From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Sun, 8 Jul 2018 19:29:19 -0700
Message-ID: <CAPg+sBhGHOcyS7M2-Vm5en7Z+74pP5gzLbX_Lx_qyi0KDtOnwQ@mail.gmail.com>
To: erik@q32.com, Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures

On Sun, Jul 8, 2018, 07:26 Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> To save space, start with the wiki terminology on schnorr sigs.
>
> Consider changing the "e" term in the schnorr algorithm to hash of message
> (elligator style) to the power of r, rather than using concatenation.
>

This is a very vague description. Is there some paper you can reference, or
a more detailed explanation of the algorithm?

> This would allow m of n devices to sign a transaction without any of them
> knowing a private key at all.
>
> IE: each device can roll a random number as a share and the interpolation
> of that is the private key.
>
> The public shares can be broadcast and combined.  And signature shares can
> be broadcast and combined.
>
> The net result of this is it is really possible for an arbitrary set of
> devices to create a perfectly secure public-private key pair set.
>
> At no point was the private key anywhere.
>

All of this sounds like a threshold signature scheme, which as Tim pointed
out is already possible with Schnorr.

What are the advantages of what you're describing?

Cheers,

-- 
Pieter
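
Added example, not part of the original message or of any project's code: a t-of-n Schnorr signature over Shamir shares, showing that the properties in the quoted text (no device holds the private key, public shares and signature shares are broadcast and combined) hold with the standard concatenation-based challenge. The toy group (p = 2039, q = 1019, g = 4) and all function names are assumptions; the devices are simulated in one process and assumed to follow the protocol honestly.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P_MOD, Q, G = 2039, 1019, 4

def challenge(R, pub, msg):
    """Standard Schnorr challenge e = H(R || P || m) mod q (concatenation)."""
    data = R.to_bytes(2, "big") + pub.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_q; coeffs[0] is the constant term."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def keygen(n, t):
    """Dealerless: device j keeps only sum_i f_i(j); sum_i f_i(0) is never formed."""
    # Each inner list is one device's private random polynomial of degree t-1.
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(poly_eval(f, j) for f in polys) % Q for j in range(1, n + 1)}
    pub = 1
    for f in polys:  # combine the broadcast public pieces g^f_i(0)
        pub = pub * pow(G, f[0], P_MOD) % P_MOD
    return shares, pub

def lagrange_at_zero(j, signers):
    """Lagrange coefficient of signer j for interpolation at x = 0."""
    num = den = 1
    for m in signers:
        if m != j:
            num = num * (-m) % Q
            den = den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def threshold_sign(shares, signers, pub, msg):
    """Combine public nonces R_j = g^k_j and partials s_j = k_j + e*lambda_j*x_j."""
    nonces = {j: secrets.randbelow(Q - 1) + 1 for j in signers}
    R = 1
    for k in nonces.values():
        R = R * pow(G, k, P_MOD) % P_MOD
    e = challenge(R, pub, msg)
    s = sum(nonces[j] + e * lagrange_at_zero(j, signers) * shares[j]
            for j in signers) % Q
    return R, s

def verify(pub, msg, sig):
    """Ordinary single-key Schnorr verification: g^s == R * P^e (mod p)."""
    R, s = sig
    return pow(G, s, P_MOD) == R * pow(pub, challenge(R, pub, msg), P_MOD) % P_MOD
```

Any 3 of 5 devices from `keygen(5, 3)` produce a signature that `verify` accepts against the single combined public key, so the verifier cannot tell it from an ordinary Schnorr signature.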
