Home

tl;dr: ECDSA is one of the most widely-deployed signature schemes (for better or worse). ECDSA is efficient, offers versatility via its pubkey recovery feature and is widely adopted due to Bitcoin’s success. Its history is fascinating, as is its security analysis. Nonetheless: you should stay away from it, as I argue here.

tl;dr: Signs $m$ as $\sigma = (R, s)$, where $s = r - H(R, m) \cdot \sk$, $R = g^r$ and $r\randget \Zp$. Verifies this signature against $\pk = g^\sk$ as $R \equals g^s \cdot \pk^{H(R, m)}$.

tl;dr: This blog post investigates whether threshold verifiable unpredictable functions (VUFs) can be efficiently instantiated in the silent setup setting, which avoids the need for an interactive, expensive and often complex distributed key generation (DKG) phase. We show that (1) silent setup threshold VUFs are possible from multilinear maps a...

In this post, we describe a strawman threshold signature construction by Baird et al.[^BGJplus23] which produces unique signatures. In their paper, Baird et al. modify this construction into a (non-unique) multiverse threshold signature scheme.

tl;dr: A $t$-out-of-$n$ sharing of $s$ can be reshared as a $t’$-out-of-$n’$. How? Each old player $t’$-out-of-$n’$ reshares their share with the new players. Let $H$ denote an agreed-upon set of $\ge t$ old players who (re)shared correctly. Then, each new player’s $t’$-out-of-$n’$ share of $s$ will be the Lagrange interpolation (w.r.t. $H$) ...

tl;dr: “If you thought before that science is certain, well, that’s just an error on your part.” – Richard Feynman

tl;dr: …because (1) they are only secure when the tree is correctly-computed (e.g., secure with BFT consensus, but insecure in single-server transparency logs), (2) you cannot efficiently insert or delete leaves, and (3) they have worse proof sizes. What does that mean? Never implement one. Stick to Merkle tries (a.k.a., Merkle prefix trees). Or...

tl;dr: Pointcheval-Sanders (PS) signatures[^PS16] are incredibly powerful: (1) they can sign Pedersen commitments directly and (2) they can be re-randomized together with the signed commitment. This enables very simple schemes for proving yourself anonymously. For example, an authority can give you a PS signature on a commitment of your age and ...