1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
|
Return-Path: <omer.shlomovits@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 9566887A
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 28 Nov 2018 08:13:21 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-oi1-f182.google.com (mail-oi1-f182.google.com
[209.85.167.182])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C9F8F19B
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 28 Nov 2018 08:13:20 +0000 (UTC)
Received: by mail-oi1-f182.google.com with SMTP id y23so21832243oia.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 28 Nov 2018 00:13:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=dUhyOnkTjXXVVJlnaB1wqKr7wWzV5l7NcUEscqDsjTY=;
b=uGb5e5EoXAUCJPtgLsAIof3DxXPiPGZIX7lT6koNXsAMUlVUR8YJNXdTVQGko025V1
AnsagGGUg2m7K9/JiYU2Qoi38jXNl7Z0kZ4b2a//1D5W89ZLbOq5Eyhf26m9E0fr97Y7
me6lIgk4CujRb7bh5NuC72ARDRJkuteOJ6RFLChHucxDJXV3HMzCd8b0SRUoL3BJ3Wuc
6QDs/epb15IbqCy2L621bPPQK/4YgreVoLJWgrYJJU+8UUA/HzD2EGJUanNeSFGED6Gm
auoa5pP0Ej99tD0ufoeJ86yLMTbPXT8i180HkXADJg9BBapCnyg00sRbk3wAJBFS/2bQ
Zyvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=dUhyOnkTjXXVVJlnaB1wqKr7wWzV5l7NcUEscqDsjTY=;
b=A5atmow1xYmSW8O4XXqsju6pYogXYt0Y/NWIUvHIUNF6BPlFmqcES8yoH1JENnq956
TQBkleIzNgmXZu4nDLhq5g4XbuNr4sfkV/71m9W3FzdEa8WvWDO+HAOyNkPcSzm71jlL
+H+P0BnmjO0bVKXpjA6rSX+ZGNB3S9CIGz4KSEpx7NO2ssGZAsv1VTUnMthDvjxUDgyt
/E4AHsAlRLQRrGqikIa8L8CRBhUkDowT5MGgpQ5Dr08NkOnLJMCwHLuLsr+zuiBNJRnI
zml7k/tggB4vlCizC4AsLPgW1gDIsmf+YFuvfdDFyM3W/V4TcuHKgSvz03NichyH/DOc
l4EQ==
X-Gm-Message-State: AGRZ1gKL7qjCpq19uF+qCAi0xA5j2S8x6yPWtTusHu2US8y9xOO5u8bY
OK/te8dMMFEUdApebDyvkDbplZxD1tBI8L2/NWM=
X-Google-Smtp-Source: AJdET5fgkLQw6S+0y/AVdQkUNMh/ciDGymUlQv1v7EbochIdthdSe+OlXqCj8hHUYcLBHD5jAcKS23VkTuu7Wr0Kw1U=
X-Received: by 2002:aca:4c02:: with SMTP id z2mr19012302oia.318.1543392800033;
Wed, 28 Nov 2018 00:13:20 -0800 (PST)
MIME-Version: 1.0
References: <CALhDas2W5QEPmw8JEgak0zf7y3N0UFTiMVk-djR8x9_WYZiyfQ@mail.gmail.com>
<CAB0O3SVjhXVV4PKYPh+2O4xZomcyT-T2Mis1A8riTtrnUUigig@mail.gmail.com>
In-Reply-To: <CAB0O3SVjhXVV4PKYPh+2O4xZomcyT-T2Mis1A8riTtrnUUigig@mail.gmail.com>
From: Omer Shlomovits <omer.shlomovits@gmail.com>
Date: Wed, 28 Nov 2018 10:13:08 +0200
Message-ID: <CALhDas1F6guAvPtTcSR+NJ+cybH-wcJu14ZmiQaSNX98OcWYBw@mail.gmail.com>
To: c1.bitcoin@niftybox.net
Content-Type: multipart/alternative; boundary="000000000000984f29057bb523b7"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 28 Nov 2018 08:18:25 +0000
Cc: Morten Dahl <mortendahlcs@gmail.com>, bitcoin-dev@lists.linuxfoundation.org,
Elichai Turkel <elichai.turkel@gmail.com>, Roman Zeyde <mail@romanzey.de>,
Gary Benattar <g.benattar@gmail.com>
Subject: Re: [bitcoin-dev] Multi party Schnorr Rust implementation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2018 08:13:21 -0000
--000000000000984f29057bb523b7
Content-Type: text/plain; charset="UTF-8"
Hi,
AFAIK, There is no way to do threshold signatures non-interactively for the
general case of t out of n. Even if you are willing to maintain additional
data structure on top of the standard and change verification algorithm
(see for example appendix B in [1] where they use bitmaps).
