author | Adam Back <adam.back@gmail.com> | 2018-07-11 11:35:08 +0100 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2018-07-11 10:35:22 +0000 |
commit | ec76796a7964a86391952ac92e16f270bc3f1b6c (patch) | |
tree | 22abae5e18f085b32b6653f133f03ce9a6e805cd | |
parent | e53f4f3a3f082b47d3950611cd26f4575a4164b8 (diff) | |
download | pi-bitcoindev-ec76796a7964a86391952ac92e16f270bc3f1b6c.tar.gz pi-bitcoindev-ec76796a7964a86391952ac92e16f270bc3f1b6c.zip |
Re: [bitcoin-dev] Multiparty signatures
-rw-r--r-- | bd/cc5cdd8e8a868b5d6c2a70a9a08f59a34e5220 | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/bd/cc5cdd8e8a868b5d6c2a70a9a08f59a34e5220 b/bd/cc5cdd8e8a868b5d6c2a70a9a08f59a34e5220 new file mode 100644 index 000000000..eee6afd50 --- /dev/null +++ b/bd/cc5cdd8e8a868b5d6c2a70a9a08f59a34e5220 
@@ -0,0 +1,135 @@ +Return-Path: <adam.back@gmail.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id 09A61D28 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 11 Jul 2018 10:35:22 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-oi0-f44.google.com (mail-oi0-f44.google.com + [209.85.218.44]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9BEAF334 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 11 Jul 2018 10:35:21 +0000 (UTC) +Received: by mail-oi0-f44.google.com with SMTP id k81-v6so48333027oib.4 + for <bitcoin-dev@lists.linuxfoundation.org>; + Wed, 11 Jul 2018 03:35:21 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=mime-version:references:in-reply-to:reply-to:from:date:message-id + :subject:to:cc; + bh=UnyKHb/7T1e9sbllKsd+Ur8a340qDrZUM22k8luAqs0=; + b=aTbP8CtdYJPFH1Zh9y7a8YPY9WfGo2f7grEupaWzj3EnslXlaXFgOqkfpoRLr+qDSt + qyqjRLCZRrSW/YIQdSix8Z0Q4oElPMk3viqhXxF6lr0K6OEoFB58eaBymfQMi9HvrC3I + p/5pWflwSwNu/BkE098K6wx+YOZi9vo6qoV+rL6jNQLjfS1xSJjnDJ+OtGxbrmF2VFcu + XzyyZ4D9dFktwKTCb9t6aXlc63nOTF9LndScAu5D+4e1d2PDDM8fMtI9JeenChrKqQ8/ + aOsGjXXYW0O3QrUqtb5GuK+jsRTysVhK+giAFpxRhBQQSO9AEEWaqiVSDfwLxGS5N4wZ + AvdA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:mime-version:references:in-reply-to:reply-to + :from:date:message-id:subject:to:cc; + bh=UnyKHb/7T1e9sbllKsd+Ur8a340qDrZUM22k8luAqs0=; + b=G72OuJBHuZTy/3VFhUos1xsjuBtY9zpHIcdigSKprtqO0HPdmUCM+ttjB7MrVkC/oz + bqB6QSinqF/PgAbYMbG4gR0NFqMWHALHHPCA9qAJaBIOBtDjmTg5gDcxTxxlVgmnaQ23 + +V9+wAQ/x6kh1vCUdKOL2UV1HGgAKSODaxfVqR1DsPds5F3I01DazZXmeHPGt+d/j5Nr + JeHVrDDIVBcpVTYRho25feLN/iOnJXX30Rl3EPuqlaC9171YxMMazrFIo4nP+1HXeOLd + 8eI7iC6O/W6KK+frsOaDIvFATy/GLAhNeiBmJlVMeqIS8+VohS6/VRQ0Q27XwqLIHauk + cx1Q== +X-Gm-Message-State: 
APt69E0oK9SwmEm5xruKMWWg5L34fHRFUQI34QBBLdjfWwkxycyOQWCm + akr8P6Tr8RN51is8PJLpCpllHDlW55BCFuB4WG8= +X-Google-Smtp-Source: AAOMgpe/dEfJJKSZfwvDf0xI1gczh0RpRCVHZghK/am6IuSdMHY3Y3/m7ww7O7rMYo37g0sH/U/NVOANbXJX80ii39g= +X-Received: by 2002:aca:a982:: with SMTP id + s124-v6mr32154717oie.80.1531305320844; + Wed, 11 Jul 2018 03:35:20 -0700 (PDT) +MIME-Version: 1.0 +References: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com> + <08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de> + <CAAS2fgSPUc7xRq36rZ9BVLjUTdd152Fgho4sjJXLhfrc71vPMw@mail.gmail.com> + <CAJowKgL-nRcruXhWdGWrT4x+oV7i3jYST2Wa3bF5m6iT_mOyMw@mail.gmail.com> + <CAPg+sBjdu4mnda-P0y7Ddu-rN7a1GiUt0hY_wYGsy_bJLKOYMA@mail.gmail.com> + <CAJowKgLSQZ1LrZayDi7EFc-NSfK_AD+zBdyaF7jBeQRP7tOwYQ@mail.gmail.com> + <CAPg+sBizrx20XShpeZRvZd4bfq1=E+MFUDmSC9X-xK1CSbV5kQ@mail.gmail.com> + <CAJowKg+=7nS4gNmtc8a4-2cu1uCOPqxjfchFwDVqUciKNMUYWQ@mail.gmail.com> + <CAJowKgJ3K=wmCEtoZXJZhrnnA8XJcHYg788KP+7MCeP4Mxf-0w@mail.gmail.com> + <CAAS2fgSmA02s6Vdk_FYv6NJ4smLBgxnuT4jRYU44G7=bbzv2MA@mail.gmail.com> + <CAJowKgJjQ8EGgbCurOSjTh8ij42_BVeD6dE0y67tzN0Zop3pyg@mail.gmail.com> + <CAAS2fgRrkzq6Fa5T_-YDwLDkwi30LpDtMObMEBE+Fmmj0LJpBw@mail.gmail.com> + <CAJowKgL0b3RT7XwRTF+ohoJCyZAW-ZJ+-8Lijj_s1rqqxgU7VQ@mail.gmail.com> + <CAJowKg+UaMsY_nL6SBfb20Ltki+LdhXOwwvG_mAsUq_ww3Tesg@mail.gmail.com> +In-Reply-To: <CAJowKg+UaMsY_nL6SBfb20Ltki+LdhXOwwvG_mAsUq_ww3Tesg@mail.gmail.com> +Reply-To: adam@cypherspace.org +From: Adam Back <adam.back@gmail.com> +Date: Wed, 11 Jul 2018 11:35:08 +0100 +Message-ID: <CALqxMTHYaspkn8JupaHBeLDxLOfZbnwcne2AVeFZe2ADOefktA@mail.gmail.com> +To: Erik Aronesty <erik@q32.com>, + Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org> +Content-Type: multipart/alternative; boundary="000000000000b1147a0570b6cd6b" +X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, + RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +Subject: Re: [bitcoin-dev] Multiparty signatures +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Wed, 11 Jul 2018 10:35:22 -0000 + +--000000000000b1147a0570b6cd6b +Content-Type: text/plain; charset="UTF-8" + +On Wed, Jul 11, 2018, 02:42 Erik Aronesty via bitcoin-dev < +bitcoin-dev@lists.linuxfoundation.org> wrote: +> Basically you're just replacing addition with interpolation everywhere in +the musig construction + +Yes, but you can't do that without a delinearization mechanism to prevent +adaptive public key choice being used to break the scheme using Wagner's +attack. It is not specific to addition, it is a generalized birthday attack. + +Look at the delinearization mechanism for an intuition, all public keys are +hashed along with per value hash, so that pre-commits and forces the public +keys to be non-adaptively chosen. + +Adaptively chosen public keys are dangerous and simple to exploit for +example pub keys A+B, add party C' he chooses C=C'-A-B, now we can sign for +A+B+C using adaptively chose public key C. 
+ +Btw Wagner also breaks this earlier delinearization scheme +S=H(A)*A+H(B)*B+H(C)*C + +Adam + +--000000000000b1147a0570b6cd6b +Content-Type: text/html; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +<div dir=3D"auto"><div dir=3D"ltr" style=3D"font-family:sans-serif">On Wed,= + Jul 11, 2018, 02:42 Erik Aronesty via bitcoin-dev <<a href=3D"mailto:bi= +tcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org<= +/a>> wrote:<br></div><span style=3D"font-family:sans-serif">> Basical= +ly you're just replacing addition with interpolation everywhere in the = +musig construction</span>=C2=A0<div dir=3D"auto"><br></div><div dir=3D"auto= +">Yes, but you can't do that without a delinearization mechanism to pre= +vent adaptive public key choice being used to break the scheme using Wagner= +'s attack. It is not specific to addition, it is a generalized birthday= + attack.</div><div dir=3D"auto"><br></div><div dir=3D"auto">Look at the del= +inearization mechanism for an intuition, all public keys are hashed along w= +ith per value hash, so that pre-commits and forces the public keys to be no= +n-adaptively chosen.=C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"aut= +o">Adaptively chosen public keys are dangerous and simple to exploit for ex= +ample pub keys A+B, add party C' he chooses C=3DC'-A-B, now we can = +sign for A+B+C using adaptively chose public key C.</div><div dir=3D"auto">= +<br></div><div dir=3D"auto">Btw Wagner also breaks this earlier delineariza= +tion scheme S=3DH(A)*A+H(B)*B+H(C)*C</div><div dir=3D"auto"><br></div><div = +dir=3D"auto">Adam</div></div> + +--000000000000b1147a0570b6cd6b-- + |
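Review bot: The rogue-key example in the text/plain body ("pub keys A+B, add party C' he chooses C=C'-A-B") leaves out the step that makes it an attack: with that choice the aggregate A+B+C equals C', so the party who chose C' can sign for the whole group alone, without A or B taking part. Stating that sum explicitly would make the sentence self-contained, and "adaptively chose public key C" should read "adaptively chosen". The closing line about S=H(A)*A+H(B)*B+H(C)*C would also be clearer if it said how that form differs from the mechanism described two paragraphs earlier, where all public keys are hashed along with a per-value hash, whereas here each coefficient hashes only its own key. The same wording is repeated in the quoted-printable text/html part, so any change applies to both copies.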