On Fri, Mar 28, 2014 at 6:14 PM, Trevor Perrin <[email protected]> wrote: > https://freedom-to-tinker.com/blog/stevenag/new-research-better-wallet-security-for-bitcoin/ > http://www.cs.princeton.edu/~stevenag/bitcoin_threshold_signatures.pdf > > Apparently based on this: > > http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.67.9913 > > I'd be interested to hear how the state-of-the-art in threshold-ECDSA > compares to threshold-Schnorr, if anyone knows.
Threshold Schnorr requires computing only a multiplication and an addition. As a result you don't need special tricks: if you have k people out of n who can get the key, 2k-1 can compute the shares of the signature value and reconstruct in the usual manner. This way avoids the inversion and degree reduction protocols entirely. Sincerely, Watson Ladd > > > Trevor > _______________________________________________ > Curves mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/curves -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
