Re: [bitcoin-dev] Multi party Schnorr Rust implementation

From: Omer Shlomovits <omer.shlomovits@gmail.com>
To: c1.bitcoin@niftybox.net
Cc: Morten Dahl <mortendahlcs@gmail.com>,
	bitcoin-dev@lists.linuxfoundation.org,
	Elichai Turkel <elichai.turkel@gmail.com>,
	Roman Zeyde <mail@romanzey.de>,
	Gary Benattar <g.benattar@gmail.com>
Subject: Re: [bitcoin-dev] Multi party Schnorr Rust implementation
Date: Wed, 28 Nov 2018 10:13:08 +0200	[thread overview]
Message-ID: <CALhDas1F6guAvPtTcSR+NJ+cybH-wcJu14ZmiQaSNX98OcWYBw@mail.gmail.com> (raw)
In-Reply-To: <CAB0O3SVjhXVV4PKYPh+2O4xZomcyT-T2Mis1A8riTtrnUUigig@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2908 bytes --]

Hi,

AFAIK, There is no way to do threshold signatures non-interactively for the
general case of t out of n. Even if you are willing to maintain additional
data structure on top of the standard and change verification algorithm
(see for example appendix B in [1] where they use bitmaps).

The best way that I came up with so far (which I plan to implement in the
library) is to take SS01 paper [2], this also the paper cited in
bip-schnorr [3], and to replace Pedersen VSS with Feldman VSS (Feldman VSS
implementation can be found in [4] ). Basically taking the DKG from GG18
without paillier and the dlog pok (threshold ecdsa paper [5]) and use it
for the threshold schnorr DKG and for the ephemeral key distributed
generation. This will cause the lost of Robustness but will be more
efficient.

Generally speaking - the purpose of using threshold security is to replace
hw security. The assumption is that you would rather trust that no more
than t out of n different machines will get corrupted at same time than to
trust one secure hardware. Maybe that relax a bit the demand for using air
gapped devices?

[1] https://docs.zilliqa.com/whitepaper.pdf
[2]
https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/provably_secure_distributed_schnorr_signatures_and_a_threshold_scheme.pdf
[3]
https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#multisignatures-and-threshold-signatures
[4]
https://github.com/KZen-networks/curv/tree/master/src/cryptographic_primitives/secret_sharing
[5] http://stevengoldfeder.com/papers/GG18.pdf

On Wed, Nov 28, 2018 at 8:33 AM Devrandom <c1.bitcoin@niftybox.net> wrote:

> Hi Omer,
>
> Are there any candidates for non-interactive threshold signatures?
> Interactive signatures are not very suitable for air-gapped use cases.
>
> On Tue, Nov 27, 2018 at 11:18 AM Omer Shlomovits via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hello all,
>>
>> I am working for the past few months with collaborators (in cc) on
>> providing Rust reference implementations to existing multi party schemes
>> for Schnorr signatures [1]. This includes aggregated signatures,
>> accountable signatures (which for n out of n are multi-signatures) and
>> threshold signatures (wip).
>> The project can be found here:
>> https://github.com/KZen-networks/multi-party-schnorr .
>> We aim that if the protocol is run in a configuration of a single party
>> it will be bip-schnorr [2] compliant.
>>
>> Hope you'll find it useful :)
>> Questions, suggestions and pull requests are welcome!
>>
>>
>> [1]
>> https://github.com/KZen-networks/multi-party-schnorr/tree/master/papers
>> [2] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>

[-- Attachment #2: Type: text/html, Size: 5000 bytes --]