A two-party method can be used to generate a public key for elliptic-curve signing (such as ECDSA or EdDSA). This two-party approach can be used to generate a public key $Q$ without either party knowing the private key $x$. Here's how it works:

• Concept of Elliptic-Curve Keys: The private key $x$ corresponds to a public key $Q$, defined as $Q=x⋅G$, where $G$ is the generator of the elliptic-curve group.

• Objective: The goal is for party $1P1$ to hold a share $1x1$, and party $2P2$ to hold a share $2x2$, with the condition $2x=x1+x2$.

The Process of Two-Party Key Generation

• Initial Step: Each party independently selects a random value: $1P1$ chooses $1x1$ and computes $Q1=x1⋅G$, and $2P2$ chooses $2x2$ and computes $Q2=x2⋅G$.

• Exchange and Calculation: $1P1$ and $2P2$ exchange $1Q1$ and $2Q2$ respectively, and each then defines $2Q=Q1+Q2$. By elliptic-curve properties, $Q=(x1+x2)⋅G=x⋅G$, thus generating the public key without exposing $x$.

Addressing Security Concerns

• Problem with Initial Approach: If $2P2$ is corrupt, it could bias $Q$ by waiting for $1Q1$ from $1P1$ and then choosing $2Q2$ to manipulate $Q$.

• Solution - Commitment Scheme: To prevent this, $1P1$ sends a commitment to $1Q1$, essentially a cryptographic "envelope" that hides $1Q1$ but binds $1P1$ to it. After $2P2$ sends $2Q2$, $1P1$ reveals $1Q1$.

• Ensuring Randomness and Security: This method ensures that $1Q1$ and $2Q2$ are chosen independently. If one party is honest, the result is random and secure. Neither party knows $x$, as it's only additively shared between them.