📅 Original date posted:2014-03-29 📝 Original message:On Saturday, 29 March ...

Matt Whitlock [ARCHIVE] /

npub17qx…pwet

2023-06-07 15:16:39

in reply to nevent1q…t7nf

📅 Original date posted:2014-03-29
📝 Original message:On Saturday, 29 March 2014, at 7:36 am, Gregory Maxwell wrote:
> On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <wbl at uchicago.edu> wrote:
> > This is not the case: one can use MPC techniques to compute a
> > signature from shares without reconstructing the private key. There is
> > a paper on this for bitcoin, but I don't know where it is.
>
> Practically speaking you cannot unless the technique used is one
> carefully selected to make it possible. This proposal isn't such a
> scheme I beleieve, however, and I think I'd strongly prefer that we
> BIP standardize a formulation which also has this property.

I too would prefer that, but I do not believe there exists a method for computing a traditional signature from decomposed private key shares. Unless I'm mistaken, the composed signature has a different formula and requires a different verification algorithm from the ECDSA signatures we're using today. Thus, such a scheme would require a change to the Bitcoin scripting language. I specifically did not want to address that in my BIP because changes like that take too long. I am aiming to be useful in the present.

Author Public Key

npub17qxssk9sj2r7jswvh3y32e7vwz7mcckhz33gk9nurdmw0lhsfkgswupwet

Seen on

wss://relay.noswhere.com

Show more details

Published at

2023-06-07 15:16:39

Kind type

1 Short Text Note

Event JSON

{ "id": "a9d4bdf78518ee1d075cd85ca207b9e9a960d409e63473f9e40d3f8caa5c9d76", "pubkey": "f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91", "created_at": 1686150999, "kind": 1, "tags": [ [ "e", "cd470d06d90a3107c21da4b48b344ebdd3b4ab813362bb85b0e7a02311012700", "", "root" ], [ "e", "372bae148496eae190c2d334550d48c80a545677d47bd2ba99ec5ac666c45610", "", "reply" ], [ "p", "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73" ] ], "content": "📅 Original date posted:2014-03-29\n📝 Original message:On Saturday, 29 March 2014, at 7:36 am, Gregory Maxwell wrote:\n\u003e On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd \u003cwbl at uchicago.edu\u003e wrote:\n\u003e \u003e This is not the case: one can use MPC techniques to compute a\n\u003e \u003e signature from shares without reconstructing the private key. There is\n\u003e \u003e a paper on this for bitcoin, but I don't know where it is.\n\u003e \n\u003e Practically speaking you cannot unless the technique used is one\n\u003e carefully selected to make it possible. This proposal isn't such a\n\u003e scheme I beleieve, however, and I think I'd strongly prefer that we\n\u003e BIP standardize a formulation which also has this property.\n\nI too would prefer that, but I do not believe there exists a method for computing a traditional signature from decomposed private key shares. Unless I'm mistaken, the composed signature has a different formula and requires a different verification algorithm from the ECDSA signatures we're using today. Thus, such a scheme would require a change to the Bitcoin scripting language. I specifically did not want to address that in my BIP because changes like that take too long. I am aiming to be useful in the present.", "sig": "7c7202b27790a98b40346fd6d7dcc7e321b96a596701b51c910114081e745e5ed0999da108345ab1755f84f6de2bcb02f64b953ca757d191f31c282d5189ba4a" }