The best way that I came up with so far (which I plan to implement in the
library) is to take SS01 paper [2], this also the paper cited in
bip-schnorr [3], and to replace Pedersen VSS with Feldman VSS (Feldman VSS
implementation can be found in [4] ). Basically taking the DKG from GG18
without paillier and the dlog pok (threshold ecdsa paper [5]) and use it
for the threshold schnorr DKG and for the ephemeral key distributed
generation. This will cause the lost of Robustness but will be more
efficient.
Generally speaking - the purpose of using threshold security is to replace
hw security. The assumption is that you would rather trust that no more
than t out of n different machines will get corrupted at same time than to
trust one secure hardware. Maybe that relax a bit the demand for using air
gapped devices?
[1] https://docs.zilliqa.com/whitepaper.pdf
[2]
https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/provably_secure_distributed_schnorr_signatures_and_a_threshold_scheme.pdf
[3]
https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#multisignatures-and-threshold-signatures
[4]
https://github.com/KZen-networks/curv/tree/master/src/cryptographic_primitives/secret_sharing
[5] http://stevengoldfeder.com/papers/GG18.pdf
On Wed, Nov 28, 2018 at 8:33 AM Devrandom <c1.bitcoin@niftybox.net> wrote:
> Hi Omer,
>
> Are there any candidates for non-interactive threshold signatures?
> Interactive signatures are not very suitable for air-gapped use cases.
>
> On Tue, Nov 27, 2018 at 11:18 AM Omer Shlomovits via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hello all,
>>
>> I am working for the past few months with collaborators (in cc) on
>> providing Rust reference implementations to existing multi party schemes
>> for Schnorr signatures [1]. This includes aggregated signatures,
>> accountable signatures (which for n out of n are multi-signatures) and
>> threshold signatures (wip).
>> The project can be found here:
>> https://github.com/KZen-networks/multi-party-schnorr .
>> We aim that if the protocol is run in a configuration of a single party
>> it will be bip-schnorr [2] compliant.
>>
>> Hope you'll find it useful :)
>> Questions, suggestions and pull requests are welcome!
