You can always use a secure multiparty computation algorithm to do it. https://en.wikipedia.org/wiki/Secure_multi-party_computation But those aren't the fastest algorithms in the world, and usually both participants needs to be online at the same time. I guess most people would prefer a two-step algorithm that can be performed asynchronously. - Sent from my phone Den 8 mar 2014 18:44 skrev "Adam Back" : > Also the other limitation for ECDSA is that there is no known protocol to > create a signture with a+b (where keys P=aG, Q=bG, R=P+Q=(a+b)G). without > either a sending its private key to b or viceversa (or both to a third > party). > > With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a > (secure) > direct multiparty signature quite difficult. > > ps probably only 1 party needs to hash their key > > P=aG > H(P) -> > > <- Q=bG > > P -> > > Adam > > On Sat, Mar 08, 2014 at 12:37:30PM +0200, Joel Kaartinen wrote: > > If both parties insist on seeing a hash of the other party's public key > > before they'll show their own public key, they can be sure that the > > public key is not chosen based on the public key they themselves > > presented. > > > ------------------------------------------------------------------------------ > Subversion Kills Productivity. Get off Subversion & Make the Move to > Perforce. > With Perforce, you get hassle-free workflows. Merge that actually works. > Faster operations. Version large binaries. Built-in WAN optimization and > the > freedom to use Git, Perforce or both. Make the move to Perforce. > > http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development >