I have one question about these sorts of schemes... There's a naive approach where you don't attempt to model multisignature trust in terms of a single signature, but rather have a whitelisted set of keys, and have k / n potential signers produce an individual signature.
This clearly takes more space for signatures, but seems a lot more straightforward and easy-to-implement. Also, it can work with any signature scheme, so it's pluggable and easy to switch out once you have the basic framework in place. What is the advantage of "fancy" threshold signature schemes? I'm really not seeing it aside from the space savings. FWIW The Update Framework uses a unique signature per principal.
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves