Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
	designates 74.125.82.173 as permitted sender)
	client-ip=74.125.82.173; envelope-from=natanael.l@gmail.com;
	helo=mail-we0-f173.google.com; 
MIME-Version: 1.0
In-Reply-To: <20140308174101.GA21902@netbook.cypherspace.org>
References: <CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com>
	<531AD080.40501@gmail.com>
	<CA+su7OWx9jrgUJrOH=tg1968vr1G1w7yXjgaRSyYJ0zRBjwpqg@mail.gmail.com>
	<531AF2EA.50904@gmail.com>
	<20140308174101.GA21902@netbook.cypherspace.org>
Date: Sat, 8 Mar 2014 19:15:47 +0100
Message-ID: <CAAt2M18Jcfo8nFBM+PppkWhmWhF4bd3fpRL2--=jZw4We1-kPw@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: Adam Back <adam@cypherspace.org>
Content-Type: multipart/alternative; boundary=047d7bfcfc9811739304f41c5c28
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC
 addition? (Oracle protocol)
Precedence: list

--047d7bfcfc9811739304f41c5c28
Content-Type: text/plain; charset=UTF-8

You can always use a secure multiparty computation algorithm to do it.

https://en.wikipedia.org/wiki/Secure_multi-party_computation

But those aren't the fastest algorithms in the world, and usually both
participants needs to be online at the same time. I guess most people would
prefer a two-step algorithm that can be performed asynchronously.

- Sent from my phone
Den 8 mar 2014 18:44 skrev "Adam Back" <adam@cypherspace.org>:

> Also the other limitation for ECDSA is that there is no known protocol to
> create a signture with a+b (where keys P=aG, Q=bG, R=P+Q=(a+b)G). without
> either a sending its private key to b or viceversa (or both to a third
> party).
>
> With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a
> (secure)
> direct multiparty signature quite difficult.
>
> ps probably only 1 party needs to hash their key
>
> P=aG
>             H(P) ->
>
>                 <- Q=bG
>
>            P ->
>
> Adam
>
> On Sat, Mar 08, 2014 at 12:37:30PM +0200, Joel Kaartinen wrote:
> >   If both parties insist on seeing a hash of the other party's public key
> >   before they'll show their own public key, they can be sure that the
> >   public key is not chosen based on the public key they themselves
> >   presented.
>
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works.
> Faster operations. Version large binaries.  Built-in WAN optimization and
> the
> freedom to use Git, Perforce or both. Make the move to Perforce.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

--047d7bfcfc9811739304f41c5c28
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">You can always use a secure multiparty computation algorithm=
 to do it. </p>
<p dir=3D"ltr"><a href=3D"https://en.wikipedia.org/wiki/Secure_multi-party_=
computation">https://en.wikipedia.org/wiki/Secure_multi-party_computation</=
a></p>
<p dir=3D"ltr">But those aren&#39;t the fastest algorithms in the world, an=
d usually both participants needs to be online at the same time. I guess mo=
st people would prefer a two-step algorithm that can be performed asynchron=
ously.</p>

<p dir=3D"ltr">- Sent from my phone</p>
<div class=3D"gmail_quote">Den 8 mar 2014 18:44 skrev &quot;Adam Back&quot;=
 &lt;<a href=3D"mailto:adam@cypherspace.org">adam@cypherspace.org</a>&gt;:<=
br type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0=
 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also the other limitation for ECDSA is that there is no known protocol to<b=
r>
create a signture with a+b (where keys P=3DaG, Q=3DbG, R=3DP+Q=3D(a+b)G). w=
ithout<br>
either a sending its private key to b or viceversa (or both to a third<br>
party).<br>
<br>
With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a (secure=
)<br>
direct multiparty signature quite difficult.<br>
<br>
ps probably only 1 party needs to hash their key<br>
<br>
P=3DaG<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 H(P) -&gt;<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 &lt;- Q=3DbG<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0P -&gt;<br>
<br>
Adam<br>
<br>
On Sat, Mar 08, 2014 at 12:37:30PM +0200, Joel Kaartinen wrote:<br>
&gt; =C2=A0 If both parties insist on seeing a hash of the other party&#39;=
s public key<br>
&gt; =C2=A0 before they&#39;ll show their own public key, they can be sure =
that the<br>
&gt; =C2=A0 public key is not chosen based on the public key they themselve=
s<br>
&gt; =C2=A0 presented.<br>
<br>
---------------------------------------------------------------------------=
---<br>
Subversion Kills Productivity. Get off Subversion &amp; Make the Move to Pe=
rforce.<br>
With Perforce, you get hassle-free workflows. Merge that actually works.<br=
>
Faster operations. Version large binaries. =C2=A0Built-in WAN optimization =
and the<br>
freedom to use Git, Perforce or both. Make the move to Perforce.<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D122218951&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D122218951&amp;iu=3D/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</blockquote></div>

--047d7bfcfc9811739304f41c5c28--