Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id CD40CC0032 for ; Mon, 24 Jul 2023 14:40:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 9A56D81ED2 for ; Mon, 24 Jul 2023 14:40:22 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9A56D81ED2 Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=q32-com.20221208.gappssmtp.com header.i=@q32-com.20221208.gappssmtp.com header.a=rsa-sha256 header.s=20221208 header.b=2R9NmIZN X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.399 X-Spam-Level: X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gbaml9tNY81 for ; Mon, 24 Jul 2023 14:40:21 +0000 (UTC) Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) by smtp1.osuosl.org (Postfix) with ESMTPS id 8737581A9C for ; Mon, 24 Jul 2023 14:40:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8737581A9C Received: by mail-oi1-x233.google.com with SMTP id 5614622812f47-3a48ae22bb7so284757b6e.0 for ; Mon, 24 Jul 2023 07:40:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20221208.gappssmtp.com; s=20221208; t=1690209620; x=1690814420; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=h4tElREw55X7jiqoTrcjvuErYK2bDmvqzkVoNobOZLQ=; b=2R9NmIZNd74Sj3iFh5CL1y7CiaMv95yf/zL6zQQOWFRgiMng3eDWWU07ziWIL7Ixoh 3+fkI2YfqwlAoByN2nBnyV/Uoisf/lV40oDfcWRYA95RjQSMKAU68/ZaEObvkHGZMyjR GAe/+7C16PvWnmK6x6+O+6zfIp6PQzmXraExN3zrarcGlL/8csRgKvmbwyPx8YPiA6iR dCq4qGQtFZUk/8NPa4xHbwP2Bqt5wKa2sdbn1LaM/wLNdPDNiYxU78RD6UcKtDjyJwW7 jkBgPmTwVREjUCAD9aWHLVtydMq5RBXDuJOvMIZaMc/JblOwg2Wbcxa84LFGLKCB8ZfE AcHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690209620; x=1690814420; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=h4tElREw55X7jiqoTrcjvuErYK2bDmvqzkVoNobOZLQ=; b=TswVtjeFTxyqWtAMN9dz5DXM9DCKuj8jvB8KbAzFSsxrHQ1u+hny74uhQQF/HSc2PL zLh3IGquKvovWKdtkvabq7B8RUkrbQGV54Li3bN2Rp6FMNMETG4mMsopQ4WqCzUNL8Nr iKpRib0t9f55rltS1mciBhoIeyUXc7cJ/HrqXX9DaT9qCs3ppf2/B/47c7lHTvpgm55s J1CYylvRRgQ3L87UebgmFSjDC6PKpnvmnPDVMl+XN4yCSTIBkKwui3yYl2XBduqQj74d nC2mDxpt7O3SVjWa7iMCivKAVUcHMGVKbH+EJ54USbyxmILOzbTZZCst9RNKs8WlYj9g uQMw== X-Gm-Message-State: ABy/qLZkCVbRPFd4Cx2RFVCFnPHj+qcSHYM8g/oCV8+kjvUacXHwXmH4 uVUackTCfPB0GF21N4VRxUAXXyHGUXbZQTcVig323csUCC4e X-Google-Smtp-Source: APBJJlHHYyINt0nrhoOoj0mJpKCCClTzLfYwUfSMVHOPr5pocAS43qUD6ATfBYH4eH/sqGt7YfsZvxh6VEA2O5A08cE= X-Received: by 2002:a05:6808:2082:b0:3a3:a8d3:e01 with SMTP id s2-20020a056808208200b003a3a8d30e01mr8925639oiw.3.1690209620378; Mon, 24 Jul 2023 07:40:20 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Erik Aronesty Date: Mon, 24 Jul 2023 10:40:10 -0400 Message-ID: To: Jonas Nick , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000004c78b06013c987a" X-Mailman-Approved-At: Mon, 24 Jul 2023 15:24:23 +0000 Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2023 14:40:22 -0000 --00000000000004c78b06013c987a Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable You can't choose R if you provide posk On Mon, Jul 24, 2023 at 10:31=E2=80=AFAM Jonas Nick via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Hi Tom, > > I'm not convinced that this works. As far as I know blind musig is still > an open > research problem. What the scheme you propose appears to try to prevent i= s > that > the server signs K times, but the client ends up with K+1 Schnorr > signatures for > the aggregate of the server's and the clients key. I think it's possible = to > apply a variant of the attack that makes MuSig1 insecure if the nonce > commitment > round was skipped or if the message isn't determined before sending the > nonce. > Here's how a malicious client would do that: > > - Obtain K R-values R1[0], ..., R1[K-1] from the server > - Let > R[i] :=3D R1[i] + R2[i] for all i <=3D K-1 > R[K] :=3D R1[0] + ... + R1[K-1] > c[i] :=3D H(X, R[i], m[i]) for all i <=3D K. > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > c[0] + ... + c[K-1] =3D c[K]. > - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1]. > - Let > s[K] =3D s[0] + ... + s[K-1]. > Then (s[K], R[K]) is a valid signature from the server, since > s[K]*G =3D R[K] + c[K]*a1*X1, > which the client can complete to a signature for public key X. > > What may work in your case is the following scheme: > - Client sends commitment to the public key X2, nonce R2 and message m to > the > server. > - Server replies with nonce R1 =3D k1*G > - Client sends c to the server and proves in zero knowledge that c =3D > SHA256(X1 + X2, R1 + R2, m). > - Server replies with s1 =3D k1 + c*x1 > > However, this is just some quick intuition and I'm not sure if this > actually > works, but maybe worth exploring. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000004c78b06013c987a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
You can't choose R if you provide posk

