ycen

You may need a one round signing scheme. For ecdsa, you could find gg20 branch that has such features, but in order to sign in one round, the parties needs...

The pre-parameters h1j, h2j, and NTildej are used in sigma PoK protocols, as to commit to private value x, h1^x * h2^r for random r. The prover should not know...

When you have pubkey, you can convert to address by base58 encoding of hash160(pubkey). The conversion process is detailed [here](https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses#How_to_create_Bitcoin_Address). You can use PubkeyToAddress() function in btcec package.

This PR could solve it. #167

Thanks for the update!

Do you mean child key derivation that keygen once and can later derive child keys? This feature in not in master branch now, you can chek [this](https://github.com/binance-chain/tss-lib/pull/140) for usage.

Yes, for N, h1, h2, you can use for another keygen, for the same set of parties.

As far as my knowledge, there are small difference in performance across different branches. The BobMid subroutine is called for every pair of participants. So it is better to keep...

The implementation is based on an internal document. It's quite simple, however strictly speaking it's not precisely align to the original EdDSA scheme.

What's the intention of the PR, or what's the usage? The user still need to input his u_i when running keygen.