Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1QwhVw-0005ED-TP for bitcoin-development@lists.sourceforge.net; Thu, 25 Aug 2011 21:31:04 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.216.182 as permitted sender) client-ip=209.85.216.182; envelope-from=decker.christian@gmail.com; helo=mail-qy0-f182.google.com; Received: from mail-qy0-f182.google.com ([209.85.216.182]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1QwhVw-0005Su-76 for bitcoin-development@lists.sourceforge.net; Thu, 25 Aug 2011 21:31:04 +0000 Received: by qyk9 with SMTP id 9so2225647qyk.13 for ; Thu, 25 Aug 2011 14:30:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.142.238.8 with SMTP id l8mr100140wfh.337.1314307858516; Thu, 25 Aug 2011 14:30:58 -0700 (PDT) Received: by 10.68.54.163 with HTTP; Thu, 25 Aug 2011 14:30:56 -0700 (PDT) Received: by 10.68.54.163 with HTTP; Thu, 25 Aug 2011 14:30:56 -0700 (PDT) In-Reply-To: References: Date: Thu, 25 Aug 2011 23:30:56 +0200 Message-ID: From: Christian Decker To: Bitcoin Dev Content-Type: multipart/alternative; boundary=000e0cd23ecc084ad504ab5b255d X-Spam-Score: -0.1 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (decker.christian[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.5 AWL AWL: From: address is in the auto white-list X-Headers-End: 1QwhVw-0005Su-76 Subject: Re: [Bitcoin-development] New standard transaction types: time to schedule a blockchain split? X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Aug 2011 21:31:05 -0000 --000e0cd23ecc084ad504ab5b255d Content-Type: text/plain; charset=ISO-8859-1 If I remember the details correctly you could combine (lagrange interpolation) the results of m smaller encryptions/signatures without ever sharing the secret key share itself. No idea if that is possible with ecdsa at all, but it sure would solve quite a few problems, as it would allow several independent servers to share a secret key, sign transactions with it, but no m-1 compromised machines would endanger the whole balance. I will definitely look into it when I'm back from holidays. Cheers, Cdecker On Aug 24, 2011 9:29 PM, "Gregory Maxwell" wrote: > On Wed, Aug 24, 2011 at 3:05 PM, Christian Decker > wrote: >> we could add an rsa-like scheme which allows m-out-of-n signatures. It works >> by distributing shares of the key which are points on a curve having the >> actual key as 0-value. It does not require special length for the key so if >> ecdsa allows something similar there need not be anything changed. > > This works fine for ECC. But it requires that the composite key > signer has simultaneous access to all the key-parts, so it doesn't > solve the "my PC has malware" problem. --000e0cd23ecc084ad504ab5b255d Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

If I remember the details correctly you could combine (lagrange interpol= ation) the results of m smaller encryptions/signatures without ever sharing= the secret key share itself. No idea if that is possible with ecdsa at all= , but it sure would solve quite a few problems, as it would allow several i= ndependent servers to share a secret key, sign transactions with it, but no= m-1 compromised machines would endanger the whole balance.
I will definitely look into it when I'm back from holidays.

Cheers,
Cdecker

On Aug 24, 2011 9:29 PM, "Gregory Maxwell&q= uot; <gmaxwell@gmail.com> w= rote:
> On Wed, Aug 24, 2011 at 3:05 PM, Christi= an Decker
> <decker.christian@gma= il.com> wrote:
>> we could add an rsa-like scheme which all= ows m-out-of-n signatures. It works
>> by distributing shares of t= he key which are points on a curve having the
>> actual key as 0-value. It does not require special length for the = key so if
>> ecdsa allows something similar there need not be anyt= hing changed.
>
> This works fine for ECC. But it requires th= at the composite key
> signer has simultaneous access to all the key-parts, so it doesn't=
> solve the "my PC has malware" problem.
--000e0cd23ecc084ad504ab5b255d--