Signature Generation
- Let L = h(P1 || ... || Pn). Every participant computes the digest: ai = h(L || Pi).
- Compute the aggregated public key: X̃ = Σ (ai * Pi) for i = 1, ..., n. X̃ is made public.
- Every participant randomly selects ri and computes: Ri = ri * G. Every participant sends their commitment ti = h(Ri) to all other participants.
- After receiving the other n-1 commitments, every participant sends their point Ri.
- After receiving the other n-1 points Ri, every participant verifies: ti = h(Ri) for all i ∈ {1, ..., n}.
- Calculate the aggregated point: Rsum = R1 + ... + Rn.
- Every participant computes the challenge: c = h(Rsum || X̃ || M).
- Every participant calculates their partial signature: si = ri + c * di * ai mod N. Lastly, compute the aggregated signature: ssum = s1 + ... + sn mod N.
- The signature is the pair (Rsum, ssum).

Signature Verification
Check whether: ssum * G = Rsum + c * X̃.
Questions:
- Sharing ti, Ri, and si: How do participants send their commitments (ti), share their Ri values, and exchange partial signatures (si)? What does this process look like in practice? Is there a standard, asynchronous, and user-friendly way to handle this in software? Or do participants have to manually compute their si, sum them, and share the results back and forth?
- Verification Process: Who verifies the final signature (Rsum, ssum)? When and how does this verification happen in real-world Bitcoin use cases? Is the verification done via P2SH scripts? And regarding the initiation of the verification process: does a participant (e.g., one of the multisig signers) who has collected all of the Rsum and ssum values create the transaction from the P2SH address? Or am I misunderstanding this flow?
- What Happens Without Commitments? What could an adversary do if the commitments (ti) weren't part of the protocol? What kind of attacks could occur, and how would they exploit the lack of commitments?