[bitcoin-dev] Multiparty signatures
Erik Aronesty
erik at q32.com
Fri Jul 20 17:34:29 UTC 2018
Hi, thanks for all the help. I'm going to summarize again, and see if
we've arrived at the correct solution for an M of N "single sig" extension
of MuSig, which I think we have.
- Using MuSig's solution for the blinding to solve the Wagner attack
- Using interpolation to enhance MuSig to be M of N instead of M of M
References:
- MuSig
https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
- HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1
and 7.4)
Each party:
1. Publishes public key G*xi
3. Xi = H(G*xi) ... Xi is the parties x coordinate, for the purposes of
interpolation
3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)
4. L = H(X1,X2,…) (see MuSig)
5. X = sum of all H(L,Xi)Xi (see MuSig)
6. Computes e = H(r | M | X) .... standard schnorr e... not a share
7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is
the private data
8. Publishes (si, e, G*Xi)
Any party can then derive s from m of n shares, by interpolating, not
adding.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180720/f3f8901d/attachment-0001.html>
More information about the bitcoin-dev
mailing list