1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
Return-Path: <lloyd.fourn@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 5600EC077D
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 8 Dec 2019 06:10:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 954C686DFF
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 8 Dec 2019 06:10:31 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id kocoZLlsBTNS
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 8 Dec 2019 06:10:27 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-io1-f46.google.com (mail-io1-f46.google.com
[209.85.166.46])
by whitealder.osuosl.org (Postfix) with ESMTPS id D517D86C5C
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 8 Dec 2019 06:10:26 +0000 (UTC)
Received: by mail-io1-f46.google.com with SMTP id s2so11434674iog.10
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 07 Dec 2019 22:10:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=Z+wYCLmzoXGakbxe62plNIHzj1Z4+DdIPHeOGoPtz/A=;
b=UbxBVfrtwhbhcQ0L18iL6q7WE6TlXXEAgo1iC0SeDCiGBAdCL3cbEv9jIwWVRlViDR
TQUZJErAFmNQnMCVAS3meDh2y4q0SN7vpcX7xvu/Ot5RevK6+fRtFITPBx59q8C8dsgh
h2hWI1DWm9IY15hnHjYcUVsVT9bS0KHVu8Oj58wQaG1gSlQAXw5fekgk1vxfvB/IrAN6
cuqOaRQytii0AQnXlopXvW0mHQOEONX+N2Lo8hUcp0Rjk9lkon+qfuK0xgwmXQfGquEk
J5rsOZeMR9nNnHi3LbBX1sgaQiql0ylZaljt5NG9mH/pyNrJdGki+HvxPDsWHTQ6qFuL
pCvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=Z+wYCLmzoXGakbxe62plNIHzj1Z4+DdIPHeOGoPtz/A=;
b=ewZkhNWMwtOSE0WXMZnQWc9mQvWk4vvkXN7aAr3IekqaqkdPnKz2zHeFqNNO2wT1Od
Z8Fecwg6JX2CtVeONxrz+jA+a6kH2S6x93gKw5+HG/Opp0McnYkf2gfWPKOl2jIWYJKd
5PnAnEvZQ/XAn5V6N9M/pkmekhhp0bwuQliuhnRjnZBX2h/8d+KacZt0C487xYxONivv
0x3I4GGRtQgO1O1iTIlElQftt54fA7YKwtf3c9XeZGGnCv8vpDWZn9F6bywjNZtzP9OD
+Sbd2ydck7Z6C1f0528OxhM9VjUiZTLvorwzGk6P+N7y4Xb0IUETHlybH+K1gm4jIqYA
0UxQ==
X-Gm-Message-State: APjAAAWgT2bTgt3zu1CQR0MlwOLDl3bS1AoTnQcdFxr5vkArnk6Wud3S
woACT2gESZouxMThK3cS0d+muGu5Z/vNDFi15Pk=
X-Google-Smtp-Source: APXvYqxyWNAA/6BglAE7T2zO96JIMTHbhnT31NtNJbwViLwKIG59BbPj57OmvSTpZUbf1JsEACo1cWFtQmGg/VuRGbE=
X-Received: by 2002:a5e:8505:: with SMTP id i5mr16418140ioj.158.1575785426050;
Sat, 07 Dec 2019 22:10:26 -0800 (PST)
MIME-Version: 1.0
References: <u1IeyK5A7zyklXzl26UpCliJrFEsDp5SXUGbtXGBCrEWw6Wi7vNcoy4HNv2WXUTG_SBuMURDLhvh3YCwL2r53rL0Yj19TZpumYFD5WqmYL8=@protonmail.com>
<CAH5Bsr2rsiU9gV6VsGH3ZCWGRoTz=g5hXNq37P3P6HB+MmxUAA@mail.gmail.com>
<tvK5ZI4GmQzBkGfcYFOaUI4kgLBv7N615LV-yvyUOeYU49Ig2krXbyPOrTSwiiYNZpPYNv6GtLrSRTQf_MRwqmYeXY1VTLzinq93wNW9ex8=@protonmail.com>
<CAH5Bsr07ZxxneRngGO=C56qODxu7FQ3r1c7NmcXYY3BZ2VEokA@mail.gmail.com>
<5JbfLKwbVsIev2M33s366qbyuAGqz-ydB4gZ2KTFR_nCWbgZ0vWMm5UOU19jNVeMfYD3A0GPTpbuuYINwOv_F6fJS3NdxuPgMm8hGUnjbB0=@protonmail.com>
In-Reply-To: <5JbfLKwbVsIev2M33s366qbyuAGqz-ydB4gZ2KTFR_nCWbgZ0vWMm5UOU19jNVeMfYD3A0GPTpbuuYINwOv_F6fJS3NdxuPgMm8hGUnjbB0=@protonmail.com>
From: Lloyd Fournier <lloyd.fourn@gmail.com>
Date: Sun, 8 Dec 2019 17:10:00 +1100
Message-ID: <CAH5Bsr1rdbTw16+FVo0NC0zqv3EDHmEd=ef7k3baLaQ+HMn2Cg@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Sun, 08 Dec 2019 17:22:55 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Composable MuSig
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2019 06:10:32 -0000
Hi ZmnSCPxj,
I think you're idea of allowing multiple Rs is a fine solution as it
would essentially mean that you were just doing a three party MuSig
with more specific communication structure. As you mentioned, this is
not quite ideal though.
> It seems to me that what is needed for a composable MuSig is to have a commitment scheme which is composable.
Maybe. Showing certain attacks don't work is a first step. It would
take some deeper analysis of the security model to figure out what
exactly the MuSig requires of the commitment scheme.
> To create a commitment `c[A]` on the point A, such that `A = a * G`, the committer:
>
> * Generates random scalars `r` and `m`.
> * Computes `R` as `r * G`.
> * Computes `s` as `r + h(R | m) * a`.
> * Gives `c[A]` as the tuple `(R, s)`.
This doesn't look binding. It's easy to find another ((A,a),m) which
would validate against (R,s). Just choose m and choose a = (s - r)
h(R||m)^-1.
Cheers,
LL
|