Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id C8DC6C0032 for ; Wed, 26 Jul 2023 19:27:03 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 94FAA41E55 for ; Wed, 26 Jul 2023 19:27:03 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 94FAA41E55 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=fqxvrsvg X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0YHcL4Jj5N7 for ; Wed, 26 Jul 2023 19:27:02 +0000 (UTC) X-Greylist: delayed 429 seconds by postgrey-1.37 at util1.osuosl.org; Wed, 26 Jul 2023 19:27:02 UTC DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 41FC441E52 Received: from mail-4321.protonmail.ch (mail-4321.protonmail.ch [185.70.43.21]) by smtp4.osuosl.org (Postfix) with ESMTPS id 41FC441E52 for ; Wed, 26 Jul 2023 19:27:02 +0000 (UTC) Date: Wed, 26 Jul 2023 19:19:44 +0000 Authentication-Results: mail-4321.protonmail.ch; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.b="fqxvrsvg" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1690399190; x=1690658390; bh=nC5qu8x5v0IB8BI5Np//aoFvIm3jKHQ2niFoPJNCgXY=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=fqxvrsvgz4KjXnhuv0I7ZbKvWpHkICS58yghyjp/kcD7FJFgKYIdUDsZmrrJzkiZy 1JPm9vPAYFIgoZYMXPnJLOTc7tb5SAOzbs20clxz54T6ZsHn5PvjtMf7/O8G/rXJzJ SxoD6e2v+dfPukzi6FSnzYWref/flTWdYjF6p5CZLka1DM/bhr/PSMB7m4v18ASQMP R8owBPCZgDKvHpPKiGaO/H/pmLZUrWjI/1fEDxnK3xVN7zIn0VnSXI7TfDpGHs1b09 khnWcesrbceuoNGdh87xnJnH1Uskh1+MaaLP7X+LU61ak7mYwMZdd6EuPG7QRd12LA 8paluEne52GuA== To: moonsettler , Bitcoin Protocol Discussion From: AdamISZ Message-ID: In-Reply-To: References: Feedback-ID: 11565511:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Thu, 27 Jul 2023 00:19:01 +0000 Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2023 19:27:03 -0000 It's an interesting idea for a protocol. If I get it right, your basic idea= here is to kind of "shoehorn" in a 2FA authentication, and that the blind-= signing server has no other function than to check the 2FA? This makes it different from most uses of blind signing, where *counting* t= he number of signatures matters (hence 'one more forgery etc). Here, you ar= e just saying "I'll sign whatever the heck you like, as long as you're auth= orized with this 2FA procedure". Going to ignore the details of practically what that means - though I'm sur= e that's where most of the discussion would end up - but just looking at yo= ur protocol in the gist: It seems you're not checking K values against attacks, so for example this = would allow someone to extract the server's key from one signing: 1 Alice, after receiving K2, sets K1 =3D K1' - K2, where the secret key of = K1' is k1'. 2 Chooses b as normal, sends e' as normal. 3 Receiving s2, calculate s =3D s1 + s2 as normal. So since s =3D k + ex =3D (k' + bx) + ex =3D k' + e'x, and you know s, k' a= nd e', you can derive x. Then x2 =3D x - x1. (Gist I'm referring to: https://gist.github.com/moonsettler/05f5948291ba8db= a63a3985b786233bb) Sent with Proton Mail secure email. ------- Original Message ------- On Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev wrote: > Hi All, >=20 > I believe it's fairly simple to solve the blinding (sorry for the bastard= notation!): >=20 > Signing: >=20 > X =3D X1 + X2 > K1 =3D k1G > K2 =3D k2G >=20 > R =3D K1 + K2 + bX > e =3D hash(R||X||m) >=20 > e' =3D e + b > s =3D (k1 + e'*x1) + (k2 + e'*x2) > s =3D (k1 + k2 + b(x1 + x2)) + e(x1 + x2) >=20 > sG =3D (K1 + K2 + bX) + eX > sG =3D R + eX >=20 > Verification: >=20 > Rv =3D sG - eX > ev =3D hash(R||X||m) > e ?=3D ev >=20 > https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb >=20 > Been trying to get a review on this for a while, please let me know if I = got it wrong! >=20 > BR, > moonsettler >=20 >=20 > ------- Original Message ------- > On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev bitcoin= -dev@lists.linuxfoundation.org wrote: >=20 >=20 >=20 > > > Party 1 never learns the final value of (R,s1+s2) or m. > >=20 > > Actually, it seems like a blinding step is missing. Assume the server (= party 1) > > received some c during the signature protocol. Can't the server scan th= e > > blockchain for signatures, compute corresponding hashes c' =3D H(R||X||= m) as in > > signature verification and then check c =3D=3D c'? If true, then the se= rver has the > > preimage for the c received from the client, including m. > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >=20 > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev