Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC 10: ROAST Schnorr signatures #601

Merged
merged 8 commits into from
Jul 14, 2023
Merged

RFC 10: ROAST Schnorr signatures #601

merged 8 commits into from
Jul 14, 2023

Conversation

eth-r
Copy link
Contributor

@eth-r eth-r commented Apr 17, 2023

Using ROAST and Schnorr signatures, we can significantly simplify threshold signing while achieving attributability of misbehaviour.

@beaurancourt beaurancourt self-requested a review April 17, 2023 18:33
beaurancourt
beaurancourt reviewed Apr 17, 2023
View reviewed changes
docs/rfc/rfc-10.adoc Outdated Show resolved Hide resolved
beaurancourt
beaurancourt reviewed Apr 17, 2023
View reviewed changes
docs/rfc/rfc-10.adoc Outdated Show resolved Hide resolved
beaurancourt
beaurancourt reviewed Apr 17, 2023
View reviewed changes
docs/rfc/rfc-10.adoc
and our implementation must conform to it.

Schnorr signatures are incompatible with existing Bitcoin scripts,
requiring the use of taproot scripts instead.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a link to an explainer of taproot scripts would help

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow-up issue

@beaurancourt
Copy link

Left a few comments around hyperlinking extra info and some state stuff

Additionally, I think adding more resources like https://www.youtube.com/watch?v=FVW6Hgt_meg and https://github.com/robot-dreams/roast would be sweet

@eth-r eth-r marked this pull request as ready for review May 2, 2023 15:50
@beaurancourt
Copy link

I'm good here! I think it would be helpful to have someone from @keep-network/go check this out as well

@mhluongo mhluongo mentioned this pull request Jul 14, 2023
Closed
mhluongo
mhluongo approved these changes Jul 14, 2023
View reviewed changes
Copy link
Member

@mhluongo mhluongo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent RFC, and overdue for a merge.

docs/rfc/rfc-10.adoc
and our implementation must conform to it.

Schnorr signatures are incompatible with existing Bitcoin scripts,
requiring the use of taproot scripts instead.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow-up issue

docs/rfc/rfc-10.adoc
=== DKG

The (51, 100) secret key for a tBTC-ROAST signing group (aka wallet)
is produced using GJKR.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A link here would be 👌

@mhluongo mhluongo mentioned this pull request Jul 14, 2023
Open
@mhluongo mhluongo enabled auto-merge July 14, 2023 13:58
@mhluongo mhluongo merged commit e62c262 into main Jul 14, 2023
@mhluongo mhluongo deleted the rfc-10 branch July 14, 2023 13:58
pdyraga
pdyraga reviewed Jul 14, 2023
View reviewed changes
docs/rfc/rfc-10.adoc
Because of this, the only solution is to retry the signing
until a set of signers with no misbehaving participants is stumbled upon.
This means that even a small group of misbehaving participants
can cause a dramatic slowdown in signing,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth noting what the dramatic slowdown means: For 51-of-100 signing and 2 malicious members, we need 5 retries on average.

docs/rfc/rfc-10.adoc
already widely used in Bitcoin.
A signature for message m and public key point P
is defined as the (point, scalar) pair `(R, s)`
where `s * G = R + hash(R || P || m) * P`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is II a byte concatenation or a logical alternative of bytes? I take the former but would be nice to define it in the RFC.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow up issue

#665

docs/rfc/rfc-10.adoc

The algorithm `Verify(pk, m, sig)` is defined as:

* Let `P = lift_x(int(pk))`; fail if that fails.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the lift_x function doing?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created a follow up issue

#664

This was referenced Jul 15, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pdyraga pdyraga pdyraga left review comments

@beaurancourt beaurancourt beaurancourt left review comments

@mhluongo mhluongo mhluongo approved these changes

Assignees

@eth-r eth-r

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@eth-r @beaurancourt @mhluongo @pdyraga