>>
>>
>> [1]
>> https://github.com/KZen-networks/multi-party-schnorr/tree/master/papers
>> [2] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
--000000000000984f29057bb523b7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div di=
r=3D"ltr"><div dir=3D"ltr">Hi,=C2=A0<div><br></div><div>AFAIK, There is no =
way to do threshold signatures non-interactively for the general case of t =
out of n. Even if you are willing to maintain additional data structure on =
top of the standard and change verification algorithm (see for example appe=
ndix B in [1] where they use bitmaps).</div><div>=C2=A0</div><div>The best =
way that I came up with so far (which I plan to implement in the library) i=
s to take SS01 paper [2], this also the paper cited in bip-schnorr [3], and=
to replace Pedersen VSS with Feldman VSS (Feldman VSS implementation can b=
e found in [4] ). Basically taking the DKG from GG18 without paillier and t=
he dlog pok (threshold ecdsa paper [5]) and use it for the threshold schnor=
r DKG and for the ephemeral key distributed generation. This will cause the=
lost of Robustness but will be more efficient.</div><div><br></div><div>Ge=
nerally speaking - the purpose of using threshold security is to replace hw=
security. The assumption is that you would rather trust that no more than =
t out of n different machines will get corrupted at same time than to trust=
one secure hardware. Maybe that relax a bit the demand for using air gappe=
d devices?=C2=A0</div><div><br></div><div><br></div><div>[1]=C2=A0<a href=
=3D"https://docs.zilliqa.com/whitepaper.pdf">https://docs.zilliqa.com/white=
paper.pdf</a></div><div>[2]=C2=A0<a href=3D"https://github.com/KZen-network=
s/multi-party-schnorr/blob/master/papers/provably_secure_distributed_schnor=
r_signatures_and_a_threshold_scheme.pdf">https://github.com/KZen-networks/m=
ulti-party-schnorr/blob/master/papers/provably_secure_distributed_schnorr_s=
ignatures_and_a_threshold_scheme.pdf</a></div><div>[3]=C2=A0<a href=3D"http=
s://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#multisignat=
ures-and-threshold-signatures">https://github.com/sipa/bips/blob/bip-schnor=
r/bip-schnorr.mediawiki#multisignatures-and-threshold-signatures</a><br></d=
iv><div>[4] <a href=3D"https://github.com/KZen-networks/curv/tree/master/sr=
c/cryptographic_primitives/secret_sharing">https://github.com/KZen-networks=
/curv/tree/master/src/cryptographic_primitives/secret_sharing</a></div><div=
>[5]=C2=A0<a href=3D"http://stevengoldfeder.com/papers/GG18.pdf">http://ste=
vengoldfeder.com/papers/GG18.pdf</a></div></div></div></div></div></div></d=
iv><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Wed, Nov 28, 2018 at =
8:33 AM Devrandom <<a href=3D"mailto:c1.bitcoin@niftybox.net">c1.bitcoin=
@niftybox.net</a>> wrote:<br></div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div d=
ir=3D"ltr"><div>Hi Omer,</div><div><br></div>Are there any candidates for n=
on-interactive threshold signatures?=C2=A0 Interactive signatures are not v=
ery suitable for air-gapped use cases.<br><br><div class=3D"gmail_quote"><d=
iv dir=3D"ltr">On Tue, Nov 27, 2018 at 11:18 AM Omer Shlomovits via bitcoin=
-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D=
"_blank">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"lt=
r"><div dir=3D"ltr">Hello all,<div><br></div><div>I am working for the past=
few months with collaborators (in cc) on providing Rust reference implemen=
tations to existing multi party schemes for Schnorr signatures [1]. This in=
cludes aggregated signatures, accountable signatures (which for n out of n =
are multi-signatures) and threshold signatures (wip).=C2=A0</div><div>The p=
roject can be found here:=C2=A0<a href=3D"https://github.com/KZen-networks/=
multi-party-schnorr" target=3D"_blank">https://github.com/KZen-networks/mul=
ti-party-schnorr</a> .=C2=A0</div><div>We aim that if the protocol is run i=
n a configuration of a single party it will be bip-schnorr [2] compliant.=
=C2=A0</div><div><br></div><div><font face=3D"arial, helvetica, sans-serif"=
><span style=3D"color:rgb(0,0,0)">Hope you'll find it useful :)</span><=
br style=3D"color:rgb(0,0,0)"><span style=3D"color:rgb(0,0,0)">Questions, s=
uggestions and pull requests are welcome!</span></font><br></div><div><br><=
/div><div><br></div><div>[1]=C2=A0<a href=3D"https://github.com/KZen-networ=
ks/multi-party-schnorr/tree/master/papers" target=3D"_blank">https://github=
.com/KZen-networks/multi-party-schnorr/tree/master/papers</a></div><div>[2]=
=C2=A0<a href=3D"https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.=
mediawiki" target=3D"_blank">https://github.com/sipa/bips/blob/bip-schnorr/=
bip-schnorr.mediawiki</a></div></div></div></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>
</blockquote></div>
--000000000000984f29057bb523b7--
|
