Return-Path: <earonesty@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 50C35CA6
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  8 Jul 2018 14:20:07 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id BAE06FC
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  8 Jul 2018 14:20:06 +0000 (UTC)
Received: by mail-wm0-f41.google.com with SMTP id v25-v6so18723547wmc.0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 08 Jul 2018 07:20:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=q32-com.20150623.gappssmtp.com; s=20150623;
	h=mime-version:from:date:message-id:subject:to;
	bh=66y0/aLLbfjRiK7dMtZ7q69H1N7Hcb6hFPPTQLky07s=;
	b=faXJd5HH1+v4iAcX9Z0CdZVOyudzPiLtVgwdeXM6I4gi61xdwh/Xa4GcaTBEsjZK3B
	Ai7yHap6D9hIZ/yWVXiNlfFBFjoiAwzfzWASpLSavr89U9yv7NJTY2pmvg/rgycB9QD+
	zgGxrbJvMsHqWKuBHSNzPUI2uZZ8P4cVYhqP8c3fxMQcM7AoekkKhJu8eI+Q/jXRR92r
	rQbCDygQEs1WFU+aUq03T3hk1zk0BMwp5xUTB8533IjOXryRf4jqfLR2eL+SmpavJgvN
	Gb4mChEIClL/wBJpl+UnW2sQQtQgoFqHDiDFvznIghjeQV8IR7FEJ6JfXOVFGwlojPzD
	riaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
	bh=66y0/aLLbfjRiK7dMtZ7q69H1N7Hcb6hFPPTQLky07s=;
	b=PR5l8axzUfrYdUn1ZO7/1m1D0grBi8a3b4kpX2CT3w9kARfByjeVxvlgdP28vfo5Wq
	UuXAKf9wQpTqgmR7JWSpMA6c6Ir6QMl44DhZzQ745i7eznGE1JXyv+hwSutRAlScFazL
	Kjvm3ygqQwT8+xIYanimT+VkL075Wqcmb2A/dSwrPisj1p/0m2jZ7JBfDhtvPeNkQvsl
	JA7nmaNWPSI9vEvt2saYizNo9FCkIcfaaDyauLTOBdZx3qXgYT2oYQDqZFfLVX/d+SxF
	A1f7tLGdv84JGF/5zexrLCwRmJu5ZvJah+w555uwhU8OZGy9QsyAefzDunQjhhaN7AiQ
	iqOQ==
X-Gm-Message-State: APt69E2ISSUV2hkye9fJGT5uEGVKPnyeUjC4BejRXZCBuMaG2JSduI/m
	mFCKMU5aKwBXGxtwxm8sKES+qciDt+MahBPm0nhwkzI7ow==
X-Google-Smtp-Source: AAOMgpcHseuxvuTlXMZAJhml7FHscsnLXZwhL2dCKrcpK21yJXn/JrSQgvTbHmnQDQ6m2h9AsMzHs622mXxI9B014oE=
X-Received: by 2002:a1c:dc41:: with SMTP id
	t62-v6mr10689983wmg.42.1531059604733; 
	Sun, 08 Jul 2018 07:20:04 -0700 (PDT)
MIME-Version: 1.0
From: Erik Aronesty <erik@q32.com>
Date: Sun, 8 Jul 2018 10:19:52 -0400
Message-ID: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000dec8a605707d9790"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Sun, 08 Jul 2018 14:26:15 +0000
Subject: [bitcoin-dev] Multiparty signatures
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jul 2018 14:20:07 -0000

--000000000000dec8a605707d9790
Content-Type: text/plain; charset="UTF-8"

To save space, start with the wiki terminology on schnorr sigs.

Consider changing the "e" term in the schnorr algorithm to hash of message
(elligator style) to the power of r, rather than using concatenation.

I don't think this changes the security.   An attacker would need to know k
to either way to compromise the private key.

This would allow m of n devices to sign a transaction without any of them
knowing a private key at all.

IE: each device can roll a random number as a share and the interpolation
of that is the private key.

The public shares can be broadcast and combines.  And signature shares can
be broadcast and combined.

The net result of this is it really possible for an arbitrary set of
devices to create a perfectly secure public-private key pair set.

At no point was the private key anywhere.

--000000000000dec8a605707d9790
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">To save space, start with the wiki terminology on schnorr=
 sigs.<div dir=3D"auto"><br></div><div dir=3D"auto">Consider changing the &=
quot;e&quot; term in the schnorr algorithm to hash of message (elligator st=
yle) to the power of r, rather than using concatenation.=C2=A0=C2=A0<div di=
r=3D"auto"><br></div><div dir=3D"auto">I don&#39;t think this changes the s=
ecurity.=C2=A0 =C2=A0An attacker would need to know k to either way to comp=
romise the private key.</div><div dir=3D"auto"><br></div><div dir=3D"auto">=
This would allow m of n devices to sign a transaction without any of them k=
nowing a private key at all.</div><div dir=3D"auto"><br></div><div dir=3D"a=
uto">IE: each device can roll a random number as a share and the interpolat=
ion of that is the private key.=C2=A0 =C2=A0</div><div dir=3D"auto"><br></d=
iv><div dir=3D"auto">The public shares can be broadcast and combines.=C2=A0=
 And signature shares can be broadcast and combined.</div><div dir=3D"auto"=
><br></div><div dir=3D"auto">The net result of this is it really possible f=
or an arbitrary set of devices to create a perfectly secure public-private =
key pair set.</div><div dir=3D"auto"><br></div><div dir=3D"auto">At no poin=
t was the private key anywhere.</div><div dir=3D"auto"><br></div><div dir=
=3D"auto"><br></div><div dir=3D"auto"><br></div></div></div>

--000000000000dec8a605707d9790--