In the multi-party ECDSA case, in mta.rs, in impl MessageA the range proofs are not
included for Alice, and in impl MessageB it is only computing a proof of
knowledge of a discrete logarithm of bG instead of proving that b is in the
appropriate range as per page 8 of GG18, where it says Bob should be proving in ZK
that b < K.
The rationale for why we might want to have the range proof is in GG18 on page 9;
basically it would allow a malicious party to make the threshold signature fail
verification and let them go unblamed.
Motivation to drop the range proofs is discussed in Section 5 (page 19) of the paper but we think that it should be optional.
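
An added illustration, not part of the original issue and not code from the repository: a toy Paillier-based MtA run showing that when Bob's b stays below the bound the two shares add up to a*b, and when b is out of range the plaintext wraps modulo N and the shares no longer match, so a signature built on them would not verify. The primes, ORDER, K, the fixed randomness and all function names are constructed for this example; the bound is only asserted here, whereas the protocol enforces it with a zero-knowledge range proof, which is not shown.

```rust
// Toy Paillier over u128. All parameters are constructed and far too small to be secure.
const P: u128 = 65_537;
const Q: u128 = 65_521;
const N: u128 = P * Q;
const N2: u128 = N * N;
const PHI: u128 = (P - 1) * (Q - 1);
const ORDER: u128 = 101; // stand-in for the curve order q
const K: u128 = 1 << 20; // stand-in bound: a*b + beta' < N when a < ORDER and b, beta' < K

fn modpow(mut base: u128, mut exp: u128, m: u128) -> u128 {
    let mut acc = 1;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % m; }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

// Enc(m; r) = (1 + m*N) * r^N mod N^2, with generator N + 1.
fn enc(m: u128, r: u128) -> u128 {
    (1 + (m % N) * N) % N2 * modpow(r, N, N2) % N2
}

// Dec(c) = L(c^phi mod N^2) * phi^-1 mod N, where L(x) = (x - 1) / N.
fn dec(c: u128) -> u128 {
    let l = (modpow(c, PHI, N2) - 1) / N;
    l * modpow(PHI, PHI - 1, N) % N // phi^-1 via Euler's theorem
}

// One MtA run with fixed (constructed) randomness; returns (alpha, beta) mod ORDER.
fn mta(a: u128, b: u128, beta_prime: u128) -> (u128, u128) {
    let c_a = enc(a, 123_456_789); // Alice -> Bob
    let c_b = modpow(c_a, b, N2) * enc(beta_prime, 987_654_321) % N2; // Bob -> Alice
    let alpha = dec(c_b) % ORDER; // (a*b + beta') mod N, then mod ORDER
    (alpha, (ORDER - beta_prime % ORDER) % ORDER)
}

// True when alpha + beta == a*b (mod ORDER), i.e. the conversion succeeded.
fn shares_consistent(a: u128, b: u128, beta_prime: u128) -> bool {
    let (alpha, beta) = mta(a, b, beta_prime);
    (alpha + beta) % ORDER == (a % ORDER) * (b % ORDER) % ORDER
}

fn main() {
    println!("b below K:      {}", shares_consistent(7, K - 1, K - 1));
    println!("b out of range: {}", shares_consistent(7, N - 1, 5));
}
```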