From: Erik Aronesty <erik@q32.com>
Date: Fri, 20 Jul 2018 13:34:29 -0400
Message-ID: <CAJowKgKB1GDxvpQt1JjPr+cgyM8yztLtgJ_mZ8vsoCHyBdqkVA@mail.gmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures

Hi, thanks for all the help. I'm going to summarize again, and see if
we've arrived at the correct solution for an M of N "single sig" extension
of MuSig, which I think we have.

- Using MuSig's solution for the blinding to solve the Wagner attack
- Using interpolation to enhance MuSig to be M of N instead of M of M

References:

 - MuSig
https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
 - HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1
and 7.4)

Each party:

1. Publishes public key G*xi
2. Xi = H(G*xi) ... Xi is the party's x coordinate, for the purposes of
interpolation
3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)
4. L = H(X1,X2,…) (see MuSig)
5. X = sum of all H(L,Xi)Xi (see MuSig)
6. Computes e = H(r | M | X) .... standard Schnorr e... not a share
7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is
the private data
8. Publishes (si, e, G*Xi)

Any party can then derive s from m of n shares, by interpolating, not
adding.
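
The last point of the message (s is derived from any m of n shares by interpolating), as an added example that is not part of the original email and not code from the MuSig or HomPrf authors. It assumes a trusted dealer that Shamir-shares both the key x and the nonce k, party indices 1..n as interpolation x-coordinates instead of H(G*xi), the textbook share form s_i = k_i + e*x_i, and a toy 11-bit group; MuSig's key-aggregation coefficients are left out and all function names are illustrative.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and NOT secure:
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash to a scalar mod Q (stand-in for the H used in the steps)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def deal(secret, m, n):
    """Shamir-share `secret`: party i (1..n) holds f(i), deg f = m - 1."""
    poly = [secret] + [secrets.randbelow(Q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(poly)) % Q
            for i in range(1, n + 1)}

def interpolate_at_zero(points):
    """Lagrange-interpolate {x: y} at x = 0 over GF(Q)."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def sign_shares(msg, m, n):
    """Assumed dealer setup (hypothetical): returns (pub, r, {i: s_i})."""
    x = 1 + secrets.randbelow(Q - 1)      # group private key
    k = 1 + secrets.randbelow(Q - 1)      # per-signature nonce
    x_sh, k_sh = deal(x, m, n), deal(k, m, n)
    pub, r = pow(G, x, P), pow(G, k, P)
    e = H(r, msg, pub)                    # e = H(r | M | X), not a share
    return pub, r, {i: (k_sh[i] + e * x_sh[i]) % Q for i in x_sh}

def combine(s_shares, ids):
    """Derive s from the chosen parties' shares by interpolation."""
    return interpolate_at_zero({i: s_shares[i] for i in ids})

def verify(pub, msg, r, s):
    """Schnorr check G^s == r * pub^e with e = H(r | M | X)."""
    return pow(G, s, P) == r * pow(pub, H(r, msg, pub), P) % P
```

Because each s_i is a point on the degree m-1 polynomial k(i) + e*x(i), every m-subset interpolates to the same s = k + e*x, which is what makes the result a single ordinary Schnorr signature.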
