Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted:2014-03-29
📝 Original message:On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <wbl at uchicago.edu> wrote:
> This is not the case: one can use MPC techniques to compute a
> signature from shares without reconstructing the private key. There is
> a paper on this for bitcoin, but I don't know where it is.
Practically speaking you cannot unless the technique used is one
carefully selected to make it possible. This proposal isn't such a
scheme I believe, however, and I think I'd strongly prefer that we
BIP standardize a formulation which also has this property.

The paper you want is
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.67.9913

There will soon be a paper coming out from some Princeton folks about
refining that and applying it to Bitcoin.

You can use the secret sharing from threshold ECDSA in the
not-super-useful way where you just recombine the private key and
sign... but you can also use it to compute a secret shared signature
and then interpolate back the signature... avoiding the need for any
trusted device in holding the signature.