On Tue, Mar 10, 2015 at 3:15 PM, Tony Arcieri <basc...@gmail.com> wrote:
> I have one question about these sorts of schemes...
>
> There's a naive approach where you don't attempt to model multisignature
> trust in terms of a single signature, but rather have a whitelisted set of
> keys, and have k / n potential signers produce an individual signature.

It makes sense to benchmark threshold-signing against multi-sigs, but
having good threshold signing would be nice:

 - Wouldn't have to design multi-sigs into every protocol

 - Bandwidth savings (e.g. transmitting m signatures and n public keys
   for certificates)

 - Compute savings (e.g. verifying cert chains or secure boot on
   low-end devices)

 - Some schemes have additional properties, e.g. proactive schemes let
   you redistribute a set of n shares if there's still a secure
   threshold, to recover from compromises

 - The anonymity aspect Tim mentioned - how you handle shares /
   proactivization could be used to fingerprint parties in an anonymous
   setting.

Trevor