keys, and have k / n potential signers produce an individual signature.

Indeed, Bitcoin's built in mutlsig feature takes exactly this approach and
allows for addresses that have multiple associated keys. However, these
addresses are distinguishable from single-key addresses, and also the
information about the access structure being used is published on the block
chain. This has negative implications for privacy and anonymity. See
section 4.3.2 of our paper for a full discussion on this point:
http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf.

On Mon, Mar 16, 2015 at 12:22 AM, Steven Goldfeder <sgoldfed at gmail.com>
wrote:

> > I have one question about these sorts of schemes...
> >
> > There's a naive approach where you don't attempt to model multisignature
> > trust in terms of a single signature, but rather have a whitelisted set
> of
> > keys, and have k / n potential signers produce an individual signature.
>
> Indeed, Bitcoin's built in mutlsig feature takes exactly this approach and
> allows for addresses that have multiple associated keys. However, these
> addresses are distinguishable from single-key addresses, and also the
> information about the access structure being used is published on the block
> chain. This has negative implications for privacy and anonymity. See
> section 4.3.2 of our paper for a full discussion on this point:
> http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf.
>
> On Sun, Mar 15, 2015 at 11:29 PM, Tom Ritter <tom at ritter.vg> wrote:
>
>> On the topic of threshold ECC, I'll point to an implementation I ran
>> across recently:
>>
>> https://github.com/cwgit/ximix/tree/master/common/src/main/java/org/cryptoworkshop/ximix/common/crypto/threshold
>>
>> The entire repo seems particularly interesting, but I haven't had time
>> to dig into it closely.  RPC-based mixnet?
>>
>> -tom
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150316/551f17fe/attachment.html>


More information about the Curves mailing list