On Sat, Mar 29, 2014 at 7:28 AM, Watson Ladd <w...@uchicago.edu> wrote:
> This is not the case: one can use MPC techniques to compute a
> signature from shares without reconstructing the private key. There is
> a paper on this for bitcoin, but I don't know where it is.
Practically speaking you cannot unless the technique used is one carefully selected to make it possible. This proposal isn't such a scheme I believe, however, and I think I'd strongly prefer that we BIP standardize a formulation which also has this property.

The paper you want is http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.67.9913

There will soon be a paper coming out from some Princeton folks about refining that and applying it to Bitcoin.

You can use the secret sharing from threshold ecdsa in the not-super-useful way where you just recombine the private key and sign... but you can also use it to compute a secret shared signature and then interpolate back the signature... avoiding the need for any trusted device in holding the signature.

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
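The two uses of the shares contrasted in the message, as an added illustration that is not part of the thread, the cited paper or any Bitcoin code: Shamir sharing over the secp256k1 scalar field, then (a) rebuilding the private key from t+1 shares versus (b) every party computing a partial s from its own shares and the group interpolating the finished signature component, so no single place ever holds d. It is a toy for the interpolation step only: it assumes a trusted dealer hands out sharings of d and k^-1 and takes r as a given constant, whereas the actual threshold protocol generates those sharings jointly and computes r from the nonce; all scalars in it are constructed sample values.

```python
import secrets

# Group order of secp256k1; used only as the prime field for scalar
# arithmetic (no elliptic-curve points are computed in this toy).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret, t, n, modulus=N):
    """Shamir-share `secret` with a random degree-t polynomial.

    Returns n points (x, f(x)); any t+1 of them determine f(0) = secret,
    while t or fewer reveal nothing about it.
    """
    coeffs = [secret % modulus] + [secrets.randbelow(modulus) for _ in range(t)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % modulus
        shares.append((x, y))
    return shares


def interpolate_at_zero(points, modulus=N):
    """Lagrange interpolation: recover f(0) from enough (x, f(x)) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % modulus
                den = den * (xi - xj) % modulus
        total = (total + yi * num * pow(den, -1, modulus)) % modulus
    return total


def threshold_sign_demo(h, r, d, k, t=2, n=5, modulus=N):
    """Contrast the two ways of using the shares.

    h: message hash as a scalar; r: x-coordinate of k*G, taken as given here;
    d: private key; k: nonce.  ECDSA's second component is
    s = k^-1 * (h + r*d) mod N.  A trusted dealer (assumed for this toy)
    shares d and k^-1 with degree t.
    """
    assert n >= 2 * t + 1, "need 2t+1 parties to interpolate a degree-2t product"
    k_inv = pow(k, -1, modulus)
    d_shares = split_secret(d, t, n, modulus)
    kinv_shares = split_secret(k_inv, t, n, modulus)

    # (a) "not-super-useful" way: t+1 parties hand over their d shares,
    #     d is rebuilt in one place and that place signs normally.
    recovered_key = interpolate_at_zero(d_shares[: t + 1], modulus)
    direct_s = k_inv * (h + r * d) % modulus

    # (b) each party computes a partial s_i from its own shares only.  The
    #     product of two degree-t sharings is a degree-2t sharing of
    #     k^-1 * (h + r*d), so 2t+1 partials interpolate to s itself and
    #     neither d nor k^-1 is ever reconstructed.
    partials = [
        (x, kinv_i * (h + r * d_i) % modulus)
        for (x, kinv_i), (_, d_i) in zip(kinv_shares, d_shares)
    ]
    interpolated_s = interpolate_at_zero(partials[: 2 * t + 1], modulus)

    return {
        "recovered_key": recovered_key,
        "direct_s": direct_s,
        "interpolated_s": interpolated_s,
    }


if __name__ == "__main__":
    # Constructed sample scalars; not a real key, nonce or message hash.
    out = threshold_sign_demo(h=0xDEADBEEF, r=0x1234567, d=0xC0FFEE, k=0xABC)
    print(out["interpolated_s"] == out["direct_s"])
```

Note the degree doubling in step (b): multiplying two degree-t sharings needs 2t+1 cooperating parties rather than t+1, which is why the cited construction spends most of its effort on generating the nonce-inverse sharing jointly and keeping the threshold down; the dealer used here is only a stand-in for that machinery.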