Avalanche Signatures

As pointed out in the ZenGo X group by Elichai, this scheme is insecure, because you can divide ${\alpha }_{122}$ by ${\alpha }_{\bullet 22}$ to recover $k_1$.

Parties $P_1,P_2$, holding shares $x_1,x_2$ of a private key $x_1+x_2$. Both parties know $X_1=x_1\cdot G$ and $X_2=x_2\cdot G$, as well as the public key $X=X_1+X_2$.

---

$P_1$

$k_1\stackrel{R}{\leftarrow }(\mathbb{Z}/(q){)}^{\ast }$

$K_1=\frac{1}{k_1}\cdot G$

$K_1⟶$

${\Pi }^{\text{SHR}}(K_1;1/k_1)⟶$

---

$P_2$

Check ${\Pi }^{\text{SHR}}(K_1)$.

$k_2\stackrel{R}{\leftarrow }(\mathbb{Z}/(q){)}^{\ast }$

$K_2=\frac{1}{k_2}\cdot G$

$R=\frac{1}{k_2}\cdot K_1$

$r=x(R)$

${\alpha }_{\bullet 22}=k_2(m+r{x}_2)$

$K_2⟶$

${\Pi }^{\text{SHR}}(K_2;1/k_2)⟶$

${\alpha }_{\bullet 22}⟶$

---

$P_1$

Check ${\Pi }^{\text{SHR}}(K_2)$.

$R=\frac{1}{k_1}\cdot K_2$

$r=x(R)$

${\alpha }_{\bullet 22}\cdot K_2\stackrel{?}{=}m\cdot G+r\cdot X_2$

${\alpha }_{1\bullet 1}=k_1(m+r{x}_1)$

${\alpha }_{122}=k_1{\alpha }_{\bullet 22}$

${\alpha }_{1\bullet 1},{\alpha }_{122}⟶$

---

$P_2$

${\alpha }_{1\bullet 1}\cdot K_1\stackrel{?}{=}m\cdot G+r\cdot X_1$

${\alpha }_{122}\cdot R\stackrel{?}{=}m\cdot G+r\cdot X_2$

${\alpha }_{121}=k_2{\alpha }_{1\bullet 1}$

${\alpha }_{121}⟶$

---

$P_1$

${\alpha }_{121}\cdot R\stackrel{?}{=}m\cdot G+r\cdot X_1$

---

Then ${\alpha }_{121}+{\alpha }_{122}=k_1{k}_2(2m+r(x_1+x_2))$. If you set $m=2^{-1}H(M)$, then this works out. This requires $2$ to have an inverse modulo the order of the subgroup, which is always the case.