New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two round trip Schnorr multi-signatures #6

burdges opened this Issue Jan 10, 2019 · 2 comments


None yet
1 participant
Copy link

burdges commented Jan 10, 2019

There is now supposedly a clear break for the simple two-round multi-signature scheme, maybe not in but forthcoming, so we'll do the three round version using session types, but..

There are many real world problems with using session types on small devices, including that you ideally should never serialize anything. I noticed an approach to this problem in which Andrew Polestra has a team at Blockstream addressing for secp256k1. In their case, there is a nice canonical curve SecQ that swaps the based field and group order.

We do eventually want two-round multi-signatures so we need :

First, another curve with base field Z/lZ where l is the group group order of Ed25519, meaning l = 2^252+27742317777372353535851937790883648493. We'd prefer an Edwards curve with group order 2^255-19, but this sounds impossible. Any Edwards curve for which we can implement Ristretto works for this use case however. It'd be cool if we find a non-Edwards curve with group order 2^255-19 though.

Second, an implementation of a ZK proof scheme for the VRF that taks a key from this curve and yields a point on Ed25519. We should collaborate with blockstream on this as much as possible, but it's considerable work.


This comment has been minimized.

Copy link
Collaborator Author

burdges commented Jan 11, 2019

It appears Henry de Valance already learned about this problem and plans to address it, maybe even in curve25519-dalek itself. We can perhaps just track this and see if anyone needs help, funding, etc.

@burdges burdges changed the title two-round multi-signatures Two-round trip Schnorr multi-signatures Feb 13, 2019


This comment has been minimized.

Copy link
Collaborator Author

burdges commented Feb 13, 2019

I think #15 mostly supersedes this issue for now, as it provides reasonable messages sizes which matters for parity signer use cases. I'll leave this open however since the two-round trip Schnorr multi-signatures looks solvable this way, but maybe it's not really required here.

@burdges burdges changed the title Two-round trip Schnorr multi-signatures Two round trip Schnorr multi-signatures Feb 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment