📅 Original date posted:2018-07-09 📝 Original message:Because it's ...

Erik Aronesty [ARCHIVE] /

npub1y22…taj0

2023-06-07 18:13:41

in reply to nevent1q…w5lj

📅 Original date posted:2018-07-09
📝 Original message:Because it's non-interactive, this construction can produce multisig
signatures offline. Each device produces a signature using it's own
k-share and x-share. It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.

it's just something I've been tinkering with and I can't see an obvious
problem.

It's basically the same as schnorr, but you use a threshold hash to fix the
need to be online.

Just seems more useful to me.

On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille at gmail.com> wrote:

> On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>> Pretty sure these non interactive sigs are more secure.
>>
>
> Schnorr signatures are provably secure in the random oracle model assuming
> the discrete logarithm problem is hard in the used group.
>
> What does "more secure" mean? Is your construction secure with weaker
> assumptions?
>
> --
> Pieter
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180709/364d4561/attachment.html>;

Author Public Key

npub1y22yec0znyzw8qndy5qn5c2wgejkj0k9zsqra7kvrd6cd6896z4qm5taj0

Show more details

Published at

2023-06-07 18:13:41

Kind type

1 Short Text Note

Event JSON

{ "id": "bb686046e2f2be30699366ee1715c6cec0ad3aab5ce301afeedf94ba8087f95b", "pubkey": "22944ce1e29904e3826d25013a614e4665693ec514003efacc1b7586e8e5d0aa", "created_at": 1686161621, "kind": 1, "tags": [ [ "e", "5913947cd80c78b94322af07aff87080ecda6ad2abd7e1bd4a8b9634dfe27fca", "", "root" ], [ "e", "ffaeaf4e5fead0c3f73f287797713b1a5e692bbbb9dfefa809381690093baa63", "", "reply" ], [ "p", "5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6" ] ], "content": "📅 Original date posted:2018-07-09\n📝 Original message:Because it's non-interactive, this construction can produce multisig\nsignatures offline. Each device produces a signature using it's own\nk-share and x-share. It's only necessary to interpolate M of n shares.\n\nThere are no round trips.\n\nThe security is Shamir + discrete log.\n\nit's just something I've been tinkering with and I can't see an obvious\nproblem.\n\nIt's basically the same as schnorr, but you use a threshold hash to fix the\nneed to be online.\n\nJust seems more useful to me.\n\n\nOn Sun, Jul 8, 2018, 10:33 PM Pieter Wuille \u003cpieter.wuille at gmail.com\u003e wrote:\n\n\u003e On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\u003e Pretty sure these non interactive sigs are more secure.\n\u003e\u003e\n\u003e\n\u003e Schnorr signatures are provably secure in the random oracle model assuming\n\u003e the discrete logarithm problem is hard in the used group.\n\u003e\n\u003e What does \"more secure\" mean? Is your construction secure with weaker\n\u003e assumptions?\n\u003e\n\u003e --\n\u003e Pieter\n\u003e\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180709/364d4561/attachment.html\u003e", "sig": "95b88e2a73b8bdbfa66525c80a38bfc076b27aa3987b129464875623d4f8c7180a26a15105b1166751dabaec87fe589adc541938bbdf5d47d0fe24dc82091934" }