1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
Return-Path: <AdamISZ@protonmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id A60F2C002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 24 May 2022 19:06:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 802C1817E4
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 24 May 2022 19:06:52 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=protonmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2GYG0KB3PB3m
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 24 May 2022 19:06:50 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch
[185.70.40.131])
by smtp1.osuosl.org (Postfix) with ESMTPS id 24642817D3
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 24 May 2022 19:06:50 +0000 (UTC)
Date: Tue, 24 May 2022 19:06:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail3; t=1653419207; x=1653678407;
bh=0ya4IXRckNygdsC5XRTe+PFhm2xn+cvfsuc3x6Gjsi0=;
h=Date:To:From:Reply-To:Subject:Message-ID:In-Reply-To:References:
Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
Message-ID;
b=bgdIDwsrPR8yOBId9LoUWSqEWGDTFjm5GbzbXRmq5lo3Hhlx6D84706+7XlMdYmq/
P94BBFtyn54HtTG0Ug+CihVWct+FG4RgmAtBJ+V9MJuNd/draWc4n1TVHoRjJ/w8rE
2RKTxgxUOEZs/m6eMEM+REWX6wnAiJSlDpr/YNamSD8q2VnL00//8YCXTBSSmPMdVo
jZsQkpQn2BcgO5Gqj2/nIpjeXU2/hwKgcUt3MiMoJwXZcWMvacDBW+DnaIqLU1KLDC
UWSh96N+CJqaKnOS1vYnZw/vcJgfvmUE0brdeRzq9pd1PW6PG37xG86hpau3sjR/Z5
iMk7Pvp4w4e+A==
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
Jonas Nick <jonasdnick@gmail.com>
From: AdamISZ <AdamISZ@protonmail.com>
Reply-To: AdamISZ <AdamISZ@protonmail.com>
Message-ID: <XRFIZf_z1dKNoKvgFJmrgThHcIE_B0JW9mmJL7mE2B2afcgwZn7NuJaK_vXUAvVwWSZ2Nijwz9yhiwYpty6iI3mrJyivdLxL_CtWlEaAhMY=@protonmail.com>
In-Reply-To: <HPRdBVSvEmkPyHkS-175ZYEYyL-ULZAgmhSPh3uwVtfryFOKZUFKUM5QXnSXjwZy3b10sV55f9lhOkZ-ILShaWSWJ7GMN0JmKNweKY6kfLg=@protonmail.com>
References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com>
<yitwgERAsaofLM5dheUZUYyFp0ncU8xyN98xTym3MkCxTch83DkweZN5JYyovVcfxA2Mo7DjTbv1Iku3wBApYiPG_cMwznTytKFpcjYa1O0=@protonmail.com>
<c2a9b488-8d29-d1c6-b2c3-bc17d12b7d65@gmail.com>
<HPRdBVSvEmkPyHkS-175ZYEYyL-ULZAgmhSPh3uwVtfryFOKZUFKUM5QXnSXjwZy3b10sV55f9lhOkZ-ILShaWSWJ7GMN0JmKNweKY6kfLg=@protonmail.com>
Feedback-ID: 11565511:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Tue, 24 May 2022 19:19:19 +0000
Subject: Re: [bitcoin-dev] MuSig2 BIP
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 19:06:52 -0000
------- Original Message -------
On Monday, May 23rd, 2022 at 17:09, AdamISZ via bitcoin-dev <bitcoin-dev@li=
sts.linuxfoundation.org> wrote:
> Jonas, all,:
>
> So I do want to ask a couple further clarifying questions on this point, =
but I got rather majorly sidetracked :)
> I wonder can you (and other list readers!) take a look at my attempt here=
to summarize what is described in Footnote 2 of the draft BIP (as it's rel=
ated to this discussion and also .. it's pretty interesting generally!):
>
> https://gist.github.com/AdamISZ/ca974ed67889cedc738c4a1f65ff620b
>
> (btw github gists have equation rendering now which is nice!)
>
> Thanks,
> waxwing/AdamISZ
>
Jonas, list,
So given that that's basically correct (see the comments), continuing on th=
is point of how to handle duplicate keys:
In https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#ident=
ifiying-disruptive-signers we have:
"If partial signatures are received over authenticated channels, this metho=
d can be used to identify disruptive signers and hold them accountable. Not=
e that partial signatures are not signatures. An adversary can forge a part=
ial signature, i.e., create a partial signature without knowing the secret =
key for the claimed public key."
(the gist in the previous message was just fleshing out what's stated there=
and in Footnote 2: if you get a "valid" partial sig at index i, it doesn't=
mean that the signer at index i knows the key for index i, *if* they also =
control index j; it just means they won't be able to produce "valid" partia=
l sigs for both indices i and j).
