Author: Dan Robinson 2018-07-09 15:57:07
Published on: 2018-07-09T15:57:07+00:00
A proposed non-interactive multisig scheme based on threshold hash and Shamir polynomial interpolation was discussed on the bitcoin-dev mailing list. In the scheme, each party holds a public key g*x', where x' is its private key, and rolls a random k' to compute r' = g*k'. The share r' is broadcast, and Lagrange interpolation across the broadcast shares yields g*k; each party then computes e' = H(M) * r' and s' = k'-x*e'. The party's signature share is (s', e'). Verification is the same as for Schnorr, but only after interpolation has produced the needed (s, e, g*x) from the shares of s', e' and g*x'. The security assumption is that H(M) * r reveals no information about k, which rests on the same discrete-logarithm assumption as Bitcoin itself. The scheme has fewer moving parts than MuSig and may have a smaller attack surface, because it combines shares by Shamir interpolation rather than additively. While the proposal seems useful, a complete writeup is needed before it can be considered for inclusion in Bitcoin.
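As an added illustration (not code from the thread or its author), the following Python sketch carries the share-and-interpolate flow described above through a toy Schnorr group: nonce points r' are interpolated to get g*k, partial s' values are combined the same way, and the result is checked with the ordinary single-key Schnorr equation. It assumes a dealer hands out the key shares, a small prime-order group in place of secp256k1, and the standard Schnorr challenge e = H(R || M) rather than the thread's H(M) * r'; all constants and names are constructed for the example.

```python
import hashlib
import secrets
# Toy group (constructed): p = 2q+1, q prime, g of order q; the thread's additive "g*x"
# is pow(G, x, P) here.  Any T of the N key shares may sign.
P, Q, G, T, N = 1019, 509, 4, 2, 3

def lagrange_coeff(i, idx):
    """Lagrange coefficient of index i for evaluating the polynomial at 0, mod Q."""
    num = den = 1
    for j in idx:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def shamir_share(secret, t, n):
    """Dealer-style split (assumed for the demo): n points on a random degree t-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def interp_scalar(shares):
    """{index: f(index)} -> f(0) for scalar shares."""
    return sum(v * lagrange_coeff(i, shares) for i, v in shares.items()) % Q

def interp_point(shares):
    """The same interpolation done in the exponent: {index: g^f(index)} -> g^f(0)."""
    out = 1
    for i, v in shares.items():
        out = out * pow(v, lagrange_coeff(i, shares), P) % P
    return out

def challenge(R, msg):
    """Standard Schnorr challenge e = H(R || M) mod Q (an assumption; the thread uses H(M) * r')."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + msg).digest(), "big") % Q

def schnorr_verify(pub, msg, R, s):
    """Ordinary single-key Schnorr check: g^s * pub^e == R."""
    return pow(G, s, P) * pow(pub, challenge(R, msg), P) % P == R

def threshold_sign(x_shares, msg, signers):
    k = {i: secrets.randbelow(Q) for i in signers}    # each signer rolls its own k_i
    r = {i: pow(G, k[i], P) for i in signers}         # and broadcasts r_i = g^k_i
    R = interp_point(r)                               # g^k for an interpolated k nobody holds
    e = challenge(R, msg)
    s_shares = {i: (k[i] - x_shares[i] * e) % Q for i in signers}  # s_i = k_i - x_i*e
    return R, interp_scalar(s_shares)                              # s = k - x*e

def demo(msg=b"constructed message"):
    x = secrets.randbelow(Q)
    R, s = threshold_sign(shamir_share(x, T, N), msg, [1, 3])   # any T of the N shares
    return schnorr_verify(pow(G, x, P), msg, R, s)
```

The nonce points are broadcast with no prior commitment round, exactly as the summary describes, so this models the proposal's arithmetic rather than a hardened protocol.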
Updated on: 2023-06-13T03:53:39.033724+00:00