Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 6D96ACD7 for ; Sun, 8 Jul 2018 15:16:39 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.mailbox.org (mx1.mailbox.org [80.241.60.212]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A1B99FC for ; Sun, 8 Jul 2018 15:16:38 +0000 (UTC) Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id 0337F40CC2 for ; Sun, 8 Jul 2018 17:16:36 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by gerste.heinlein-support.de (gerste.heinlein-support.de [91.198.250.173]) (amavisd-new, port 10030) with ESMTP id UI4s6NkJH546 for ; Sun, 8 Jul 2018 17:16:35 +0200 (CEST) Message-ID: <08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de> From: Tim Ruffing To: bitcoin-dev@lists.linuxfoundation.org Date: Sun, 08 Jul 2018 17:16:34 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 08 Jul 2018 15:31:10 +0000 Subject: Re: [bitcoin-dev] Multiparty signatures X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Jul 2018 15:16:39 -0000 Hi Erik, On Sun, 2018-07-08 at 10:19 -0400, Erik Aronesty via bitcoin-dev wrote: > Consider changing the "e" term in the schnorr algorithm to hash of > message (elligator style) to the power of r, rather than using > concatenation. How do you compute s = x*e if e is an element of group G? (Similar question: How do you verify if e is element of G?) Are you aware of http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps ? This is a threshold signature scheme for Schnorr signatures, so what you want is possible already with Schnorr signatures. Best, Tim