Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted: 2014-03-29
📝 Original message:
On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <wbl at uchicago.edu> wrote:
> This is not the case: one can use MPC techniques to compute a
> signature from shares without reconstructing the private key. There is
> a paper on this for bitcoin, but I don't know where it is.
Practically speaking you cannot unless the technique used is one
carefully selected to make it possible. This proposal isn't such a
scheme I believe, however, and I think I'd strongly prefer that we
BIP standardize a formulation which also has this property.

The paper you want is
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.67.9913

There will soon be a paper coming out from some Princeton folks about
refining that and applying it to Bitcoin.

You can use the secret sharing from threshold ECDSA in the
not-super-useful way where you just recombine the private key and
sign... but you can also use it to compute a secret shared signature
and then interpolate back the signature... avoiding the need for any
trusted device in holding the signature.
Published at 2023-06-07 15:16:39