Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C3E1FC9D for ; Mon, 9 Jul 2018 04:29:16 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 27C496B7 for ; Mon, 9 Jul 2018 04:29:16 +0000 (UTC) Received: by mail-wm0-f53.google.com with SMTP id b188-v6so19689946wme.3 for ; Sun, 08 Jul 2018 21:29:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7YfklWB3ZZHEi+xdX6Czz92r3xymD4kjh2XuHcMTM6s=; b=h17snO8IS5viB7SHRt5RMuGuF5LQAhs0QgW2J2BuNsNjlk0W5ZCp00pbHHZXVpjtxz /w2bgsuE/m3osgO4jX9i7RNd0FcehG6Z6bGbMwWYjNNQbCfkY/WsaUts0sbt6ckeCHrf bPbprh0XmIMPeTVFKilCfY0usX2bX8SSbR0ezU/KKJvhf9o7uDfOv+rp8H10beNdbRw7 ueR1V6eBphn7Yzakx8ziT2+VRip93jK29pQnKQulKrailc2ZXBx4FE5Q5Q3wjxqEKyOr 9AfU3MwiyYD8n1d+sd9f/Ds7L75QrjSNVSVX+r840ucbtGc8hOHyj6vN2LtI74iw900D SJXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7YfklWB3ZZHEi+xdX6Czz92r3xymD4kjh2XuHcMTM6s=; b=MbQK/t1R7Fqa4dLKj8lshlnWTV7saM+Lom2BCLH1Rby1YWcQcSfTVRyOlbx9KVMPOZ Baoh/2JijGD6FYcBxseEtCGDC721QbH/QRjbUrm740pwCyA8CfQIqm4III5Vwlo/I8zo ypuPPw0Zqb8KMzS/UCNWRD1Tr9E3pSXw7Phntbclsk/vA598TCEQa/c1tu/rSpC5v3qD yBUFi9dbjn+81+Y+yMz4QpE00D7Q7hTQ9KmSyaW4rg9lgnt1lcH7jnOB30LJvnc2BZvv 8xRXTrBJMXwSJIDgwDxfXn3mcpRoLEGJaLIx7VZGCfjFUxtLYwkJ9swFtGmajYqi4afT rlHA== X-Gm-Message-State: APt69E27RxFZ6iFqDzerXI13VOa+YsjSZ/PqD5ogGN9Kj9WX7E9BVYFT EpBr3h57J0jkF0Fv9nXW0L+Sttus/pff/2ykna4NV3Y= X-Google-Smtp-Source: AAOMgpfQvaGctDtsw7fdgBI9RKAYvFM/eLbzKT2AkgATIyYm5oCu2wR/FfMi4TVgVkvmgyh6jcf6Y3/CXNFLoQbCUhQ= X-Received: by 2002:a1c:cf81:: with SMTP id f123-v6mr11811407wmg.3.1531110554679; Sun, 08 Jul 2018 21:29:14 -0700 (PDT) MIME-Version: 1.0 References: <08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de> In-Reply-To: From: Erik Aronesty Date: Mon, 9 Jul 2018 00:29:02 -0400 Message-ID: To: Pieter Wuille Content-Type: multipart/alternative; boundary="000000000000b940aa0570897413" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 09 Jul 2018 15:04:57 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Multiparty signatures X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jul 2018 04:29:16 -0000 --000000000000b940aa0570897413 Content-Type: text/plain; charset="UTF-8" Because it's non-interactive, this construction can produce multisig signatures offline. Each device produces a signature using it's own k-share and x-share. It's only necessary to interpolate M of n shares. There are no round trips. The security is Shamir + discrete log. it's just something I've been tinkering with and I can't see an obvious problem. It's basically the same as schnorr, but you use a threshold hash to fix the need to be online. Just seems more useful to me. On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille wrote: > On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> Pretty sure these non interactive sigs are more secure. >> > > Schnorr signatures are provably secure in the random oracle model assuming > the discrete logarithm problem is hard in the used group. > > What does "more secure" mean? Is your construction secure with weaker > assumptions? > > -- > Pieter > > --000000000000b940aa0570897413 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Because it's non-interactive, this construction can p= roduce multisig signatures offline.=C2=A0 =C2=A0Each device produces a sign= ature using it's own k-share and x-share.=C2=A0 =C2=A0It's only nec= essary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.=C2=A0=C2=A0

it's just something= I've been tinkering with and I can't see an obvious problem.=C2=A0= =C2=A0

It's basicall= y the same as schnorr, but you use a threshold hash to fix the need to be o= nline.

Just seems more u= seful to me.


On Sun, Jul 8, 2018, 10:33 PM Pieter W= uille <pieter.wuille@gmail.co= m> wrote:
=
On Sun, Jul 8, 201= 8, 19:23 Erik Aronesty via bitcoin-dev <bitcoin-dev@l= ists.linuxfoundation.org> wrote:
Pretty sure these non interactive sigs are more secu= re.

S= chnorr signatures are provably secure in the random oracle model assuming t= he discrete logarithm problem is hard in the used group.

What does "more secure" mean? Is= your construction secure with weaker assumptions?
<= br>
--=C2=A0
Pieter

--000000000000b940aa0570897413--