[bitcoin-dev] Multiparty signatures

Erik Aronesty erik at q32.com
Mon Jul 9 04:29:02 UTC 2018

Because it's non-interactive, this construction can produce multisig
signatures offline.   Each device produces a signature using it's own
k-share and x-share.   It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.

it's just something I've been tinkering with and I can't see an obvious

It's basically the same as schnorr, but you use a threshold hash to fix the
need to be online.

Just seems more useful to me.

On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille at gmail.com> wrote:

> On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>> Pretty sure these non interactive sigs are more secure.
> Schnorr signatures are provably secure in the random oracle model assuming
> the discrete logarithm problem is hard in the used group.
> What does "more secure" mean? Is your construction secure with weaker
> assumptions?
> --
> Pieter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180709/364d4561/attachment.html>

More information about the bitcoin-dev mailing list