1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
Return-Path: <pieter.wuille@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 518E1CAF
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 9 Jul 2018 02:29:31 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com
[209.85.218.48])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E16626B7
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 9 Jul 2018 02:29:30 +0000 (UTC)
Received: by mail-oi0-f48.google.com with SMTP id q11-v6so7494765oic.12
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 08 Jul 2018 19:29:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=2sj8yVyw8Uw3vCZoCVsIBYziD+t1s9wZAzzTgQMHqDs=;
b=lJsqFmdbfzB2wsmyEqpwienBEP3nC2eC9WCgwNE+rrWlER6xA0f8pkDZq/3pUSzrW+
9pgi8oKkD9EMW9ZhdDEWdEcME+bNc48DaVHGmp2HaXTrFu37fKLr3WyG7Ar/ZMNLWVfK
+Mpwie/52d/4Jwmky7YCZSmE+mUCIp7hziVwIDdBU4DZVR1UqBvUGtLWuXeKVV3bCwS3
n0MS71JMEG3A79aXUMXN+xPMAN1HMQs79Oz3zS+io/ETtNS/OfPFdXkTyLTfHd0bKA+t
ATAqwcTNMcekym4+IeboKhUmCjwQHo/tm3S21kG6+suURRqfrL0zcs26Nrx4ffre4a20
jigw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=2sj8yVyw8Uw3vCZoCVsIBYziD+t1s9wZAzzTgQMHqDs=;
b=ukDbOlPPNqf53XXPM99vwlADB6pcRXPxDI02aLjqtv1xjRiBfs4VdSZZZKHleDLAoR
OdW/kiO+6yKfVKQevSO9aU0dRGxm/T9v1+T2/GNoaI96+55ccwu+ZSgQy6TtQZXnEH6b
qR+UBmkCslcsKnHNbAW7kn12ho37ap0EBWT0uclNtFdyoEE93pSU+JCzmHrEgermTcPP
iljA6gCmCIKuLWWcqFnnjAMsyRyqPbOP46GTjZYheO/kBPZYQKVbp1Nlt9q5FCLLvfoB
W+sFrRV0MJWBWvnMuITypVo+CB/STLfNZf7rk+49J7b8ttH14siOyBDqN9cmuiw3nO7N
SX+w==
X-Gm-Message-State: APt69E3S4ZnncvwwzhMo6YV21A86tQ03QxHycDq/tIUoLfqEhurhPErH
AiH+ibEQk4EvJo3sjozn3+3pxT7aDD6tYiJYNDiQOA==
X-Google-Smtp-Source: AAOMgpcrMpovuwt3ix7gajlDSzra6raUaI9rdvDOuf9AQ7zE7nbBoF+/BhInOEakJVaVVQwayuEjvMlu1xNye6sRxaw=
X-Received: by 2002:aca:41d7:: with SMTP id
o206-v6mr20039356oia.172.1531103370075;
Sun, 08 Jul 2018 19:29:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
In-Reply-To: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Sun, 8 Jul 2018 19:29:19 -0700
Message-ID: <CAPg+sBhGHOcyS7M2-Vm5en7Z+74pP5gzLbX_Lx_qyi0KDtOnwQ@mail.gmail.com>
To: erik@q32.com, Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000007ce592057087c882"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Multiparty signatures
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 02:29:31 -0000
--0000000000007ce592057087c882
Content-Type: text/plain; charset="UTF-8"
On Sun, Jul 8, 2018, 07:26 Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> To save space, start with the wiki terminology on schnorr sigs.
>
> Consider changing the "e" term in the schnorr algorithm to hash of message
> (elligator style) to the power of r, rather than using concatenation.
>
This is a very vague description. Is there some paper you can reference, or
a more detailed explanation of the algorithm?
This would allow m of n devices to sign a transaction without any of them
> knowing a private key at all.
>
IE: each device can roll a random number as a share and the interpolation
> of that is the private key.
>
> The public shares can be broadcast and combines. And signature shares can
> be broadcast and combined.
>
> The net result of this is it really possible for an arbitrary set of
> devices to create a perfectly secure public-private key pair set.
>
At no point was the private key anywhere.
>
All of this sounds like a threshold signature scheme, which as Tim pointed
out is already possible with Schnorr.
What are the advantages of what you're describing?
Cheers,
--
Pieter
--0000000000007ce592057087c882
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto"><div><div class=3D"gmail_quote"><div dir=3D"ltr">On Sun, =
Jul 8, 2018, 07:26 Erik Aronesty via bitcoin-dev <<a href=3D"mailto:bitc=
oin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a=
>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0=
0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"auto">To s=
ave space, start with the wiki terminology on schnorr sigs.<div dir=3D"auto=
"><br></div><div dir=3D"auto">Consider changing the "e" term in t=
he schnorr algorithm to hash of message (elligator style) to the power of r=
, rather than using concatenation.=C2=A0=C2=A0</div></div></blockquote></di=
v></div><div dir=3D"auto"><br></div><div dir=3D"auto">This is a very vague =
description. Is there some paper you can reference, or a more detailed expl=
anation of the algorithm?</div><div dir=3D"auto"><br></div><div dir=3D"auto=
"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"aut=
o"><div dir=3D"auto"><div dir=3D"auto">This would allow m of n devices to s=
ign a transaction without any of them knowing a private key at all.</div></=
div></div></blockquote></div></div><div dir=3D"auto"></div><div dir=3D"auto=
"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"aut=
o"><div dir=3D"auto"><div dir=3D"auto">IE: each device can roll a random nu=
mber as a share and the interpolation of that is the private key.=C2=A0 =C2=
=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">The public shares ca=
n be broadcast and combines.=C2=A0 And signature shares can be broadcast an=
d combined.</div><div dir=3D"auto"><br></div><div dir=3D"auto">The net resu=
lt of this is it really possible for an arbitrary set of devices to create =
a perfectly secure public-private key pair set.</div></div></div></blockquo=
te></div></div><div dir=3D"auto"><div class=3D"gmail_quote"><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pa=
dding-left:1ex"><div dir=3D"auto"><div dir=3D"auto"><div dir=3D"auto">At no=
point was the private key anywhere.</div></div></div></blockquote></div></=
div><div dir=3D"auto"><br></div><div dir=3D"auto">All of this sounds like a=
threshold signature scheme, which as Tim pointed out is already possible w=
ith Schnorr.</div><div dir=3D"auto"><br></div><div dir=3D"auto">What are th=
e advantages of what you're describing?</div><div dir=3D"auto"><br></di=
v><div dir=3D"auto">Cheers,</div><div dir=3D"auto"><br></div><div dir=3D"au=
to">--=C2=A0</div><div dir=3D"auto">Pieter</div><div dir=3D"auto"><br></div=
><div dir=3D"auto"><div class=3D"gmail_quote"><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex=
">
</blockquote></div></div></div>
--0000000000007ce592057087c882--
|