author | Jonas Nick <jonasdnick@gmail.com> | 2023-07-26 14:59:42 +0000 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2023-07-26 14:59:50 +0000 |
commit | be0a17489e6451deba0e6e89f68312f1179bed56 (patch) | |
tree | 00e61e60e65962aba5927789320a0b30b3973495 | |
parent | 16ae6133ddf5db67652b49ce3f96593d96c2dcfd (diff) | |
Re: [bitcoin-dev] Blinded 2-party Musig2
-rw-r--r-- | 61/56c1d90d3520add9e6ac3c72cf8f380358c431 | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/61/56c1d90d3520add9e6ac3c72cf8f380358c431 b/61/56c1d90d3520add9e6ac3c72cf8f380358c431 new file mode 100644 index 000000000..9ff7b9a9f --- /dev/null +++ b/61/56c1d90d3520add9e6ac3c72cf8f380358c431 
@@ -0,0 +1,121 @@ +Return-Path: <jonasdnick@gmail.com> +Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) + by lists.linuxfoundation.org (Postfix) with ESMTP id 181FDC0032 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 26 Jul 2023 14:59:50 +0000 (UTC) +Received: from localhost (localhost [127.0.0.1]) + by smtp2.osuosl.org (Postfix) with ESMTP id DA40040135 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 26 Jul 2023 14:59:49 +0000 (UTC) +DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org DA40040135 +Authentication-Results: smtp2.osuosl.org; + dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com + header.a=rsa-sha256 header.s=20221208 header.b=SH7HH6qn +X-Virus-Scanned: amavisd-new at osuosl.org +X-Spam-Flag: NO +X-Spam-Score: -2.099 +X-Spam-Level: +X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 + tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, + DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, + RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] + autolearn=ham autolearn_force=no +Received: from smtp2.osuosl.org ([127.0.0.1]) + by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id DHYNww8msfTJ + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 26 Jul 2023 14:59:46 +0000 (UTC) +Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com + [IPv6:2a00:1450:4864:20::12c]) + by smtp2.osuosl.org (Postfix) with ESMTPS id 4B40C4174A + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 26 Jul 2023 14:59:46 +0000 (UTC) +DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4B40C4174A +Received: by mail-lf1-x12c.google.com with SMTP id + 2adb3069b0e04-4fddd4e942eso10332824e87.3 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 26 Jul 2023 07:59:46 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20221208; t=1690383584; x=1690988384; + h=content-transfer-encoding:in-reply-to:references:to + 
:content-language:subject:user-agent:mime-version:date:message-id + :from:from:to:cc:subject:date:message-id:reply-to; + bh=wBDal9jOYf73xnh4l7oi5gBacUeF7K7+kf5qTjlhoHM=; + b=SH7HH6qn0pc379bCdpO0+TyZMzI/r0fBBbJLXBw22Zuk9EcNI1X1lHfASve3kNcmkN + FHa1pQpPGj0P7Zs6XNP0MghKgQscvk3J/aPsCmhQwd8Fl6glroo7TmJFe4OfGZV580Sd + wybT/vxzYeREVh0YC8s/LBiVL0Wc1rh2zkE/eJOafCFz83W3b92ASFnjNttbh3uwGC9m + NTOLWPk+hF7OGXoCLea/fm9ovK1weqGLPZzyCgf++koN0pzPH/mPEO4+4NrOyjFi5egD + C16qf3HWJdcgiD6NZ7SJLvjRs61uUwOj7x34N6PTlT6cjcmKMxlyFdOJwxBjOiSSp0nn + hleA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20221208; t=1690383584; x=1690988384; + h=content-transfer-encoding:in-reply-to:references:to + :content-language:subject:user-agent:mime-version:date:message-id + :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; + bh=wBDal9jOYf73xnh4l7oi5gBacUeF7K7+kf5qTjlhoHM=; + b=aokzGwfQGtF2P6lNG3dGDYtJ8WdbuokTxCg6okCAMG70PzIgKNV5CdU2DRRPyilH5D + 4wjnudSsZM0KXHA9pmxYtt+e+61JwYVKDPEOHz1IFTI0wZiXm+2zh/zru8it8i5i3cE0 + BJyD/spWnXTzuKLrmIex5P+w0W7CsP5p5FgSiE+4nFDsNyLOGqUw2D3gndRxKkcku4p9 + 59B5fMKHwya6DktRkyjlAOMzVFCplMs0u1LY35K1pvl8jTblkoe0jQ/s6xhApu0qXgAG + /XjG6KllInsrvd+IyJiu+PszOQVeLTS1R+c1UKJg8QCRGcTW0rDtJxMSzvYVLVlBG3rx + Qg2w== +X-Gm-Message-State: ABy/qLYmGVsxLlYjjyCpluenK+vfspLVZRbFMyf6CX/0cJi69ur0EQp4 + zyaxhuXbMttpp4gtKw9wov4= +X-Google-Smtp-Source: APBJJlGAspCZtH1PgGrrz1mBqKJafA/W2vcueZSIuiGg6K0otoorXfs0ORFH1kltWSOEjcqxdhSYew== +X-Received: by 2002:a19:4f4b:0:b0:4fb:8bea:f5f6 with SMTP id + a11-20020a194f4b000000b004fb8beaf5f6mr1602536lfk.34.1690383583740; + Wed, 26 Jul 2023 07:59:43 -0700 (PDT) +Received: from [10.11.10.42] (p50879c84.dip0.t-ipconnect.de. 
[80.135.156.132]) + by smtp.googlemail.com with ESMTPSA id + w17-20020a05600c015100b003fbfef555d2sm2209492wmm.23.2023.07.26.07.59.43 + (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); + Wed, 26 Jul 2023 07:59:43 -0700 (PDT) +From: Jonas Nick <jonasdnick@gmail.com> +X-Google-Original-From: Jonas Nick <jonasd.nick@gmail.com> +Message-ID: <d1db8481-140b-a0b4-8c24-4486f8a1cab6@gmail.com> +Date: Wed, 26 Jul 2023 14:59:42 +0000 +MIME-Version: 1.0 +User-Agent: Mozilla Thunderbird +Content-Language: en-US +To: moonsettler <moonsettler@protonmail.com>, + Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> +References: <CAJvkSsc_rKneeVrLkTqXJDKcr+VQNBHVJyXVe=7PkkTZ+SruFQ@mail.gmail.com> + <b770096c-e8c4-70f7-8cd7-d74c27181413@gmail.com> + <O3LTbUbjNa3SLUfJzSKDNLBCIhED_6rdOcmgLpYB9byX6HBVg3BMu3hrvY37fH4SGL8th8oJaVV6_ogl_ZOA0qTXgENq8xqQNSRB-VsHem4=@protonmail.com> +In-Reply-To: <O3LTbUbjNa3SLUfJzSKDNLBCIhED_6rdOcmgLpYB9byX6HBVg3BMu3hrvY37fH4SGL8th8oJaVV6_ogl_ZOA0qTXgENq8xqQNSRB-VsHem4=@protonmail.com> +Content-Type: text/plain; charset=UTF-8; format=flowed +Content-Transfer-Encoding: 7bit +X-Mailman-Approved-At: Wed, 26 Jul 2023 15:34:47 +0000 +Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.15 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Wed, 26 Jul 2023 14:59:50 -0000 + +While 
this may solve blinding, I don't see how it solves the problem that the +client can forge signatures because the client is in control of challenge e'. +This is not special to MuSig(2), but is also the reason why original blind +Schnorr signatures are insecure (as demonstrated in David Wagner's "A +Generalized Birthday Problem" paper). + +For some more recent work on blind Schnorr signatures, see: +- https://eprint.iacr.org/2019/877.pdf Blind Schnorr Signatures and Signed + ElGamal Encryption in the Algebraic Group Mode +- https://eprint.iacr.org/2020/1071.pdf On Pairing-Free Blind Signature Schemes + in the Algebraic Group Model + +In particular, the first paper proposes a less-efficient variant of blind +Schnorr signatures that is secure under concurrent signing if the "mROS" problem +is hard (which is imho plausible). Another potential approach is using +commitments and a ZKP as I mentioned earlier in this thread. This scheme is +"folklore", in the sense that it is being discussed from time to time but isn't +specified and does not have a security proof as far as I am aware. + |
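Review bot: the archived message is committed with its full transport header chain, and the innermost Received line (`from [10.11.10.42] (p50879c84.dip0.t-ipconnect.de. [80.135.156.132])`) publishes the sender's private LAN address and ISP-assigned public address in a public repository. Consider dropping or redacting that submission-hop Received line at import time. The `h=` list in the DKIM-Signature header covers from, to, subject, date, message-id, references and in-reply-to but not Received, so removing Received lines leaves the signed headers intact and the message still verifiable and threadable. The spam-scoring and amavisd headers (X-Spam-*, X-Virus-Scanned) describe the list server's filtering rather than the message and could be dropped by the same import filter.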