I do believe there is another parameter to take into account. The threshold sigs from the Princeton paper wants signer’s anonymity which I believe is not achieved in threshold Schnorr sigs.
> On 09 Mar 2015, at 22:21, Trevor Perrin <[email protected]> wrote: > > Some advances have been made on practical threshold ECDSA by Steven > Goldfeder et al: > > https://freedom-to-tinker.com/blog/stevenag/threshold-signatures-for-bitcoin-wallets-are-finally-here/ > http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf > > Is anyone able to breakdown how this compares to threshold Schnorr? > http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps > > In particular: Does Schnorr still hold an advantage in this area, or > has ECDSA closed the gap? What are the differences with respect to: > - trust assumptions (trusted setup, robustness to misbehaving parties) > - communication costs (in particular, # of rounds) > - computation costs > - implementation complexity > > > Trevor > _______________________________________________ > Curves mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/curves _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
