From: Erik Aronesty <erik@q32.com>
Date: Mon, 9 Jul 2018 00:29:02 -0400
Message-ID: <CAJowKgLSQZ1LrZayDi7EFc-NSfK_AD+zBdyaF7jBeQRP7tOwYQ@mail.gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures

Because it's non-interactive, this construction can produce multisig
signatures offline. Each device produces a signature using its own
k-share and x-share. It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.

It's just something I've been tinkering with and I can't see an obvious
problem.

It's basically the same as Schnorr, but you use a threshold hash to fix the
need to be online.

Just seems more useful to me.


On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille@gmail.com> wrote:

> On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Pretty sure these non-interactive sigs are more secure.
>>
>
> Schnorr signatures are provably secure in the random oracle model assuming
> the discrete logarithm problem is hard in the used group.
>
> What does "more secure" mean? Is your construction secure with weaker
> assumptions?
>
> --
> Pieter
>
>
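
The share arithmetic the message relies on, as an added example that is not part of the original post and is not the author's construction: each device computes s_i = k_i + e*x_i from its own shares, and Lagrange interpolation of any M partials yields s = k + e*x, which passes ordinary Schnorr verification. Assumptions: a constructed toy group (P=2039, Q=1019, G=4), a trusted dealer that splits both x and k and publishes R = G^k, and illustrative function names; the "threshold hash" is not specified in this message and is not modelled.

```python
import hashlib
import secrets
from itertools import combinations

P, Q, G = 2039, 1019, 4  # constructed toy group: P = 2Q + 1, G has prime order Q

def split(secret, m, n):
    """Shamir-split `secret` over GF(Q): degree m-1 polynomial, shares at 1..n."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def interpolate(shares):
    """Lagrange-interpolate the shared polynomial at 0 from {index: value}."""
    total = 0
    for i, y in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def challenge(R, X, msg):
    """Schnorr challenge e = H(R, X, msg) reduced mod Q."""
    digest = hashlib.sha256(f"{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

def partial_sign(k_i, x_i, e):
    """What one offline device computes from its own k-share and x-share."""
    return (k_i + e * x_i) % Q

def verify(R, s, X, msg):
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P

def demo(msg=b"constructed message", m=2, n=3):
    # Assumed dealer setup; k must be fresh for every message, as in any Schnorr signature.
    x, k = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    X, R = pow(G, x, P), pow(G, k, P)        # public key and public nonce
    xs, ks = split(x, m, n), split(k, m, n)  # device i holds (xs[i], ks[i])
    e = challenge(R, X, msg)
    partial = {i: partial_sign(ks[i], xs[i], e) for i in xs}
    return {subset: verify(R, interpolate({i: partial[i] for i in subset}), X, msg)
            for subset in combinations(partial, m)}

if __name__ == "__main__":
    print(demo())
```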
