Date: Mon, 02 Dec 2019 02:05:01 +0000
To: Lloyd Fournier <lloyd.fourn@gmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <tvK5ZI4GmQzBkGfcYFOaUI4kgLBv7N615LV-yvyUOeYU49Ig2krXbyPOrTSwiiYNZpPYNv6GtLrSRTQf_MRwqmYeXY1VTLzinq93wNW9ex8=@protonmail.com>
In-Reply-To: <CAH5Bsr2rsiU9gV6VsGH3ZCWGRoTz=g5hXNq37P3P6HB+MmxUAA@mail.gmail.com>
References: <u1IeyK5A7zyklXzl26UpCliJrFEsDp5SXUGbtXGBCrEWw6Wi7vNcoy4HNv2WXUTG_SBuMURDLhvh3YCwL2r53rL0Yj19TZpumYFD5WqmYL8=@protonmail.com>
 <CAH5Bsr2rsiU9gV6VsGH3ZCWGRoTz=g5hXNq37P3P6HB+MmxUAA@mail.gmail.com>
Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Composable MuSig
Precedence: list

Good morning Lloyd, and list,

> Just a quick note: I think there is a way to commit to a point properly w=
ith Pedersen commitments. Consider the following:
> COM(X) =3D (y*G + z*H, y*G=C2=A0+ X)=C2=A0 where y and z are random and t=
he opening is (y,z,X).=C2=A0 This seems to be a=C2=A0 unconditionally hidin=
g and computationally binding homomorphic commitment scheme to a point base=
d on the DL problem rather than DDH.

So the Pedersen commitment commits to a tweak on `X`, which is revealed lat=
er so we can un-tweak `X`.
Am I correct in assuming that you propose to use `X` for the contribution t=
o `R` for a participant?
How is it different from using ElGamal commitments?


-------


Some number of people have noted, including at least one MuSig author, that=
 in the ElGamal case it would be possible to prove your knowledge of the `q=
` behind `q * G`, and thus prevent the cancellation attack shown.
We already have a general proof-of-knowledge-of-secret-key, the Schnorr sig=
nature signing algorithm itself.

Thus, together with `q * G` in the ElGamal commitment, we could include a S=
chnorr signature using `q * G`, either of the target message itself, or any=
 constant string.

This seems highly appropriate, yo dawg, I heard you like MuSig, so I put an=
 aggregate in your aggregate, so you could sign (singly) while you sign (mu=
ltiply).

In terms of a *composable* MuSig, e.g. MuSig(MuSig(A, B), C), both A and B =
will select `q[a]` and `q[b]` and will generate a shared `q[ab] * G` as the=
 MuSig of `q[a] * G` and `q[b] * G`.
Since they know the corresponding `q[a]` and `q[b]` they will also known th=
e contributions they each will need to generate `q[ab] * H`, but note that =
there is no proof of this until they reveal `q[a]` and `q[b]`, which may le=
ad to further attacks, this time on `q[ab] * H` instead.
So at least for `q` it seems not to be a good idea, though I have not put m=
uch thought into this.

Indeed, it seems to me that signatures using the contributions `R[a]` and `=
R[b]` as public keys seems to be another way to commit to `R` while ensurin=
g that your own `R` cannot have cancelled the other participant `R`.
You would have to exchange the (single) signatures of `R[a]` and `R[b]` fir=
st, however, otherwise a Wagner attack may be possible if you exchange `R[a=
]` and `R[b]` first (i.e. the signatures replace the `R` commitment phase o=
f 3-phase MuSig).

The complexity of either sign-while-you-sign idea, however, is much greater=
.
Your signing algorithm now requires delegating to another signing algorithm=
, which while at least fair in that you are now signing while you sign beca=
use you aggregated while you aggregated, is more complicated to implement p=
ractically.


Regards,
ZmnSCPxj