Share this page!

Sergey Gorbunov Profile picture
Twitter logo
6 Oct, 10 tweets, 2 min read
Have you ever wondered why Threshold ECDSA is painful, Threshold Schnorr is straightforward, and Threshold BLS is trivial? Here's an informal explanation:
Everything comes down to the complexity of the signing equation for each scheme.

All secrets in all schemes are typically distributed across users using Shamir's secret sharing techniques. en.wikipedia.org/wiki/Shamir%27…
Threshold ECDSA sign equation involves multiplication of two secrets (k^{-1} and x, where x is the secret).
s = k^{-1} * (Hash(v) + r * x)

This is not straightforward!
The fight with "multiplication" gates dates back to the original papers on MPC from '87-88 [see Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation by Ben-Or, Goldwasser, and Wigderson' 88; "The multiplication step is only a bit harder." :).]
citeseerx.ist.psu.edu/viewdoc/downlo…
If you have two shares distributed following Shamir's secret sharing protocol, then multiplying them results in a polynomial of a larger degree. So if you want to preserve your threshold/participants parameters, you need to do a "degree reduction" one way or another.
Hence, you must fall back to some good old MPC techniques for this.
On the other hand, the Schnorr signatures are simpler:
s = k - x * Hash(v).
Note that you only need to multiply a distributed secret (x) by a !public value, Hash(v), which is significantly easier. [Additions usually come "for free" in all settings]
Finally, the BLS signature equation is trivial: H(m)^x.
The complexity and the security of the scheme are reduced to pairings. Aggregating distributed shares then follows the basic linearity over the group.
That's it! If everyone supported BLS signatures, our lives would be so much simpler today! 🚀😀

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sergey Gorbunov

Sergey Gorbunov Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @sergey_nog

Sergey Gorbunov Profile picture
12 Oct
Almost "everything" you need to know about fully homomorphic encryption and how it can solve (at least some) of our data privacy problems.
The problem was first introduced by Rivest, Adleman, and Dertouzos all the way back in 1978. luca-giuzzi.unibs.it/corsi/Support/…
On a high level, an encryption scheme is homomorphic if one can perform field operations over the encrypted messages, E(a) and E(b), that result in simple base operations over the underlying encrypted values.
Read 23 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @sergey_nog has new unrolls!

Check out other threads from @sergey_nog!

Read all threads by @sergey_nog

:(