From: Erik Aronesty <erik@q32.com>
Date: Wed, 25 Jul 2018 22:05:05 -0400
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures

Also we don't need any new opcodes to support this. Done right this could literally go out into clients immediately.

On Fri, Jul 20, 2018, 4:18 PM Erik Aronesty <erik@q32.com> wrote:

> Sorry there were typos:
>
> - Using MuSig's solution for the blinding factor (e)
> - Using interpolation to enhance MuSig to be M of N instead of M of M
>
> References:
>
> - MuSig https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
> - HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1 and 7.4)
>
> Each party:
>
> 1. Publishes public key G*xi, G*ki, where ki is a random nonce
> 2. Xi = H(G*xi) ... Xi is the party's x coordinate, for the purposes of interpolation
> 3. R = G*k = via interpolation of r1=Gk1, r2=Gk2... (see HomPrf)
> 4. L = H(X1,X2,…) (see MuSig)
> 5. X = sum of all H(L,Xi)Xi (see MuSig)
> 6. Computes e = H(R | M | X) .... standard Schnorr e... not a share
> 7. Computes si = ki*e + xi*e ... where si is a "share" of the sig, and xi is the private data, and e is the blinding factor
> 8. Publishes (si, e) as the share sig
>
> If an attacker has multiple devices, e is safe, because of the MuSig construction.
>
> But what protects k from the same multiparty birthday attack?
>
> If an attacker has multiple devices, by carefully controlling the selection of private keys, the attacker can try to solve the polynomial equation to force the selection of a "known k".
>
> A "known k" would allow an attacker to sign messages on his own.
>
> To fix this, we need to somehow "blind k as well".
>
> Does this work?
>
> The revision below seems to solve this problem.
>
> 1. Publishes public key G*xi, G*ki, where ki is a random nonce
> 2. Xi = H(G*xi) ... Xi is the party's x coordinate, for the purposes of interpolation
> 3. R = G*k = via interpolation of r1=Gk1, r2=Gk2... (see HomPrf)
> 4. L = H(X1,X2,…) (see MuSig)
> 5. L2 = H2(XN,XN-1,…) (see MuSig... H2 is a "second hash")
> 6. X = sum of all H(L,Xi)Xi (see MuSig)
> 7. Computes e = H(R | M | X) .... standard Schnorr e... not a share
> 8. Computes e2 = H(R | M | X2) ... a second blinding factor
> 9. Computes si = ki*e2 + xi*e ... where si is a "share" of the sig, and xi is the private data, and e, e2 are blinding factors
> 10. Publishes (si, e, e2) as the share sig
>
> The final signature is computed via interpolation, and e2 can be subtracted to recover a "normal" Schnorr sig for the set of participants.
>
> Now there's no mechanism for a birthday attack on k.
>
> On Fri, Jul 20, 2018 at 1:34 PM, Erik Aronesty <erik@q32.com> wrote:
>
>> Hi, thanks for all the help. I'm going to summarize again, and see if we've arrived at the correct solution for an M of N "single sig" extension of MuSig, which I think we have.
>>
>> - Using MuSig's solution for the blinding to solve the Wagner attack
>> - Using interpolation to enhance MuSig to be M of N instead of M of M
>>
>> References:
>>
>> - MuSig https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
>> - HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1 and 7.4)
>>
>> Each party:
>>
>> 1. Publishes public key G*xi
>> 2. Xi = H(G*xi) ... Xi is the party's x coordinate, for the purposes of interpolation
>> 3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)
>> 4. L = H(X1,X2,…) (see MuSig)
>> 5. X = sum of all H(L,Xi)Xi (see MuSig)
>> 6. Computes e = H(r | M | X) .... standard Schnorr e... not a share
>> 7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is the private data
>> 8. Publishes (si, e, G*Xi)
>>
>> Any party can then derive s from m of n shares, by interpolating, not adding.