Notes on Threshold EdDSA/Schnorr Signatures

Abstract: EdDSA is one of the signature schemes specified in the NIST Draft FIPS 186-5. As a Schnorr-style scheme, its signature makes an interesting linear combination of two secrets --- the signing key and a (pseudo)random secret nonce. Assuming both secrets are linearly secret-shared, it is easy to obtain a signature in a threshold manner, i.e., without reconstructing the key. However, the secret-sharing of the nonce gives rise to various approaches, which, absent proper consideration, can be insecurely instantiated (allowing key recovery or forgeries). This presentation will overview some notes on conventional EdDSA/Schnorr, and on threshold signatures interchangeable with respect to the FIPS-specified EdDSA verification.

Joint work (NIST IR 8214B) with Michael Davidson

Suggested reading: NIST IR 8214 ipd (initial public draft)