Matt Whitlock [ARCHIVE] on Nostr: 📅 Original date posted:2014-03-29 📝 Original message:On Saturday, 29 March ...
📅 Original date posted:2014-03-29
📝 Original message:On Saturday, 29 March 2014, at 7:36 am, Gregory Maxwell wrote:
> On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <wbl at uchicago.edu> wrote:
> > This is not the case: one can use MPC techniques to compute a
> > signature from shares without reconstructing the private key. There is
> > a paper on this for bitcoin, but I don't know where it is.
>
> Practically speaking you cannot unless the technique used is one
> carefully selected to make it possible. This proposal isn't such a
> scheme I believe, however, and I think I'd strongly prefer that we
> BIP standardize a formulation which also has this property.
I too would prefer that, but I do not believe there exists a method for computing a traditional signature from decomposed private key shares. Unless I'm mistaken, the composed signature has a different formula and requires a different verification algorithm from the ECDSA signatures we're using today. Thus, such a scheme would require a change to the Bitcoin scripting language. I specifically did not want to address that in my BIP because changes like that take too long. I am aiming to be useful in the present.
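As an added illustration of the two halves of this exchange (example code, not from the thread, from the BIP under discussion, or from any library): t-of-m Shamir shares of a private key d, taken mod the secp256k1 order, reconstruct d by a plain linear combination, and because the ECDSA scalar s = k^-1 (z + r d) is affine in d, partial values computed from the shares under a common nonce combine into the real s with the same Lagrange coefficients; the catch the code then shows is that a nonce known to every holder lets any of them solve for d, which is one reason purpose-built threshold-ECDSA protocols are needed. The Shamir split, the message hash z, the nonce k and the value r (a constructed stand-in for the x-coordinate of kG) are all assumptions of the example.

```python
import secrets

# Order of the secp256k1 group; all share and signature arithmetic is done mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split(secret, t, m, rnd=secrets.randbelow):
    """Shamir split (assumed scheme): t-of-m shares (x, f(x)) of a random
    degree t-1 polynomial over Z_N with f(0) = secret."""
    coeffs = [secret % N] + [rnd(N) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, j, N) for j, c in enumerate(coeffs)) % N)
            for x in range(1, m + 1)]

def lagrange_at_zero(xs):
    """Coefficients lambda_i with f(0) = sum(lambda_i * f(x_i)); they sum to 1."""
    lams = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        lams.append(num * pow(den, -1, N) % N)
    return lams

def combine(shares):
    """Reconstruct the secret from any t shares: a linear combination only."""
    lams = lagrange_at_zero([x for x, _ in shares])
    return sum(l * y for l, (_, y) in zip(lams, shares)) % N

def ecdsa_s(d, k, z, r):
    """The s component of an ECDSA signature: s = k^-1 (z + r d) mod N."""
    return pow(k, -1, N) * (z + r * d) % N

def combine_partial_s(shares, k, z, r):
    """Each holder computes s_i from its own share d_i under one shared (k, z, r).
    Since s is affine in d and the lambda_i sum to 1, the weighted partials give
    exactly the s that the reconstructed key would have produced."""
    lams = lagrange_at_zero([x for x, _ in shares])
    return sum(l * ecdsa_s(y, k, z, r) for l, (_, y) in zip(lams, shares)) % N

def recover_d(s, k, z, r):
    """The obstacle: with k known, s = k^-1 (z + r d) is solved for d directly.
    A nonce every holder sees in the clear therefore leaks the full key, so the
    nonce (and its inverse) must themselves be handled as shared secrets."""
    return (s * k - z) * pow(r, -1, N) % N

if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1            # constructed private key
    k, z, r = (secrets.randbelow(N - 1) + 1 for _ in range(3))  # constructed inputs
    shares = split(d, 2, 3)
    assert combine(shares[1:]) == d
    assert combine_partial_s(shares[:2], k, z, r) == ecdsa_s(d, k, z, r)
    print("partials combine linearly; nonce known ->", recover_d(ecdsa_s(d, k, z, r), k, z, r) == d)
```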
Published at 2023-06-07 15:16:39