I do believe there is another parameter to take into account. The threshold sigs from the Princeton paper wants signer’s anonymity which I believe is not achieved in threshold Schnorr sigs.
> On 09 Mar 2015, at 22:21, Trevor Perrin <tr...@trevp.net> wrote: > > Some advances have been made on practical threshold ECDSA by Steven > Goldfeder et al: > > https://freedom-to-tinker.com/blog/stevenag/threshold-signatures-for-bitcoin-wallets-are-finally-here/ > http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf > > Is anyone able to breakdown how this compares to threshold Schnorr? > http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps > > In particular: Does Schnorr still hold an advantage in this area, or > has ECDSA closed the gap? What are the differences with respect to: > - trust assumptions (trusted setup, robustness to misbehaving parties) > - communication costs (in particular, # of rounds) > - computation costs > - implementation complexity > > > Trevor > _______________________________________________ > Curves mailing list > Curves@moderncrypto.org > https://moderncrypto.org/mailman/listinfo/curves _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves