I haven't come across this; it's really interesting.
It looks really useful and you can do multiple signatures corresponding to one public key and threshold signatures.
As far as I can see (if I understand it correctly), the main problem with this scheme for bitcoin applications is that the dealer who initializes the protocol knows the secret key s.
The dealer distributes shares of the key using a Shamir-type secret sharing scheme and then the players (or enough players to meet the threshold) can create nonces and signatures between themselves independently of the dealer. However, the dealer could spend the funds corresponding to the public key whenever he wants. I'm not sure if there's a way round this, but there might be.
I don't know if the Schnorr and other threshold signature schemes work this way, but I suspect they will.
The advantage of the above 2 of 2 method (if there are no mistakes 😊) is that both parties can be sure that nobody knows the secret key since it has been constructed using their secret values. You can only do one signature per address because the secret values create the nonce too, but I suppose that will discourage address reuse. 😊
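Editor's added example, not part of the original post or of the scheme's own code: a dealer-based Shamir sharing of a key s, showing that any threshold of players reconstructs exactly the value the dealer already holds. The function names `deal` and `reconstruct` are hypothetical, and using the secp256k1 group order as the field modulus is an assumption, since the post does not specify the field.

```python
import secrets

# Assumption: shares live in the field of secp256k1 private keys (group order).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def deal(secret, t, n):
    """Dealer side: hide `secret` as f(0) of a random degree t-1 polynomial.

    Returns {player_index: share}. The dealer necessarily sees `secret`.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t - 1)]
    shares = {}
    for x in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod N
            acc = (acc * x + c) % N
        shares[x] = acc
    return shares


def reconstruct(points):
    """Player side: Lagrange interpolation at x = 0 over {x: f(x)} points."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


if __name__ == "__main__":
    # Constructed sample run: 2-of-3 sharing of a dealer-generated key.
    s = secrets.randbelow(N - 1) + 1      # generated by the dealer, so known to him
    shares = deal(s, t=2, n=3)
    players_view = reconstruct({1: shares[1], 3: shares[3]})
    print("players recover dealer's key:", players_view == s)
    # Below the threshold, interpolation yields an unrelated value.
    print("one share alone reveals s:", reconstruct({2: shares[2]}) == s)
```

The sharing protects s from any group of fewer than t players, but not from the party who ran `deal`, which is the concern raised in the post.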