Signature Technology
- Let
L = h(P1 || ... || Pn). Every participant computes the digest:ai = h(L || Pi). - Compute the aggregated public key:
X̃ = Σ (ai * Pi)fori = 1, ..., n.X̃is made public. - Every participant randomly selects
riand computes:Ri = ri * G. Every participant sends their dedication:ti = h(Ri)to all different individuals. - After receiving the opposite
n-1commitments, every participant sends their levelRi. - After receiving the opposite
n-1factorsRi, every participant verifies:ti = h(Ri)for alli ∈ {1, ..., n}. - Calculate the aggregated level:
Rsum = R1 + ... + Rn. - Every participant computes the problem:
c = h(Rsum || X̃ || M). - Every participant calculates their partial signature:
si = ri + c * di * ai mod N.Lastly, compute the aggregated signature:ssum = s1 + ... + sn mod N. - The signature is the pair
(Rsum, ssum).
Signature Verification
Test if:
ssum * G = Rsum + c * X̃.
Questions:
-
Sharing ti, Ri, and si:
How do individuals ship their commitments (ti), share theirRivalues, and change partial signatures (si)? What does this course of appear like in apply? Is there an ordinary, asynchronous, and user-friendly option to handle this in software program? Or do individuals have to manually compute theirsi, sum them, and share the outcomes backwards and forwards? -
Verification Course of:
Who verifies the ultimate signature(Rsum, ssum)? When and the way does this verification occur in real-world Bitcoin use instances? Is the verification accomplished by way of P2SH scripts?
And relating to the initiation of the verification course of—does a participant (e.g., one of many multisig signers) who has collected all of theRsumandssumvalues create the transaction from the P2SH tackle? Or am I misunderstanding this movement? -
What Occurs With out Commitments?
What might an adversary do if the commitments (ti) weren’t a part of the protocol? What sort of assaults might happen, and the way would they exploit the shortage of commitments?
