Author: Erik Aronesty 2018-07-09 17:59:23
Published on: 2018-07-09T17:59:23+00:00
The discussion revolves around the security assumptions of a multiparty signing using the Schnorr construction. The original scheme is secure against participants adaptively choosing their keys, unlike the naive interpolation of schnorr signatures which is vulnerable to adaptive key choice. The naive protocol works as preprocessing on the keys and then continues with the same verifier as the original schnorr construction. However, doing that alone is insecure against adaptive key choice, and potentially adaptive R choice, depending on specifics which aren't clear enough. Wagner's algorithm has remarkable power that makes it possible for cancellation attacks even if interpolation locations are picked with the hash of each key. Each party only has a share of the private key and publishes a share of the public key, which hopefully precludes any sort of adaptive key attack. The verification process involves interpolation of m of n s' shares to get s, interpolation of m of n g^x' shares to get g^x, and standard schnorr verification. The actual public key of the "set of signers" is interpolated.
Updated on: 2023-06-13T03:54:47.168644+00:00