Post ATNWLbP9ppwk0jq0Dg by Rucknium@pleroma.rucknium.me
(DIR) More posts by Rucknium@pleroma.rucknium.me
(DIR) Post #ATNWLaZkuwpVRJmx6G by chelseakomlo@mathstodon.xyz
2023-03-07T16:30:01Z
0 likes, 0 repeats
Who uses threshold cryptography and genuinely cares about indisintguishability from the single-party scheme? For example, that keys output from a distributed key generation protocol are from the same distribution as keys output from the target single-party key generation algorithm
(DIR) Post #ATNWLbP9ppwk0jq0Dg by Rucknium@pleroma.rucknium.me
2023-03-07T16:54:26.398509Z
0 likes, 0 repeats
@chelseakomlo Monero would probably prefer that threshold multisig and single signatures appear to be the same to reduce any kind of transaction fingerprinting.
(DIR) Post #ATNWLugAApq3mywLrc by chelseakomlo@mathstodon.xyz
2023-03-07T16:33:07Z
0 likes, 0 repeats
Theoreticians, I already know what you think :)
(DIR) Post #ATNaQJ4JpqvePIab0C by chelseakomlo@mathstodon.xyz
2023-03-07T17:06:53Z
0 likes, 0 repeats
@Rucknium In the setting where threshold signatures differ from single-party, one of the threshold signers must be acting maliciously. It then could trivially just output information that allows for transaction fingerprinting directly, no?
(DIR) Post #ATNaQK408WGjUbRr96 by Rucknium@pleroma.rucknium.me
2023-03-07T17:40:08.469604Z
0 likes, 0 repeats
@chelseakomlo Maybe I'm not understanding. Multisig transactions are used for escrow often. No potential signer is necessarily acting maliciously since that's not the Nash equilibrium to do so. Under conditions of real behavior, you don't necessarily have to design for every strategy, especially when an occasional non-equilibrium strategy in the wild would just cause a statistical dent in privacy rather than an all-or-nothing failure.In game theory, the mere existence of an option can influence the best strategy even if that option would never be taken by players.