(scare quotes "valid" - there is no notion in MuSig2 of a partial signature=
as a signature, only the aggregate signature in toto is valid or invalid o=
r forged).
So we see in the above quote, that the concept of 'authenticated channels' =
is rather important. Consider 2 scenarios:
1. "Persistent": Every signer has a persistent identity across many signing=
sessions, and their communications are authenticated against that identity=
.
2. "Spontaneous": Signers join the protocol in some ad hoc way, but authent=
icate specifically inasmuch as they set up temporary nyms and use e.g. diff=
ie hellman to establish a confidential and authenticated channel for the pe=
riod of this signing session.
An example of "Spontaneous" might be: a variant of a multiparty channel con=
struction with anonymous participants on LN or LN* in which participants se=
t up such constructions ad hoc e.g. via liquidity markets .. in contrast, e=
.g. a hardware wallet multisig setup with a known provider might be a "Pers=
istent" case.
Not sure, but ... are we mainly talking about the "Spontaneous" case?
Because the "Persistent" case doesn't seem interesting: If I "know" the cou=
nterparty that I'm engaging in this protocol with, first, a Sybil at two in=
dices is kinda weird, so the occurrence of a duplicated key from them tells=
me something is wrong and manual intervention is needed (or equivalently s=
ome sanity check in the meta-protocol). Often (e.g. cold storage, devices) =
there'd be a way to know in advance what the keys *should* be. It's very li=
kely a bug. (I suppose you could argue waiting till the second signing roun=
d helps, because it helps us isolate the bug (except it might not, if in ce=
rtain protocols, both signers have access to some shared keys, but, meh) ..=
. but that doesn't seem convincing ... executing more of a protocol when yo=
u already know the implementation is broken seems unwise).
So, to the "Spontaneous" case: if we see two identical pubkeys from two pse=
ud/anonymous counterparties, I can see the argument for waiting until parti=
al sig sending occurs, before establishing misbehaviour. The main substance=
of the argument seems to be something like: we can't actually deduce adver=
sarial behaviour at key exchange time, so we *have* to wait for the partial=
signature step. I'm objecting to this on two fronts:
* A general principle of security should be 'abort early'. It's to me just =
sensibly conservative to not continue given the substantial risk of bugs (e=
sp. in systems exposed to nonce-fragility!)
* The claim that the protocol laid out in the BIP identifies misbehaviour s=
eems to be at best partially correct, it cannot be true in the general case=
.
Jonas has already countered my first bullet point by stating that this abor=
t-early (at key exchange) strategy opens up an unlimited DOS vector. My cou=
nter here is that that, because of the second bullet oint, the DOS vector r=
emains, in the "Spontaneous" case, anyway; and that the only way to close i=
t is to use either identities (switch to "Persistent": see e.g. Coinshuffle=
which registers identities via inputs), or cost.
(Why does the DOS vector remain? Because of the partial sig "validation" is=
sue as per my gist and Footnote2: if key 3 and key 4 are identical in a set=
of 5, we can wait, and then find that partial sig 3 verifies, and partial =
sig 4 *also* verifies, and only at index 5 do we see an 'invalid' partial s=
ig. If the adversary (as seems extremely likely.. I can't imagine it being =
otherwise) has used two *different* nyms for his two adversarial indices 4 =
and 5, then ejecting 5 doesn't really seem to close the DOS potential? If w=
e then restart and 'grab another anonymous nym' for the 5th index, can't it=
be the adversary again? And haven't we let the adversary stay, at index 4?=
(though I'm not sure the implications)).
Another way to look at it, I'm saying that this claim:
"In contrast, MuSig2 is designed to identify disruptive signers at signing =
time: any signer who prevents a signing session from completing successfull=
y by sending incorrect contributions in the session can be identified and h=
eld accountable (see below)."
isn't *fully* correct. That is, for sure the algorithm will identify a disr=
uptive signer who simply operates one key, but it doesn't (as current) alwa=
ys identify every key owned by a disruptive signer. So it doesn't close the=
DOS vector.
(To be clear the whole 'fake partial sig' adversarial behaviour is *not* sp=
ecific to having duplicate public keys; I'm just discussing whether the pro=
tocol should continue if duplicates are seen).
So overall I have the feeling that allowing duplicate keys at setup makes t=
he implementation messier (and this protocol is complex, so that matters a =
bit more), and it strikes me as risky in the inevitable presence of impleme=
ntation errors.
Cheers,
waxwing/AdamISZ
|