by oleganza 4376 days ago
SSSS is worse than using OP_CHECKMULTISIG because one has to put all the secrets at once on a single machine to produce the final private key. If the machine is compromised, such a key can be stolen right away. Using a multisig script allows you to have several (possibly compromised) machines sign a transaction independently without ever producing any "master secret".

Here's my suggestion on how to use multisig with blinding so you can lock your bitcoins with N friends and have your financial privacy at the same time: http://oleganza.com/blind-ecdsa-draft-v2.pdf

Prototype for iOS (using my CoreBitcoin objc library): http://github.com/oleganza/blindsignaturedemo
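An added example, not from the thread and not oleganza's code: a minimal Shamir split/recover over an assumed 128-bit prime field. It shows the property the comment objects to, namely that `recover_secret` necessarily assembles the whole secret in memory on whichever machine runs it, while also showing that fewer than k shares reveal nothing useful.

```python
"""Shamir secret sharing over a prime field (constructed illustration)."""
from __future__ import annotations
import secrets

# Assumption: a 128-bit Mersenne prime field; any prime larger than the secret works.
PRIME = 2**127 - 1


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares; any k of them reconstruct it."""
    assert 0 <= secret < PRIME and 1 <= k <= n < PRIME
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the share polynomial at x = 0.

    This is the step the comment warns about: the process that runs it holds
    the full reconstructed key, however carefully the shares were stored.
    """
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+); den != 0 since x's differ.
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def demo() -> bool:
    """Constructed 2-of-3 split: any two shares recover the secret, one does not."""
    secret = 0xC0FFEE_BADF00D  # constructed sample value, not a real key
    shares = split_secret(secret, 2, 3)
    return (recover_secret(shares[:2]) == secret
            and recover_secret(shares[1:]) == secret
            and recover_secret(shares[:1]) != secret)
```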


Unfortunately, multisig forces you to use the blockchain. There are use cases where you don't want that. SSS, on the other hand, seems too complex to feed back through the ECDSA signing algorithm. In the link above they just use the factors of the private key to distribute as shared secrets. So, your private key cannot be a prime. But then again, ECDSA does not seem to require that from a private key. It's not that using a composite number would make it easier to work your way back to the discrete ECC logarithm ...
I was replying to your question on how to sign transactions. Multisig is the real and the best solution for this task. Maybe I don't understand the problem with "multisig forces you to use the blockchain". If you sign a bitcoin tx, then sure you need to get it on the blockchain. Or am I missing something?
Distributed signing is useful in other contexts too. It does not always have to be bitcoin-related ...