Return-Path: <moonsettler@protonmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 73F3DC0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 26 Jul 2023 09:45:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 491CC4038D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 26 Jul 2023 09:45:12 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 491CC4038D
Authentication-Results: smtp2.osuosl.org;
 dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
 header.a=rsa-sha256 header.s=protonmail3 header.b=CBNjx1sp
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level: 
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id A-UobSyZDMyY
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 26 Jul 2023 09:45:11 +0000 (UTC)
X-Greylist: delayed 36590 seconds by postgrey-1.37 at util1.osuosl.org;
 Wed, 26 Jul 2023 09:45:11 UTC
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4BD6B4012D
Received: from mail-0201.mail-europe.com (mail-0201.mail-europe.com
 [51.77.79.158])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 4BD6B4012D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 26 Jul 2023 09:45:11 +0000 (UTC)
Date: Wed, 26 Jul 2023 09:44:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1690364694; x=1690623894;
 bh=FpM2lWmFl3wmyupuiZXYKnRPeTnxRswB82Ie0zVtcIs=;
 h=Date:To:From:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=CBNjx1sp4Rvkk5+614w4Qm7ydwwfcXgieIvd4ADXFVwMPm8yoYgiJy4OZZPrFKiKR
 0PCOaT7k5BKtjobRNup9XHtQW7E3CkHpCl05Ldh8EWfhsOidBbXOVi9iU0rlLLkNy7
 xy72TUyEI1oYxQw4rO1ogu1EBKuntBfEcdwbJHiqvT1GxgvwFDH4uCsiZPJ5VcLA2d
 wFfRtW4Z69QTyrnEs+tQmib+zyipG4oZltqiy1DFdXt63cBf+QBNiOLSzvfg1iTaQJ
 IXJ8qQ9NW0ev0ED0ONXToo+GSVGpfWCmfiYoV4cGRScNkqlz4tbW2Un3pjYtf5nncT
 Xk+zHiI3fj7Xg==
To: "bitcoin-dev@lists.linuxfoundation.org"
 <bitcoin-dev@lists.linuxfoundation.org>
From: moonsettler <moonsettler@protonmail.com>
Message-ID: <O3LTbUbjNa3SLUfJzSKDNLBCIhED_6rdOcmgLpYB9byX6HBVg3BMu3hrvY37fH4SGL8th8oJaVV6_ogl_ZOA0qTXgENq8xqQNSRB-VsHem4=@protonmail.com>
In-Reply-To: <b770096c-e8c4-70f7-8cd7-d74c27181413@gmail.com>
References: <CAJvkSsc_rKneeVrLkTqXJDKcr+VQNBHVJyXVe=7PkkTZ+SruFQ@mail.gmail.com>
 <b770096c-e8c4-70f7-8cd7-d74c27181413@gmail.com>
Feedback-ID: 38540639:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Wed, 26 Jul 2023 14:32:46 +0000
Subject: [bitcoin-dev]  Blinded 2-party Musig2
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 09:45:12 -0000

Hi All,

I believe it's fairly simple to solve the blinding (sorry for the bastard n=
otation!):

Signing:

X =3D X1 + X2
K1 =3D k1G
K2 =3D k2G

R =3D K1 + K2 + bX
e =3D hash(R||X||m)

e' =3D e + b
s =3D (k1 + e'*x1) + (k2 + e'*x2)
s =3D (k1 + k2 + b(x1 + x2)) + e(x1 + x2)

sG =3D (K1 + K2 + bX) + eX
sG =3D R + eX

Verification:

Rv =3D sG - eX
ev =3D hash(R||X||m)
e ?=3D ev

https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb

Been trying to get a review on this for a while, please let me know if I go=
t it wrong!

BR,
moonsettler


------- Original Message -------
On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev <bitcoin-=
dev@lists.linuxfoundation.org> wrote:


> > Party 1 never learns the final value of (R,s1+s2) or m.
>=20
>=20
> Actually, it seems like a blinding step is missing. Assume the server (pa=
rty 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' =3D H(R||X||m)=
 as in
> signature verification and then check c =3D=3D c'? If true, then the serv=
er has the
> preimage for the c received from the client, including m.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev