Return-Path: <earonesty@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id C3E1FC9D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Jul 2018 04:29:16 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 27C496B7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Jul 2018 04:29:16 +0000 (UTC)
Received: by mail-wm0-f53.google.com with SMTP id b188-v6so19689946wme.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 08 Jul 2018 21:29:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=q32-com.20150623.gappssmtp.com; s=20150623;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to
	:cc; bh=7YfklWB3ZZHEi+xdX6Czz92r3xymD4kjh2XuHcMTM6s=;
	b=h17snO8IS5viB7SHRt5RMuGuF5LQAhs0QgW2J2BuNsNjlk0W5ZCp00pbHHZXVpjtxz
	/w2bgsuE/m3osgO4jX9i7RNd0FcehG6Z6bGbMwWYjNNQbCfkY/WsaUts0sbt6ckeCHrf
	bPbprh0XmIMPeTVFKilCfY0usX2bX8SSbR0ezU/KKJvhf9o7uDfOv+rp8H10beNdbRw7
	ueR1V6eBphn7Yzakx8ziT2+VRip93jK29pQnKQulKrailc2ZXBx4FE5Q5Q3wjxqEKyOr
	9AfU3MwiyYD8n1d+sd9f/Ds7L75QrjSNVSVX+r840ucbtGc8hOHyj6vN2LtI74iw900D
	SJXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:cc;
	bh=7YfklWB3ZZHEi+xdX6Czz92r3xymD4kjh2XuHcMTM6s=;
	b=MbQK/t1R7Fqa4dLKj8lshlnWTV7saM+Lom2BCLH1Rby1YWcQcSfTVRyOlbx9KVMPOZ
	Baoh/2JijGD6FYcBxseEtCGDC721QbH/QRjbUrm740pwCyA8CfQIqm4III5Vwlo/I8zo
	ypuPPw0Zqb8KMzS/UCNWRD1Tr9E3pSXw7Phntbclsk/vA598TCEQa/c1tu/rSpC5v3qD
	yBUFi9dbjn+81+Y+yMz4QpE00D7Q7hTQ9KmSyaW4rg9lgnt1lcH7jnOB30LJvnc2BZvv
	8xRXTrBJMXwSJIDgwDxfXn3mcpRoLEGJaLIx7VZGCfjFUxtLYwkJ9swFtGmajYqi4afT
	rlHA==
X-Gm-Message-State: APt69E27RxFZ6iFqDzerXI13VOa+YsjSZ/PqD5ogGN9Kj9WX7E9BVYFT
	EpBr3h57J0jkF0Fv9nXW0L+Sttus/pff/2ykna4NV3Y=
X-Google-Smtp-Source: AAOMgpfQvaGctDtsw7fdgBI9RKAYvFM/eLbzKT2AkgATIyYm5oCu2wR/FfMi4TVgVkvmgyh6jcf6Y3/CXNFLoQbCUhQ=
X-Received: by 2002:a1c:cf81:: with SMTP id
	f123-v6mr11811407wmg.3.1531110554679; 
	Sun, 08 Jul 2018 21:29:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
	<08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de>
	<CAAS2fgSPUc7xRq36rZ9BVLjUTdd152Fgho4sjJXLhfrc71vPMw@mail.gmail.com>
	<CAJowKgL-nRcruXhWdGWrT4x+oV7i3jYST2Wa3bF5m6iT_mOyMw@mail.gmail.com>
	<CAPg+sBjdu4mnda-P0y7Ddu-rN7a1GiUt0hY_wYGsy_bJLKOYMA@mail.gmail.com>
In-Reply-To: <CAPg+sBjdu4mnda-P0y7Ddu-rN7a1GiUt0hY_wYGsy_bJLKOYMA@mail.gmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Mon, 9 Jul 2018 00:29:02 -0400
Message-ID: <CAJowKgLSQZ1LrZayDi7EFc-NSfK_AD+zBdyaF7jBeQRP7tOwYQ@mail.gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b940aa0570897413"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 09 Jul 2018 15:04:57 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 04:29:16 -0000

--000000000000b940aa0570897413
Content-Type: text/plain; charset="UTF-8"

Because it's non-interactive, this construction can produce multisig
signatures offline.   Each device produces a signature using it's own
k-share and x-share.   It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.

it's just something I've been tinkering with and I can't see an obvious
problem.

It's basically the same as schnorr, but you use a threshold hash to fix the
need to be online.

Just seems more useful to me.


On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille@gmail.com> wrote:

> On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Pretty sure these non interactive sigs are more secure.
>>
>
> Schnorr signatures are provably secure in the random oracle model assuming
> the discrete logarithm problem is hard in the used group.
>
> What does "more secure" mean? Is your construction secure with weaker
> assumptions?
>
> --
> Pieter
>
>

--000000000000b940aa0570897413
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Because it&#39;s non-interactive, this construction can p=
roduce multisig signatures offline.=C2=A0 =C2=A0Each device produces a sign=
ature using it&#39;s own k-share and x-share.=C2=A0 =C2=A0It&#39;s only nec=
essary to interpolate M of n shares.<div dir=3D"auto"><br></div><div dir=3D=
"auto">There are no round trips.<br><div dir=3D"auto"><br></div><div dir=3D=
"auto">The security is Shamir + discrete log.=C2=A0=C2=A0</div><div dir=3D"=
auto"><div dir=3D"auto"><br></div><div dir=3D"auto">it&#39;s just something=
 I&#39;ve been tinkering with and I can&#39;t see an obvious problem.=C2=A0=
=C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">It&#39;s basicall=
y the same as schnorr, but you use a threshold hash to fix the need to be o=
nline.</div><div dir=3D"auto"><br></div><div dir=3D"auto">Just seems more u=
seful to me.</div><div dir=3D"auto"><br></div></div></div></div><br><div cl=
ass=3D"gmail_quote"><div dir=3D"ltr">On Sun, Jul 8, 2018, 10:33 PM Pieter W=
uille &lt;<a href=3D"mailto:pieter.wuille@gmail.com">pieter.wuille@gmail.co=
m</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin=
:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"auto">=
<div class=3D"gmail_quote" dir=3D"auto"><div dir=3D"ltr">On Sun, Jul 8, 201=
8, 19:23 Erik Aronesty via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@li=
sts.linuxfoundation.org" target=3D"_blank" rel=3D"noreferrer">bitcoin-dev@l=
ists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail=
_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:=
1ex"><div dir=3D"auto">Pretty sure these non interactive sigs are more secu=
re.</div></blockquote></div><div dir=3D"auto"><br></div><div dir=3D"auto">S=
chnorr signatures are provably secure in the random oracle model assuming t=
he discrete logarithm problem is hard in the used group.</div><div dir=3D"a=
uto"><br></div><div dir=3D"auto">What does &quot;more secure&quot; mean? Is=
 your construction secure with weaker assumptions?</div><div dir=3D"auto"><=
br></div><div dir=3D"auto">--=C2=A0</div><div dir=3D"auto">Pieter</div><div=
 dir=3D"auto"><br></div><div class=3D"gmail_quote" dir=3D"auto"><blockquote=
 class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc soli=
d;padding-left:1ex">
</blockquote></div></div>
</blockquote></div>

--000000000000b940aa0570897413--