From: Erik Aronesty <erik@q32.com>
Date: Tue, 11 Sep 2018 13:37:59 -0400
To: Gregory Maxwell <greg@xiph.org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP
Message-ID: <CAJowKgK9UdavrGnKum43dx+DXe+LakHXuVU6bNhMFtEoy2U3Og@mail.gmail.com>
In-Reply-To: <CAAS2fgQOb4UJBkH=pMre=tsbAUmMNYx=4jkBawX4Rc_dKcpwZg@mail.gmail.com>

- MuSig, by being M of M, is inherently prone to loss.

- Having the senders of the G*x pubkey shares sign their messages with the
associated private key share should be sufficient to prevent them from using
Wagner's algorithm to attack the combined key. Likewise, the G*k nonce
fragments should also be signed with the pubkey shares.

On Tue, Sep 11, 2018 at 1:27 PM Gregory Maxwell <greg@xiph.org> wrote:
> On Tue, Sep 11, 2018 at 5:20 PM Erik Aronesty <erik@q32.com> wrote:
> > The security advantages of a redistributable threshold system are huge.
> > If a system isn't redistributable, then a single lost or compromised key
> > results in lost coins... meaning the system is essentially unusable.
> >
> > I'm actually worried that Bitcoin releases a multisig that encourages
> > loss.
>
> There is no "non-redistributable multisig" proposed for Bitcoin
> anywhere that I am aware of.
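As an added example that is not part of this thread or of any MuSig implementation: the proof-of-possession check described in the message above (each sender signs its own G*x share under the matching private share, and the aggregator refuses any share that lacks such a signature), over a constructed pure-Python secp256k1 with a deterministic Schnorr nonce. The last function shows the failure mode the check is meant to stop: a share derived from another party's share, whose discrete log the submitter does not know, cannot carry a valid proof and is rejected. All function names are the example's own.

```python
import hashlib, secrets

# secp256k1 parameters with toy affine arithmetic (constructed for illustration only)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def H(*parts):  # hash arbitrary parts to a scalar mod N
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def keygen():  # private share x and public share G*x
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def sign(x, msg):  # Schnorr: s = k + H(R, msg) * x, nonce k derived from the secret
    k = H("nonce", x, msg)
    R = ec_mul(k, G)
    return R, (k + H(R, msg) * x) % N

def verify(pub, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(R, msg), pub))

def aggregate(shares):  # shares: [(pub, pop)]; pop is pub signed under its own private share
    agg = None
    for pub, pop in shares:
        if not verify(pub, ("pop", pub), pop):
            raise ValueError("share without valid proof of possession")
        agg = ec_add(agg, pub)
    return agg

def rogue_share_rejected():  # a share whose discrete log is unknown cannot carry a valid pop
    (xa, pa), (xb, pb) = keygen(), keygen()
    rogue = ec_add(pb, (pa[0], P - pa[1]))  # pb - pa: would cancel pa out of the aggregate
    try: aggregate([(pa, sign(xa, ("pop", pa))), (rogue, sign(xb, ("pop", rogue)))])
    except ValueError: return True
    return False
```

The same check applies unchanged to the G*k nonce fragments the message mentions: require each fragment to be signed under the sender's private share before accepting it.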