Board: Development & Technical Discussion
Topic: Re: Protocol or Paper for Joint Random Secret Sharing (JRSS)...?
by Crowex on 11/03/2015, 12:04:20 UTC
The JRSS isn't for the signature itself, it's for deriving dealer-less shares of a random k value among the t-of-n participants without revealing k.  (And can also be used to create shares of a new random private key without a dealer and hence without anybody ever knowing the private key.)

Yes, I understand this.
I've looked a bit more and I'm still not clear on how they are constructing the t of n threshold scheme.

In their scheme the private key must be multiplicatively shared and they mention the secret sharing scheme used by MacKenzie and Reiter. Have a look at Appendix A here https://www.cs.unc.edu/~reiter/papers/2004/IJIS.pdf
That’s just for the two party case!

 As far as I understand the JRSS protocol doesn’t provide multiplicative sharing and isn’t suitable in this case.

 Their scheme works for t of t signers and then is extended to t of n signers.
 With the t of t case all of the signers hold a share of the secret that can be multiplied together to give the entire secret and they must all participate in the signing process.

 To extend this to a t of n case they must make sure that each and all of the possible subsets of t signers hold the same multiplicative secret. I can see how this could possibly be done with a dealer but I can’t understand how it is done without a dealer.

 Of course this could just be due to my lack of understanding but I reserve the right to keep asking stupid questions in order to try and improve my understanding. :)
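The two kinds of sharing contrasted in this post, as an added example that is not part of the original post and is not the construction from the paper under discussion: dealer-less polynomial (JRSS-style) shares, which any t of n participants can interpolate, next to t-of-t multiplicative shares, which need every share. The function names and the 3-of-5 parameters are assumptions, and the sketch assumes honest participants (no commitments or share verification).

```python
import secrets
from math import prod

# Order of the secp256k1 group; all share arithmetic is done mod Q.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest degree first) at x, mod Q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def jrss(n, t):
    """Dealer-less sharing: every player deals its own random degree t-1
    polynomial and player j sums the values it receives at x=j.
    The joint secret is returned only so the demo can check reconstruction."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(poly_eval(p, j) for p in polys) % Q for j in range(1, n + 1)}
    secret = sum(p[0] for p in polys) % Q
    return shares, secret

def lagrange_at_zero(points):
    """Interpolate the shared polynomial at x=0 from {index: share} points."""
    total = 0
    for i, y in points.items():
        num = prod(-j for j in points if j != i) % Q
        den = prod(i - j for j in points if j != i) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def mult_share(secret, t):
    """t-of-t multiplicative sharing: the product of all t shares is the secret."""
    parts = [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    last = secret * pow(prod(parts) % Q, -1, Q) % Q
    return parts + [last]

def demo(n=5, t=3):
    shares, k = jrss(n, t)
    # Two different t-subsets of the n players interpolate to the same value.
    a = lagrange_at_zero({j: shares[j] for j in (1, 2, 3)})
    b = lagrange_at_zero({j: shares[j] for j in (2, 4, 5)})
    m = mult_share(k, t)
    # Multiplicative shares: all t are needed, t-1 of them give a wrong value.
    return a == k and b == k, prod(m) % Q == k, prod(m[:-1]) % Q == k
```

The polynomial shares combine additively through Lagrange coefficients, so they do not by themselves give each t-subset a multiplicative sharing of the same secret, which is the gap the post asks about.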