author: Erik Aronesty <erik@q32.com> 2020-02-24 10:30:54 -0500
committer: bitcoindev <bitcoindev@gnusha.org> 2020-02-24 15:31:11 +0000
commit: 2d34df5d5b808008742f5474ae3e7937757db1a8
tree: 3fb98f89c5c1efc7a903f68d51ad1f1473a611a2
parent: 5be0136b055855c9079bec25e78daa07d60d7a23
Re: [bitcoin-dev] Composable MuSig
-rw-r--r-- 5c/db15df88f734f02ca71948ce710dc81856fdb9 115
1 files changed, 115 insertions, 0 deletions
diff --git a/5c/db15df88f734f02ca71948ce710dc81856fdb9 b/5c/db15df88f734f02ca71948ce710dc81856fdb9
new file mode 100644
index 000000000..774ac77e2
--- /dev/null
+++ b/5c/db15df88f734f02ca71948ce710dc81856fdb9
@@ -0,0 +1,115 @@
+Return-Path: <earonesty@gmail.com>
+Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
+ by lists.linuxfoundation.org (Postfix) with ESMTP id 7AB83C0177
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Mon, 24 Feb 2020 15:31:11 +0000 (UTC)
+Received: from localhost (localhost [127.0.0.1])
+ by fraxinus.osuosl.org (Postfix) with ESMTP id 62ED585C9F
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Mon, 24 Feb 2020 15:31:11 +0000 (UTC)
+X-Virus-Scanned: amavisd-new at osuosl.org
+Received: from fraxinus.osuosl.org ([127.0.0.1])
+ by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id 311WEIBvbYV9
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Mon, 24 Feb 2020 15:31:07 +0000 (UTC)
+X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
+Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com
+ [209.85.210.50])
+ by fraxinus.osuosl.org (Postfix) with ESMTPS id EEB9C85C4F
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Mon, 24 Feb 2020 15:31:06 +0000 (UTC)
+Received: by mail-ot1-f50.google.com with SMTP id 66so9026187otd.9
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Mon, 24 Feb 2020 07:31:06 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=q32-com.20150623.gappssmtp.com; s=20150623;
+ h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
+ bh=Rtc7KoR6eO2E2UL1N+46bzOyp3pgwH0ibnhJ1llav1k=;
+ b=Xh6eJGXodsMff1hhd27NPNuQFZv4vZEg27vbmYO1BO4IKnsGph9KxyZEIkQSu5cnid
+ F2gjE+x2oCzsfmzXAu0qa6UPA/oUv0RM86s23+Pwnw1KY+/+rMWwYskTQ2vTFRxQzPpS
+ nF7VifjevrmPWmq4pi44OuK8Dr/DMn2r30qI0XGZrkj5Y/cDAhvq61J55jSqdgFyBBuL
+ U/UxqV0RusOxJ+BFODj1QiZbuVAIOQThu0lA3rjBJWobPJt2pXkr2IKKFjf0Mt646Ush
+ FI5gtrFBZ+4uOO2FyuN0/RLzpiA5NliAlfFteNmkjUC3YR51EAs2VPQGyP67KVsgz62+
+ nG9g==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:mime-version:references:in-reply-to:from:date
+ :message-id:subject:to;
+ bh=Rtc7KoR6eO2E2UL1N+46bzOyp3pgwH0ibnhJ1llav1k=;
+ b=Va4JWY2hcvfK+PgcclsU7ImLNMj2RU8+ZfHqoILJpqwDFAsqCt4bCaZQBVCMTY67ek
+ r6FfGbTkdgLyL7LyBmPQDoGvO9A+F+gEaHiNLj3q1lbeI7gNice5BZRmfIcj4FFRyyZv
+ u0gqMkW//PVzQDPkyyozQZElUZwP40W/az6tVv+gf0uP2T6fEeiPhHb8m9mPVeCzQR6E
+ lZKs6h2EQXoAc1Rh1+J/WRTkBnZcYkbtDNWxl9uJSMRTh55nsKcSJKIeWc2ioTo1QjB8
+ o/jg7Hp6eMmlt3B4YmWgD8IG+7pzUFQhVJClegjlAlHw7BDHECa5419LYnovUexE6hYX
+ g/XQ==
+X-Gm-Message-State: APjAAAVVtjzlsvU1XttkX3/evR6gm9fXbPUOzUScQmlXh09LXa1PglQn
+ UrMB7tqfnWNsVtAd1vy6uypIYOQE+3jY/WkIPhWTapQ=
+X-Google-Smtp-Source: APXvYqwsM6lnr4pkCyPovT2LYDu2tjpiz9kbEmaUaKvE1vcnI8mNKRUayApX3QTjQ1Sgz5cREX1tRZn2Q9xAfd3WJgk=
+X-Received: by 2002:a9d:7c9a:: with SMTP id q26mr43114357otn.206.1582558265986;
+ Mon, 24 Feb 2020 07:31:05 -0800 (PST)
+MIME-Version: 1.0
+References: <u1IeyK5A7zyklXzl26UpCliJrFEsDp5SXUGbtXGBCrEWw6Wi7vNcoy4HNv2WXUTG_SBuMURDLhvh3YCwL2r53rL0Yj19TZpumYFD5WqmYL8=@protonmail.com>
+ <CAJowKgJP7FgF1KWOg4Wn=D4CjBgoE-ZYXv8LnfbVfh62ZNG5kQ@mail.gmail.com>
+ <30bdd65dc943f698c0970ca51bfb4dfb406ea7b8.camel@timruffing.de>
+In-Reply-To: <30bdd65dc943f698c0970ca51bfb4dfb406ea7b8.camel@timruffing.de>
+From: Erik Aronesty <erik@q32.com>
+Date: Mon, 24 Feb 2020 10:30:54 -0500
+Message-ID: <CAJowKgJSaDUGM-X7U-eaaCSCSr6x0s+Z5U=Tt3Bt4J1D7SSnnA@mail.gmail.com>
+To: Tim Ruffing <crypto@timruffing.de>,
+ Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
+Content-Type: text/plain; charset="UTF-8"
+X-Mailman-Approved-At: Mon, 24 Feb 2020 15:44:11 +0000
+Subject: Re: [bitcoin-dev] Composable MuSig
+X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
+X-Mailman-Version: 2.1.15
+Precedence: list
+List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
+List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
+List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
+List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
+List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
+List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
+X-List-Received-Date: Mon, 24 Feb 2020 15:31:11 -0000
+
+Basically just some mechanism for preventing repeated signings of the
+same message, and using a "validity" time window so that the amount of
+state you need to enquire about isn't unbounded.
+
+The Drijvers, et al paper is specifically concerned with parallel and
+aborted signings, where ksums can be used. In general, the more
+variables that an attacker can control ,the more "k" lists they can
+form, and the more likely they can find collisions.
+
+If signers refused to sign "stale" messages, refused to sign in
+parallel beyond a certain limit, and refused to sign the same message
+twice, it should help reduce the attack surface.
+
+On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev
+<bitcoin-dev@lists.linuxfoundation.org> wrote:
+>
+> On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
+> > > Thus, two-phase MuSig is potentially unsafe.
+> > > https://eprint.iacr.org/2018/417.pdf describes the argument.
+> >
+> > One solution is to add a signature timeout to the message (say a
+> > block height) .
+> >
+> > A participant refuses to sign if that time is too far in the future,
+> > or is at all in the past, or if a message M is the same as any
+> > previous message within that time window.
+> >
+> > Seems to resolve the attacks on 2 round musig.
+>
+> I don't understand this. Can you elaborate?
+>
+> Best,
+> Tim
+>
+> _______________________________________________
+> bitcoin-dev mailing list
+> bitcoin-dev@lists.linuxfoundation.org
+> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
+
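Review bot: The signer rules in the reply body (the three paragraphs ahead of the quoted thread) are not specified tightly enough to implement: the parallel-signing bound is only "a certain limit", the length of the "validity" time window is not given, and nothing says where the record of already-signed messages is kept or whether it survives a signer restart inside the window, which "refused to sign the same message twice" depends on. A follow-up should give the window in concrete units (the quoted earlier post suggests a block height), name the bound, and state the persistence requirement. The reply also says the rules "should help reduce the attack surface" while the quoted post says the timeout "Seems to resolve the attacks on 2 round musig"; it should say which claim is intended, and define "ksums", which is used without explanation.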