In-Reply-To: <CAJowKgJ3K=wmCEtoZXJZhrnnA8XJcHYg788KP+7MCeP4Mxf-0w@mail.gmail.com>
References: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
	<08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de>
	<CAAS2fgSPUc7xRq36rZ9BVLjUTdd152Fgho4sjJXLhfrc71vPMw@mail.gmail.com>
	<CAJowKgL-nRcruXhWdGWrT4x+oV7i3jYST2Wa3bF5m6iT_mOyMw@mail.gmail.com>
	<CAPg+sBjdu4mnda-P0y7Ddu-rN7a1GiUt0hY_wYGsy_bJLKOYMA@mail.gmail.com>
	<CAJowKgLSQZ1LrZayDi7EFc-NSfK_AD+zBdyaF7jBeQRP7tOwYQ@mail.gmail.com>
	<CAPg+sBizrx20XShpeZRvZd4bfq1=E+MFUDmSC9X-xK1CSbV5kQ@mail.gmail.com>
	<CAJowKg+=7nS4gNmtc8a4-2cu1uCOPqxjfchFwDVqUciKNMUYWQ@mail.gmail.com>
	<CAJowKgJ3K=wmCEtoZXJZhrnnA8XJcHYg788KP+7MCeP4Mxf-0w@mail.gmail.com>
From: Gregory Maxwell <greg@xiph.org>
Date: Mon, 9 Jul 2018 16:21:59 +0000
Message-ID: <CAAS2fgTmEaM8XStQ3xQns2JpS3upJ==MQv65YfxYFtWKFNXi5Q@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures

On Mon, Jul 9, 2018 at 3:02 PM, Erik Aronesty via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> and where H(g*x) can
> be considered their public index for the purposes of Shamir polynomial
> interpolation

This is isomorphic to the insecure musig variant where keys are
blinded by H(g*x) instead of a commitment to all keys. It is insecure
because it is vulnerable to an attacker knowing a victim pubkey P who
uses Wagner's algorithm to solve a random modular subset sum problem:
-1H(P) = H(aP)/a + H(bP)/b + H(cP)/c + ... for some a,b,c...  then
claiming to be participants with keys aP, bP, cP, ..., xG (their own
key) and canceling out key P, allowing the value to just be signed for
with their key alone.

AFAICT your suggestion is using simple multiplication in the place of
a cryptographic hash.  E.g. you have just suggested a schnorr
signature where H() is just r*m in the field of size n. It doesn't
have any new properties about how you can use it. The same linearities
do and don't apply as the normal schnorr construction, but for any of
the security proofs to hold we'd have to believe that multiplication
in the field of n is a suitable random oracle-- which is not very
plausible.
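The point of the reply above is that a per-key blinding factor H(P_i) leaves the victim's term in the aggregate key fixed no matter which other keys an attacker brings, whereas MuSig's H(L, P_i) ties every coefficient to the whole key list. The following is an added example, not code from this thread or from any MuSig implementation. It builds both aggregation rules over secp256k1 in plain Python, checks whether a victim's coefficient changes when the co-signer set changes, and runs a minimal n-of-n Schnorr signing round over the aggregate key so the construction can be verified end to end. The curve constants are the standard secp256k1 values; the private keys, message, and the function names are constructed for the demonstration, and the nonce-commitment round of real MuSig is omitted.

```python
"""Key aggregation with per-key blinding H(P_i) beside MuSig's H(L, P_i),
plus a toy n-of-n Schnorr signature over the aggregate key.
Added example; assumes standard secp256k1 parameters and SHA-256."""
import hashlib
import secrets
from typing import List, Optional, Tuple

# secp256k1 field prime, group order and generator (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

def ec_add(a: Point, b: Point) -> Point:
    """Affine point addition (handles doubling and the infinity point)."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication."""
    r, acc, k = None, pt, k % N
    while k:
        if k & 1:
            r = ec_add(r, acc)
        acc = ec_add(acc, acc)
        k >>= 1
    return r

def enc(pt: Point) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts: bytes) -> int:
    """SHA-256 reduced into the scalar field (constructed domain usage)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def coeff_insecure(keys: List[Point], i: int) -> int:
    # Blinding that depends on the signer's own key only: H(P_i).
    return h(enc(keys[i]))

def coeff_musig(keys: List[Point], i: int) -> int:
    # MuSig: commit to the full sorted key list L, then H(L || P_i).
    L = b"".join(enc(k) for k in sorted(keys))
    return h(L, enc(keys[i]))

def aggregate(keys: List[Point], coeff) -> Point:
    """X = sum_i coeff_i * P_i under the chosen coefficient rule."""
    X = None
    for i in range(len(keys)):
        X = ec_add(X, ec_mul(coeff(keys, i), keys[i]))
    return X

def victim_coeff_is_bound_to_cosigners(victim: Point, cosigners_a, cosigners_b, coeff) -> bool:
    """True if swapping the co-signer set changes the victim's coefficient.
    With H(P_i) this is False: the victim's term is fixed, which is what lets an
    attacker treat cancelling it as a fixed subset-sum problem over their own keys."""
    return coeff([victim] + cosigners_a, 0) != coeff([victim] + cosigners_b, 0)

def multisign(privs: List[int], msg: bytes, coeff):
    """Toy n-of-n Schnorr signing over the aggregate key: s = sum(r_i + e*c_i*x_i).
    Real MuSig adds a nonce-commitment round; it is omitted here."""
    keys = [ec_mul(x, G) for x in privs]
    X = aggregate(keys, coeff)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in privs]
    R = None
    for r in nonces:
        R = ec_add(R, ec_mul(r, G))
    e = h(enc(R), enc(X), msg)
    s = sum(r + e * coeff(keys, i) * x for i, (r, x) in enumerate(zip(nonces, privs))) % N
    return X, (R, s)

def verify(X: Point, sig, msg: bytes) -> bool:
    R, s = sig
    e = h(enc(R), enc(X), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, X))

# Constructed demo keys (not real keys).
DEMO_PRIVS = [0x1F3A9C2E5B7D4061, 0x2B8E4D7A1C9F3350, 0x3C5D6E7F8A9B0C1D]

if __name__ == "__main__":
    keys = [ec_mul(x, G) for x in DEMO_PRIVS]
    victim, a, b = keys
    print("H(P_i)   binds victim coeff to co-signers:",
          victim_coeff_is_bound_to_cosigners(victim, [a], [b], coeff_insecure))
    print("H(L,P_i) binds victim coeff to co-signers:",
          victim_coeff_is_bound_to_cosigners(victim, [a], [b], coeff_musig))
    X, sig = multisign(DEMO_PRIVS, b"constructed message", coeff_musig)
    print("aggregate signature verifies:", verify(X, sig, b"constructed message"))
```

Both coefficient rules yield a key that signs and verifies identically, which is why the difference is easy to miss: the distinction only shows up in what an attacker controls. Under H(P_i) the victim's coefficient is the same for every co-signer set, so the cancellation equation in the reply is fixed before the attacker chooses aP, bP, cP; under H(L, P_i) every choice of co-signer keys re-randomizes the victim's coefficient along with all the others.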