Threshold ECDSA Signatures

Dear community!

As there have been some discussions going on in this thread related to security (protocol review, testing, QA in general etc.), let me point out to you this new discussion thread that may be of interest, at least to some of you: Security Sandboxing (Community Consideration)

With this thread, we have just started a community discussion on security sandboxing. It would be great if those of you interested in the topic would join the discussion there.

As security has had so much resonance in the ECDSA, Bitcoin, and other feature discussions, we would like to follow an approach of having a community discussion as a first step of the whole process in order to get your requirements and thoughts on security sandboxing.

We are listening.

5 Likes

Watch the community conversation on threshold ECDSA with Victor Shoup.

5 Likes

Motion passed: :white_check_mark:

https://dashboard.internetcomputer.org/proposal/21340

7 Likes

Congratulations @diegop ! Sorry 1 silly question: I read this article recently regarding Taproot upgrade for the Bitcoin network due in November where it will change its cryptographical method from ECDSA to Schnorr. I’m wondering how this change will affect the integration work that is being done by Dfinity at this stage. Thanks.

3 Likes

Good question.

@Manu wrote a great answer to this question on r/dfinity, so instead of copy/pasting, I will instead link to it:

4 Likes

Thanks for reposting this!

I honestly only vaguely understood taproot. This was a very clear explanation. Very excited for direct integration.

4 Likes

Thanks @diegop ~ much appreciated and excellent post by Manu!

Not sure if I missed his comments but I cannot seem to find Manu’s comments about the IC planning to implement Schnorr in line with how BTC is switching to Schnorr (and discarding use of ECDSA unless I am completely wrong on this one). In this regard, I would presume Dfinity is on top of this and as long as the IC’s implementation of ECDSA works fine with BTC (once Schnorr is turned on) then this is probably a non-issue (and my sincere apologies for unnecessarily bringing this issue up).

4 Likes

Thanks @Alixthe!

> Not sure if I missed his comments but I cannot seem to find Manu’s comments about the IC planning to implement Schnorr in line with how BTC is switching to Schnorr (and discarding use of ECDSA unless I am completely wrong on this one). In this regard, I would presume Dfinity is on top of this and as long as the IC’s implementation of ECDSA works fine with BTC (once Schnorr is turned on) then this is probably a non-issue (and my sincere apologies for unnecessarily bringing this issue up).

That’s a very good question. I think the article you linked above makes it seem like Schnorr will completely replace ECDSA, and there will be no ECDSA in bitcoin anymore after taproot. This is not the case, addresses currently protected by ECDSA signatures will continue to work as before. Schnorr is just a new option that will additionally be supported. Does that answer your question?

6 Likes

Yes ~ perfect thanks @Manu ~ much appreciated. Sorry but I must have misinterpreted the articles I have read so far which make it seem like Schnorr is going to replace ECDSA when I guess it is in addition to ECDSA. All good! :+1:

3 Likes

I thought this thread would be interested in the update about project scope and design on the Sandboxing project thread: Security Sandboxing (Community Consideration) - #3 by diegop

4 Likes

Just in case anyone here is interested: Jens Groth and I released a paper on the security of several variations of ECDSA, which is available as Cryptology ePrint Archive: Report 2021/1330. While this paper is not specifically on threshold ECDSA, the variations considered are in fact directly motivated by our current design for threshold ECDSA, and the analysis in this paper forms the theoretical foundations for the security of our threshold protocol.

7 Likes

Link for the lazy like me :slight_smile: : Cryptology ePrint Archive: Report 2021/1330 - On the security of ECDSA with additive key derivation and presignatures

4 Likes

I tried to insert a link, but it wouldn’t let me.

2 Likes

That happens to me 1/3 of the time, I cannot figure out why or how. There seems to be no rhyme or reason to why Discourse (the platform) does this.

2 Likes
