[bitcoin-dev] Multiparty signatures

Erik Aronesty earonesty at gmail.com
Sun Jul 8 18:23:45 UTC 2018


You don't have to treat the hash as a group member for the purposes of
signing.

Everything else about the algorithm works the same.

This just enables signatures to be computed much more simply.

On Sun, Jul 8, 2018, 11:32 AM Tim Ruffing via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:

> Hi Erik,
>
> On Sun, 2018-07-08 at 10:19 -0400, Erik Aronesty via bitcoin-dev wrote:
> > Consider changing the "e" term in the schnorr algorithm to hash of
> > message (elligator style) to the power of r, rather than using
> > concatenation.
>
> How do you compute s = x*e if e is an element of group G?
> (Similar question: How do you verify if e is element of G?)
>
> Are you aware of
>  http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps ?
> This is a threshold signature scheme for Schnorr signatures, so what
> you want is possible already with Schnorr signatures.
>
> Best,
> Tim
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180708/d7a9e8b4/attachment-0001.html>


More information about the bitcoin-dev mailing list