Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: ECDSA 2 of 2 signing - page 2. (Read 7411 times)

gmaxwell
staff
Activity: 4242
Merit: 8672
Re: ECDSA 2 of 2 signing
March 12, 2014, 10:48:30 AM
#6
Quote from: oleganza on March 12, 2014, 06:20:20 AM
Very cool to see someone playing with my approach. Haven't checked your paper throughly, but the principle of packing 2 signatures in one is very useful. I was recently thinking about packing 1000s of signatures in one to help with crowdfunding and possibly a majority vote. Maybe it's possible with some more algebraic mumbo-jumbo.
It's relatively easy to do with schnorr signatures.  It would be a major advance to be able to do this with ECDSA.

I've not worked through the protocol presented here yet... but if it is indeed secure it will also be a major advance.  In CoinSwap there is shown a method where any two party fancy scripted transaction can be made indistinguishable from a 2-of-2 multisig, assuming the transacting parties are honest (if someone cheats the transaction loses its indistinguishably). So the anonymity set of these transactions is the set of 2-of-2 multisig transactions. I'd previously lamented that in schorr signatures single key 2-of-2 is utterly trivial, and these could have an anonymity set of all transactions.

Though it's too early to deploy, I recommend coming up with a patch for libsecp256k1 to do these 2-of-2 key agreement and signing.
Crowex
member
Activity: 111
Merit: 10
Re: ECDSA 2 of 2 signing
March 12, 2014, 07:53:04 AM
#5
Quote from: oleganza on March 12, 2014, 06:20:20 AM
Very cool to see someone playing with my approach. Haven't checked your paper throughly, but the principle of packing 2 signatures in one is very useful. I was recently thinking about packing 1000s of signatures in one to help with crowdfunding and possibly a majority vote. Maybe it's possible with some more algebraic mumbo-jumbo.

I think my method is OK but there may be some attack I haven't considered.

It's very similar to your approach but for my method I had to add a step to stop someone cheating by declaring a false value for A.

I think it's interesting using the EC maths rather than the bicoin scripting for this type of thing - less problem with wallet compatibility and it works with most alt-currencies too.

The multiple signatures and crowd funding ideas are interesting. I was going to see if I could adapt it to a 2 of 3 signature when I get time.I think this type of thing could be useful in other distributed systems.
oleganza
full member
Activity: 200
Merit: 104
Software design and user experience.
Re: ECDSA 2 of 2 signing
March 12, 2014, 06:20:20 AM
#4
Very cool to see someone playing with my approach. Haven't checked your paper throughly, but the principle of packing 2 signatures in one is very useful. I was recently thinking about packing 1000s of signatures in one to help with crowdfunding and possibly a majority vote. Maybe it's possible with some more algebraic mumbo-jumbo.
Crowex
member
Activity: 111
Merit: 10
Re: ECDSA 2 of 2 signing
March 12, 2014, 03:32:06 AM
#3
yes, thanks, that was a typo
I've corrected it
jaesyn
newbie
Activity: 10
Merit: 1
Re: ECDSA 2 of 2 signing
March 12, 2014, 01:19:25 AM
#2
I think you made an error in the following:
Quote
3. Alice signs by calculating s2 = c*s1 + d mod p

Should be s2=a*s1 + b, no?
Crowex
member
Activity: 111
Merit: 10
Re: ECDSA 2 of 2 signing
March 11, 2014, 10:29:56 AM
#1
hi,
 After coming across the blind signature protocol in this forum http://oleganza.com/blind-ecdsa-draft-v2.pdf I've designed a 2 of 2 ECDSA signing protocol. It's only suitable for a one time signature. Any feedback is appreciated (thanks andytoshi for some useful pm feedback prior to post)

 https://www.dropbox.com/s/zaxkh0uy7zgavm1/2%20of%202%20ECDSA.pdf?dl=0

 Smiley
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: