February 25, 2019

Tari Protocol Discussion 25

On Monday, the Tari community compared the pros and cons of different Multisig approaches. Mostly, the conversation revolved around Aggregated Schnorr signatures and Bitcoin-style script based multisigs. Below is the TL;DR on Monday’s conversation (full transcript included below):

Considerations for multisig approaches

  • N-of-N scenarios can be solved with aggregated schnorr signatures
  • They are flexible, small, and confidential between parties

  • N-of-M scenarios could leverage Shamir’s secret sharding
  • How do you tie final assembly of the secret to a transaction that all parties have agreed to without requiring the asset issuer to always be online?

Join us for our next discussion on Freenode in #tari-dev.

Discussion times proposed by the Tari community:

Mondays: 6pm CAT (11am EST)

Thursdays: 11am CAT (4am EST)

To keep up with the latest Tari developments, you can follow the project on Twitter.

Transcript of Monday’s discussion

11:06 AM <Blackwolfsa> Hi everyone, wat do you guys think about aggregated vs multisigs in mimble wimble
11:06 AM <Blackwolfsa> The pros ans cons of each
11:07 AM <simian_za> are we talking n-of-n?
11:08 AM <simian_za> because what's the difference between aggregated sigs in MW and multisig?
11:10 AM <simian_za> do you mean Bitcoin style script based multisig vs aggregated schnorr?
11:14 AM <Blackwolfsa> Yes bitcoin type sigs vs musig type sigs
11:19 AM <simian_za> so for n-of-n Multisig seems great. The signature is small and completely confidential between the parties
11:20 AM <simian_za> for n-of-n is there any downside to musig vs script style?
11:20 AM <Blackwolfsa> Yes I agree, it does seem to be very flexible, but the problem is 'n of m
11:21 AM <Blackwolfsa> But as far as I have it, we might be able to do so something like a shamirs secret sharding
11:23 AM <neonknight> Having a compact n-of-m sig without relying on generating all combinations of signatures, in the mempool, would be nice.
11:24 AM <simian_za> ja n-of-m seems quite difficult. so pure Shamir sharding is a a little tricky because how do you tie the final assembly of the secret to a transaction that all the parties have agreed to?
11:25 AM <neonknight> In some cases such as with Validator nodes, I think the asset creator could possible create and share the secrets for each validator node. Only he knows the full secr
11:26 AM <neonknight> secret, but combining the secrets remain a problem.
11:31 AM <Blackwolfsa> But then he as to be online 100% of the time
11:32 AM <Blackwolfsa> Not exactly undoable, but undesirable
11:33 AM <simian_za> the second layer aspect is definitely important but I do think we need to find a general solution on the base layer for a number of applications
11:35 AM <neonknight> The asset creator could pre-generate different secrets and share the partial secrets at asset creation or some other event, ensuring that he doesn't always need to be online. Agreed, a generic n-of-m sig mechanism would be better.
11:37 AM <simian_za> so Shamir sharding of the complete key is quite tricky but I heard in passing Andy Poelstra talking about an approach where the members of the multisig shard their individual portions of a n-of-n MuSig. This means that if there is a majority of the members available they could collaborate to reconstruct the missing members portions of the MuSig during a MuSig style protocol
11:39 AM <Blackwolfsa> That's definitely something we need
11:45 AM <mikethetike> mw - all the participants in a transaction need to sign (n-of-n) the excess
11:45 AM <mikethetike> that's still using schnorr right?
11:47 AM <simian_za> I am not actually sure about that in the MuSig context, in MuSig they definitely all have to collaborate to reconstruct the blinding factor
11:47 AM <simian_za> which I guess is then used to sign the excess in the usual MW way?
11:48 AM <simian_za> and that signature will be aggregated with the blinding factor chosen by the recipient of the payment
11:49 AM <simian_za> but that MW aggregation of the sender (the MuSig) and the receiver is not a MuSig itself
11:52 AM <mikethetike> so we are discussing n-of-m spending of an output?
11:52 AM <simian_za> Ja, MuSig seems to neatly solve the n-of-n case
11:56 AM <mikethetike> so in shamir sharding, there is the actual blinding factor, that none of the m know. A party could then communicate with N-1 other parties to retrieve their point and then find the actual blinding factor?
11:58 AM <simian_za> So that implies that someone knew the blinding factor to start with and sharded it, I think that is why the approach of sharding the blinding factor directly is not possible
11:59 AM <Blackwolfsa> One thing to remember thou is the signing of the excess and the blinding of the output, is sperate.
11:59 AM <Blackwolfsa> And both very important
12:00 PM <simian_za> Andy Poelstra's approach was that the participants each choose their constituent keys and aggregate using the MuSig protocol but they each member shard's their component secret and distributes the shards to the other participants. This means that the threshold majority of the members can reconstruct the missing MuSig components
12:01 PM <simian_za> right Blackwolfsa? You explained it to me, I didn't actually read it myself :P
12:04 PM <Blackwolfsa> That's as far as I have it. But I have not properly gone over the math fully yet.
12:05 PM <simian_za> sounds plausible though it will add a round or two of comms to distribute the shards