The two-party protocol for Schnorr/EdDSA signing is designed for enhanced security in elliptic-curve cryptography. Here's how it functions:

• Schnorr Signing Algorithm:

  1. A random $k$ is chosen, and $R=k⋅G$ is computed.

  2. The hash $e=H(m∥R)$ is calculated.

  3. The signature component $s=k+e⋅xmodq$ is computed.

  4. The signature is output as a pair $(e,s)$.

• Two-Party Computation of Schnorr:

  • Key Generation: As in ECDSA, parties hold random $1x1$ and $2x2$, with the public key $Q=(x1+x2)⋅G$.

  • Signature Process: Each party selects random $2k1,k2$ and exchanges $R1=k1⋅G$ and $R2=k2⋅G$. They then define $R=R1+R2$ and locally compute $e=H(m∥R)$.

  • Final Signature Calculation:

    • $1P1$ calculates $s1=k1+e⋅x1$.

    • $2P2$ calculates $s2=k2+e⋅x2$.

    • The final signature $s$ is $2s1+s2$, satisfying the Schnorr equation.

• EdDSA Key Generation Challenges:

  • In EdDSA, the key $x$ is derived by hashing it with SHA-512, and the result is split into two parts: one for the secret key and the other for a Pseudorandom Function (PRF).

  • For compatibility with EdDSA keys, a secure computation protocol for SHA-512 can be used.

  • However, for simplicity and security, $x$ is currently generated directly in MPC.

Considerations and Security Implications

• Security in Two-Party Computation: The protocol ensures that neither party knows the full private key or the nonce $k$, maintaining robust security.

• Implementation Subtleties: While the core ideas are straightforward, careful implementation is required to ensure security and compatibility.