[bitcoin-dev] Multiparty signatures

Erik Aronesty erik at q32.com
Sun Jul 8 14:19:52 UTC 2018


To save space, start with the wiki terminology on schnorr sigs.

Consider changing the "e" term in the schnorr algorithm to hash of message
(elligator style) to the power of r, rather than using concatenation.

I don't think this changes the security.   An attacker would need to know k
to either way to compromise the private key.

This would allow m of n devices to sign a transaction without any of them
knowing a private key at all.

IE: each device can roll a random number as a share and the interpolation
of that is the private key.

The public shares can be broadcast and combines.  And signature shares can
be broadcast and combined.

The net result of this is it really possible for an arbitrary set of
devices to create a perfectly secure public-private key pair set.

At no point was the private key anywhere.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180708/cbdf80dd/attachment.html>


More information about the bitcoin-dev mailing list