search

bnb-chain / tss-lib

Threshold Signature Scheme, for ECDSA and EDDSA
MIT License
783 stars 266 forks source link

Can the number of signers ( variable t ) be retrieved from the signature ? #168

Open ibudisteanu opened 2 years ago

ibudisteanu commented 2 years ago

According to the docs, the t+1 signers will not be revealed. My question is, can the variable t be revealed ? We are thinking of integrating this great library with conditional t. Like if t is 1 we allow some features, if t was 2 used in the signature, we allow more features. Is it possible to retrieve the number of total signers and the total number of signers used t in a broadcast transaction?

yycen commented 2 years ago

The threshold t is known to all parties before keygen phase. So I guess you are asking to recover t from a tss-lib signed signature. A threshold signature looks exactly like a normal signature, unlike multi-signature schemes. (I think it's an advantage for threshold signature over multi-signature, for it hides internal schemes). For your question, I think a simple solution could be to directly pad t in the message to be signed, that msg' = <msg, t>, and before calling signing, add a validateMsg() function to check if msg' is well formed.

ibudisteanu commented 2 years ago

Thank you for taking your time to answer the question. If I understood correctly, this would only change the message to include the variable t. I think this option will not solve the question I was asking because it is not guaranteed that the <msg,t> is actually t as the signers could also say t+1, t+2 or whatever number they want. We were thinking of a feature like: knowing there are 3 signers: employee, secretary and chief. If there is only one signature, some features are unlocked. If there are two signatures, more features are unlocked. If all three signatures are present, all features are unlocked.

yycen commented 2 years ago

Not quite sure about your context, so there are 3 signers, and either 1, 2 or 3 signers could sign a message? For the setting of tss-lib, there are N parties jointly keygen on threshold t, and later you can only ask t+1 of the N parties to sign a message; an other value like t-1 signers would not be able to jointly produce a valid signature. It seems in your setting, you can run multiple keygen for like {employee, secretary}, {employee, secretary, chief}, etc. Each subset could run a k/k-1 threshold keygen and has its own public key. And later the signature could be identified by which subset (pubkey) signed the message.

ibudisteanu commented 2 years ago

Thanks again for your time. The are 2!*3 = 6 possibilities just if there are 3 signers.