Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 50C35CA6 for ; Sun, 8 Jul 2018 14:20:07 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id BAE06FC for ; Sun, 8 Jul 2018 14:20:06 +0000 (UTC) Received: by mail-wm0-f41.google.com with SMTP id v25-v6so18723547wmc.0 for ; Sun, 08 Jul 2018 07:20:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=66y0/aLLbfjRiK7dMtZ7q69H1N7Hcb6hFPPTQLky07s=; b=faXJd5HH1+v4iAcX9Z0CdZVOyudzPiLtVgwdeXM6I4gi61xdwh/Xa4GcaTBEsjZK3B Ai7yHap6D9hIZ/yWVXiNlfFBFjoiAwzfzWASpLSavr89U9yv7NJTY2pmvg/rgycB9QD+ zgGxrbJvMsHqWKuBHSNzPUI2uZZ8P4cVYhqP8c3fxMQcM7AoekkKhJu8eI+Q/jXRR92r rQbCDygQEs1WFU+aUq03T3hk1zk0BMwp5xUTB8533IjOXryRf4jqfLR2eL+SmpavJgvN Gb4mChEIClL/wBJpl+UnW2sQQtQgoFqHDiDFvznIghjeQV8IR7FEJ6JfXOVFGwlojPzD riaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=66y0/aLLbfjRiK7dMtZ7q69H1N7Hcb6hFPPTQLky07s=; b=PR5l8axzUfrYdUn1ZO7/1m1D0grBi8a3b4kpX2CT3w9kARfByjeVxvlgdP28vfo5Wq UuXAKf9wQpTqgmR7JWSpMA6c6Ir6QMl44DhZzQ745i7eznGE1JXyv+hwSutRAlScFazL Kjvm3ygqQwT8+xIYanimT+VkL075Wqcmb2A/dSwrPisj1p/0m2jZ7JBfDhtvPeNkQvsl JA7nmaNWPSI9vEvt2saYizNo9FCkIcfaaDyauLTOBdZx3qXgYT2oYQDqZFfLVX/d+SxF A1f7tLGdv84JGF/5zexrLCwRmJu5ZvJah+w555uwhU8OZGy9QsyAefzDunQjhhaN7AiQ iqOQ== X-Gm-Message-State: APt69E2ISSUV2hkye9fJGT5uEGVKPnyeUjC4BejRXZCBuMaG2JSduI/m mFCKMU5aKwBXGxtwxm8sKES+qciDt+MahBPm0nhwkzI7ow== X-Google-Smtp-Source: AAOMgpcHseuxvuTlXMZAJhml7FHscsnLXZwhL2dCKrcpK21yJXn/JrSQgvTbHmnQDQ6m2h9AsMzHs622mXxI9B014oE= X-Received: by 2002:a1c:dc41:: with SMTP id t62-v6mr10689983wmg.42.1531059604733; Sun, 08 Jul 2018 07:20:04 -0700 (PDT) MIME-Version: 1.0 From: Erik Aronesty Date: Sun, 8 Jul 2018 10:19:52 -0400 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000dec8a605707d9790" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 08 Jul 2018 14:26:15 +0000 Subject: [bitcoin-dev] Multiparty signatures X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Jul 2018 14:20:07 -0000 --000000000000dec8a605707d9790 Content-Type: text/plain; charset="UTF-8" To save space, start with the wiki terminology on schnorr sigs. Consider changing the "e" term in the schnorr algorithm to hash of message (elligator style) to the power of r, rather than using concatenation. I don't think this changes the security. An attacker would need to know k to either way to compromise the private key. This would allow m of n devices to sign a transaction without any of them knowing a private key at all. IE: each device can roll a random number as a share and the interpolation of that is the private key. The public shares can be broadcast and combines. And signature shares can be broadcast and combined. The net result of this is it really possible for an arbitrary set of devices to create a perfectly secure public-private key pair set. At no point was the private key anywhere. --000000000000dec8a605707d9790 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
To save space, start with the wiki terminology on schnorr= sigs.

Consider changing the &= quot;e" term in the schnorr algorithm to hash of message (elligator st= yle) to the power of r, rather than using concatenation.=C2=A0=C2=A0

I don't think this changes the s= ecurity.=C2=A0 =C2=A0An attacker would need to know k to either way to comp= romise the private key.

= This would allow m of n devices to sign a transaction without any of them k= nowing a private key at all.

IE: each device can roll a random number as a share and the interpolat= ion of that is the private key.=C2=A0 =C2=A0

The public shares can be broadcast and combines.=C2=A0= And signature shares can be broadcast and combined.

The net result of this is it really possible f= or an arbitrary set of devices to create a perfectly secure public-private = key pair set.

At no poin= t was the private key anywhere.



--000000000000dec8a605707d9790--