[bitcoin-dev] Multiparty signatures

Erik Aronesty erik at q32.com
Mon Jul 9 04:29:02 UTC 2018


Because it's non-interactive, this construction can produce multisig
signatures offline.   Each device produces a signature using it's own
k-share and x-share.   It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.

it's just something I've been tinkering with and I can't see an obvious
problem.

It's basically the same as schnorr, but you use a threshold hash to fix the
need to be online.

Just seems more useful to me.


On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille at gmail.com> wrote:

> On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>> Pretty sure these non interactive sigs are more secure.
>>
>
> Schnorr signatures are provably secure in the random oracle model assuming
> the discrete logarithm problem is hard in the used group.
>
> What does "more secure" mean? Is your construction secure with weaker
> assumptions?
>
> --
> Pieter
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180709/364d4561/attachment.html>


More information about the bitcoin-dev mailing list