Expand description
Implementation of threshold BBS and BBS+ based on the paper Threshold BBS+ Signatures for Distributed Anonymous Credential Issuance The threshold signing protocol has 3 phases (not communication rounds) 1. This is the randomness generation phase 2. This is the phase where multiplications happen 3. Here the outputs of phases 1 and 2 and the messages to be signed are used to generate the signature.
Note that only 3rd phase requires the messages to be known so the first 2 phases can be treated as pre-computation
and can be done proactively. Secondly since the communication time among signers is most likely to be the bottleneck
in threshold signing, phase 1 and 2 support batching meaning that to generate n signatures only a single execution
of phase 1 and 2 needs to done, although with larger inputs. Then n executions of phase 3 are done to generate
the signature.
Also its assumed that parties have done the DKG as well as the base OT and stored their results.
Both BBS and BBS+ implementations share the same multiplication phase and the base OT phase but their phase 1 is slightly different.
Modules§
- Each pair of participants must run a base OT among themselves and stores the OT receiver choices and the output, i.e sender and receiver keys. This needs to be done only once unless they are lost or compromised.
- Generate 1 or more random numbers using commit-and-release coin tossing. Called F_com in the paper
- The multiplication phase of the threshold signing protocol of BBS and BBS+.
- Generate a secret sharing of 0. Does not use a trusted party or Shamir secret sharing. Called F_zero and described in section 3.1 in the paper