On Mar 9, 2015 2:22 PM, "Trevor Perrin" <tr...@trevp.net> wrote: > > Some advances have been made on practical threshold ECDSA by Steven > Goldfeder et al: > >https://freedom-to-tinker.com/blog/stevenag/threshold-signatures-for-bitcoin-wallets-are-finally-here/ >http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf > > Is anyone able to breakdown how this compares to threshold Schnorr? >http://cacr.uwaterloo.ca/techreports/2001/corr2001-13.ps > > In particular: Does Schnorr still hold an advantage in this area, or > has ECDSA closed the gap? What are the differences with respect to: > - trust assumptions (trusted setup, robustness to misbehaving parties) > - communication costs (in particular, # of rounds) > - computation costs > - implementation complexity > > > Trevor >
So I've looked at both papers, and threshold ECDSA is still a lot more complicated. Threshold Schnorr can directly get any linear sharing scheme with linear storage cost, while threshold ECDSA requires enumerating all sets that are allowed. The other big difference is the threshold ECDSA uses Pailler in addition to discrete log assumptions, and is much more complicated. Threshold Schnorr was quite a bit simpler, relying only on discrete log assumptions in one group. Sincerely, Watson Ladd _______________________________________________ > Curves mailing list >Curves@moderncrypto.org >https://moderncrypto.org/mailman/listinfo/curves _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves