Some advances have been made on practical threshold ECDSA by Steven Goldfeder et al:
https://freedom-to-tinker.com/blog/stevenag/threshold-signatures-for-bitcoin-wallets-are-finally-here/ http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf Is anyone able to breakdown how this compares to threshold Schnorr? http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps In particular: Does Schnorr still hold an advantage in this area, or has ECDSA closed the gap? What are the differences with respect to: - trust assumptions (trusted setup, robustness to misbehaving parties) - communication costs (in particular, # of rounds) - computation costs - implementation complexity Trevor _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
