[bitcoin-dev] Multiparty signatures

Erik Aronesty erik at q32.com
Mon Jul 9 16:33:01 UTC 2018


> More closely than what?

More closely than MuSig.

In fact, there's no need to distribute the hash at all if you have the first
round; you can leave the Schnorr construction... Thanks for the feedback.
I literally can't think about this stuff without someone asking questions.

1. For those who asked, the construction from section 7.1 of this paper
describes how to use Lagrange interpolation in a group context:
        http://crypto.stanford.edu/~dabo/papers/homprf.pdf

2. Using Shamir interpolation is cleaner than the additive multisig.

3. Taking your comments into consideration, I think it's possible to remove
the point multiplication instead of a hash and stick to Schnorr "as is",
and still cut out all but one online round:

OK, so this is a new multisig variant of Schnorr with fewer rounds... I
know this is possible, I just needed to have that back and forth... sorry:

For the sake of terminology and typing in ASCII, I'm using ^ to mean "point
multiplication".

Each party:

1. Has a public g^x
2. Computes and broadcasts g^k' ... where k' is a random number
3. Computes r = g^k using Lagrange interpolation (see
http://crypto.stanford.edu/~dabo/papers/homprf.pdf)
4. Computes H(r || M), as per standard Schnorr
5. Computes s' = k' - xe, as per standard Schnorr... except k' is a "share"
6. Publishes (s', e)

Verification:

With m of n share-signatures:

1. Use Lagrange interpolation on m of n s' shares to get s
2. Standard Schnorr verification

- Erik




On Mon, Jul 9, 2018 at 11:59 AM, Gregory Maxwell <greg at xiph.org> wrote:

> On Mon, Jul 9, 2018 at 3:02 PM, Erik Aronesty via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > with
> > security assumptions that match the original Schnorr construction more
> > closely,
>
> More closely than what?
>
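Editor's note: the six signing steps and two verification steps above, run end to end as an added Python example. This is not the poster's code and it fills in things the post leaves open: it assumes a trusted dealer hands out Shamir shares of x, uses the order-q subgroup of Z_p^* for a 64-bit safe prime p = 2q+1 (far too small for real use; picked so the example runs offline in well under a second), takes H to be SHA-256 reduced mod q, and indexes shares 1..n. Function names (`round1`, `nonce_point`, `round2`, `combine`, `verify`, `demo`) are this example's own. The `demo` function also exercises one consequence of the construction as written: because the k'_i are fresh randomness rather than shares of a single polynomial, the signer set used to interpolate r must be exactly the set whose s'_i are later interpolated to s, otherwise the signature does not verify.

```python
"""Toy m-of-n threshold Schnorr with the round structure from the post:
broadcast g^k'_i, recover r = g^k by Lagrange interpolation in the exponent,
emit s'_i = k'_i - x_i*e, recover s by ordinary Lagrange interpolation.
Assumptions (not in the post): trusted dealer, 64-bit safe-prime group,
H = SHA-256 mod q.  Illustration only, nothing here is safe for real use."""
import hashlib
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact below 3.3e24."""
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=2018):
    """(p, q, g): safe prime p = 2q+1 and a generator g of the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)  # nontrivial square has order q


def lagrange_at_zero(i, idxs, q):
    """lambda_i such that sum(lambda_i * f(i) for i in idxs) == f(0) mod q."""
    num = den = 1
    for j in idxs:
        if j != i:
            num, den = num * (-j) % q, den * (i - j) % q
    return num * pow(den, -1, q) % q


def shamir_share(secret, m, n, q, rng):
    """Degree m-1 polynomial with constant term `secret`, evaluated at 1..n."""
    coeffs = [secret] + [rng.randrange(q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, d, q) for d, c in enumerate(coeffs)) % q for i in range(1, n + 1)}


def dealer_keygen(m, n, p, q, g, rng):
    """Assumed trusted dealer (the post does not say how x is shared)."""
    x = rng.randrange(1, q)
    return pow(g, x, p), shamir_share(x, m, n, q, rng)


def challenge(r, msg, q):
    """Step 4: e = H(r || M) mod q, as in plain Schnorr."""
    rb = r.to_bytes((r.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(rb + msg).digest(), "big") % q


def round1(signers, p, q, g, rng):
    """Step 2: each signer picks k'_i and broadcasts g^k'_i."""
    k = {i: rng.randrange(1, q) for i in signers}
    return k, {i: pow(g, k[i], p) for i in signers}


def nonce_point(commitments, p, q):
    """Step 3: r = prod (g^k'_i)^lambda_i = g^k, interpolation in the exponent."""
    idxs, r = list(commitments), 1
    for i, R in commitments.items():
        r = r * pow(R, lagrange_at_zero(i, idxs, q), p) % p
    return r


def round2(k_i, x_i, e, q):
    """Step 5: s'_i = k'_i - x_i*e, which is a share of s = k - x*e."""
    return (k_i - x_i * e) % q


def combine(sig_shares, q):
    """Verifier step 1: interpolate the s'_i shares to s."""
    idxs = list(sig_shares)
    return sum(lagrange_at_zero(i, idxs, q) * s for i, s in sig_shares.items()) % q


def verify(y, msg, s, e, p, q, g):
    """Verifier step 2: standard Schnorr, r' = g^s * y^e and e == H(r' || M)."""
    return challenge(pow(g, s, p) * pow(y, e, p) % p, msg, q) == e


def threshold_sign(msg, signers, key_shares, p, q, g, rng):
    """One full signing session for a fixed signer set; returns (s, e)."""
    k, commitments = round1(signers, p, q, g, rng)
    e = challenge(nonce_point(commitments, p, q), msg, q)
    return combine({i: round2(k[i], key_shares[i], e, q) for i in signers}, q), e


def demo(m=3, n=5, seed=7):
    rng = random.Random(seed)
    p, q, g = make_group(seed=seed)
    y, shares = dealer_keygen(m, n, p, q, g, rng)
    msg = b"constructed sample message"  # constructed input
    s, e = threshold_sign(msg, [1, 2, 3], shares, p, q, g, rng)
    # Caveat: the k'_i are not shares of one polynomial, so r interpolated
    # from {1,2,3} does not match s interpolated from {1,2,4}.
    k, comm = round1([1, 2, 3, 4], p, q, g, rng)
    e2 = challenge(nonce_point({i: comm[i] for i in (1, 2, 3)}, p, q), msg, q)
    s2 = combine({i: round2(k[i], shares[i], e2, q) for i in (1, 2, 4)}, q)
    return {"valid": verify(y, msg, s, e, p, q, g),
            "wrong_msg": verify(y, b"other", s, e, p, q, g),
            "mismatched_subset": verify(y, msg, s2, e2, p, q, g)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `valid` True and the other two False. The example only mirrors the round structure; it says nothing about the security questions raised elsewhere in this thread (key generation, how the per-party commitments are bound before r is fixed, or what an adversarial signer can do with its share), which the post itself leaves open.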