On Mon, Aug 12, 2019 at 09:09:43PM -0500, Bryan Bishop wrote:
> > > Multisig gated by ECDSA pubkey recovery for provably-unknown keys
> > > =================================================================
> > >
> > > A group can participate in a multisig scheme with provably-unknown ECDSA keys.
> > > Instead of deleting the key, the idea is to agree on a blockheight and then
> > > select the blockhash (or some function of the chosen blockhash like
> > > H(H(H(blockhash)))) as the signature. Next, the group agrees on a transaction
> > > and they recover the public key from the signature using ECDSA pubkey recovery.
> >
> > Could you explain in more detail why you're deriving this from a blockhash?
> >
> Well you need to pick an entropy source, and I wouldn't want to tell people
> to just trust the first party to tell you a good sequence of bytes.

But why does this specifically need to be entropy?

If I understand the scheme correctly, the important thing is for the ECDSA
private key to be unknown. Under the standard assumption that hash functions
are random oracles, hashing anything should be sufficient to create a pubkey
whose private key is unknown.

Secondly, there's probably slightly better privacy if a random nonce is chosen
(perhaps by concatenating a nonce from each party) rather than picking pubkeys
unique to this use-case.

https://petertodd.org 'peter'[:-1]@petertodd.org


bitcoin-dev mailing list
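The construction discussed in this thread, as an added example that is not code from the thread or its authors: a signature (r, s) is hashed out of public data, here the per-party nonces suggested in the reply, and the public key is then recovered for the agreed transaction hash on secp256k1. The domain tags `b"r"`/`b"s"`, the retry counter, the even-y choice for R, and the nonce and transaction bytes are assumptions constructed for illustration.

```python
import hashlib

# secp256k1 parameters; None stands for the point at infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sig_from_seed(seed):
    """Hash public data into (r, s, R), retrying until r is an x coordinate on the curve."""
    for ctr in range(2**32):
        r, s = (int.from_bytes(hashlib.sha256(t + ctr.to_bytes(4, "big") + seed).digest(), "big")
                for t in (b"r", b"s"))
        y = pow(r**3 + 7, (P + 1) // 4, P)  # square-root candidate, valid since P % 4 == 3
        if 0 < r < N and 0 < s < N and (y * y - r**3 - 7) % P == 0:
            return r, s, (r, y if y % 2 == 0 else P - y)  # even y by convention

def recover(r, s, R, z):
    """Q = r^-1 (s*R - z*G): the key, for this choice of R, under which (r, s) verifies for z."""
    zG = mul(z % N, G)
    return mul(pow(r, -1, N), add(mul(s, R), (zG[0], -zG[1] % P)))

def verify(Q, z, r, s):
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

# Constructed sample inputs: one nonce per party and a stand-in for the agreed transaction.
SEED = b"nonce-from-alice" + b"nonce-from-bob"
Z = int.from_bytes(hashlib.sha256(b"constructed transaction bytes").digest(), "big")
```

The recovered key depends on the transaction hash, so the same (r, s) recovers a different key for any other transaction and does not verify for it under the first key.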
