Is this a safe thing to be doing with ECC addition? (Oracle protocol)



Summary:

ECDSA has a limitation: there is no known protocol for creating a signature under the combined key a+b (where P=aG, Q=bG, and R=P+Q=(a+b)G) unless one party sends its private key to the other. With Schnorr signatures, in contrast, this can be done. The k^-1 term in ECDSA, however, makes a direct multiparty signature quite difficult. One party hashing their key may be sufficient for the process. Joel Kaartinen suggests that if both parties insist on seeing a hash of the other party's public key before they show their own public key, each can be sure that the other's public key was not chosen based on the public key they themselves presented.
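The hash-then-reveal exchange described above can be sketched as follows. This is an added example, not code from the thread. It assumes secp256k1 and SHA-256 over the uncompressed key encoding, and the function names (`commit`, `joint_key`) are hypothetical.

```python
import hashlib, hmac

FP = 2**256 - 2**32 - 977  # secp256k1 field prime; G is the standard generator
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % FP == 0

def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % FP, -1, FP)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def ec_mul(k, pt=G):
    """Double-and-add; not constant time, for illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def commit(pt):
    """Hash of the uncompressed public key, sent before the key itself."""
    raw = b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return hashlib.sha256(raw).digest()

def joint_key(own_pub, peer_commitment, peer_pub):
    """Return R = P + Q only if the peer's reveal matches its earlier hash."""
    if not on_curve(peer_pub):
        raise ValueError("revealed key is not on the curve")
    if not hmac.compare_digest(peer_commitment, commit(peer_pub)):
        raise ValueError("revealed key does not match commitment")
    return ec_add(own_pub, peer_pub)

if __name__ == "__main__":
    a, b = 0x1234, 0x5678  # constructed toy private keys
    print(joint_key(ec_mul(a), commit(ec_mul(b)), ec_mul(b)) == ec_mul(a + b))
```

Each side calls `joint_key` only after both hashes have been exchanged, so a key substituted after seeing the other party's key fails the commitment check.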


Updated on: 2023-06-08T03:55:30.392301+00:00