[Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys
Matt Whitlock
bip at mattwhitlock.name
Sat Mar 29 15:01:45 UTC 2014
On Saturday, 29 March 2014, at 7:36 am, Gregory Maxwell wrote:
> On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <wbl at uchicago.edu> wrote:
> > This is not the case: one can use MPC techniques to compute a
> > signature from shares without reconstructing the private key. There is
> > a paper on this for bitcoin, but I don't know where it is.
>
> Practically speaking you cannot unless the technique used is one
> carefully selected to make it possible. This proposal isn't such a
> scheme I beleieve, however, and I think I'd strongly prefer that we
> BIP standardize a formulation which also has this property.
I too would prefer that, but I do not believe there exists a method for computing a traditional signature from decomposed private key shares. Unless I'm mistaken, the composed signature has a different formula and requires a different verification algorithm from the ECDSA signatures we're using today. Thus, such a scheme would require a change to the Bitcoin scripting language. I specifically did not want to address that in my BIP because changes like that take too long. I am aiming to be useful in the present.
More information about the bitcoin-dev
mailing list