Because it's non-interactive, this construction can produce multisig signatures offline. Each device produces a signature using it's own k-share and x-share. It's only necessary to interpolate M of n shares.
There are no round trips. The security is Shamir + discrete log. it's just something I've been tinkering with and I can't see an obvious problem. It's basically the same as schnorr, but you use a threshold hash to fix the need to be online. Just seems more useful to me. On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wui...@gmail.com> wrote: > On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> Pretty sure these non interactive sigs are more secure. >> > > Schnorr signatures are provably secure in the random oracle model assuming > the discrete logarithm problem is hard in the used group. > > What does "more secure" mean? Is your construction secure with weaker > assumptions? > > -- > Pieter > >
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