On Mon, Jul 24, = 2023 at 10:31=E2=80=AFAM Jonas Nick via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org= > wrote:
= Hi Tom,

I'm not convinced that this works. As far as I know blind musig is stil= l an open
research problem. What the scheme you propose appears to try to prevent is = that
the server signs K times, but the client ends up with K+1 Schnorr signature= s for
the aggregate of the server's and the clients key. I think it's pos= sible to
apply a variant of the attack that makes MuSig1 insecure if the nonce commi= tment
round was skipped or if the message isn't determined before sending the= nonce.
Here's how a malicious client would do that:

- Obtain K R-values R1[0], ..., R1[K-1] from the server
- Let
=C2=A0 =C2=A0 =C2=A0R[i] :=3D R1[i] + R2[i] for all i <=3D K-1
=C2=A0 =C2=A0 =C2=A0R[K] :=3D R1[0] + ... + R1[K-1]
=C2=A0 =C2=A0 =C2=A0c[i] :=3D H(X, R[i], m[i]) for all i <=3D K.
=C2=A0 =C2=A0Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such = that
=C2=A0 =C2=A0 =C2=A0c[0] + ... + c[K-1] =3D c[K].
- Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].
- Let
=C2=A0 =C2=A0 =C2=A0s[K] =3D s[0] + ... + s[K-1].
=C2=A0 =C2=A0Then (s[K], R[K]) is a valid signature from the server, since<= br> =C2=A0 =C2=A0 =C2=A0s[K]*G =3D R[K] + c[K]*a1*X1,
=C2=A0 =C2=A0which the client can complete to a signature for public key X.=

What may work in your case is the following scheme:
- Client sends commitment to the public key X2, nonce R2 and message m to t= he
=C2=A0 =C2=A0server.
- Server replies with nonce R1 =3D k1*G
- Client sends c to the server and proves in zero knowledge that c =3D
=C2=A0 =C2=A0SHA256(X1 + X2, R1 + R2, m).
- Server replies with s1 =3D k1 + c*x1

However, this is just some quick intuition and I'm not sure if this act= ually
works, but maybe worth exploring.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000004c78b06013c987a--