Return-Path: <earonesty@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id CD40CC0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Jul 2023 14:40:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 9A56D81ED2
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Jul 2023 14:40:22 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9A56D81ED2
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=q32-com.20221208.gappssmtp.com
 header.i=@q32-com.20221208.gappssmtp.com header.a=rsa-sha256
 header.s=20221208 header.b=2R9NmIZN
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level: 
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001,
 HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=no autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 7gbaml9tNY81
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Jul 2023 14:40:21 +0000 (UTC)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com
 [IPv6:2607:f8b0:4864:20::233])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 8737581A9C
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Jul 2023 14:40:21 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8737581A9C
Received: by mail-oi1-x233.google.com with SMTP id
 5614622812f47-3a48ae22bb7so284757b6e.0
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Jul 2023 07:40:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=q32-com.20221208.gappssmtp.com; s=20221208; t=1690209620; x=1690814420;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=h4tElREw55X7jiqoTrcjvuErYK2bDmvqzkVoNobOZLQ=;
 b=2R9NmIZNd74Sj3iFh5CL1y7CiaMv95yf/zL6zQQOWFRgiMng3eDWWU07ziWIL7Ixoh
 3+fkI2YfqwlAoByN2nBnyV/Uoisf/lV40oDfcWRYA95RjQSMKAU68/ZaEObvkHGZMyjR
 GAe/+7C16PvWnmK6x6+O+6zfIp6PQzmXraExN3zrarcGlL/8csRgKvmbwyPx8YPiA6iR
 dCq4qGQtFZUk/8NPa4xHbwP2Bqt5wKa2sdbn1LaM/wLNdPDNiYxU78RD6UcKtDjyJwW7
 jkBgPmTwVREjUCAD9aWHLVtydMq5RBXDuJOvMIZaMc/JblOwg2Wbcxa84LFGLKCB8ZfE
 AcHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1690209620; x=1690814420;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=h4tElREw55X7jiqoTrcjvuErYK2bDmvqzkVoNobOZLQ=;
 b=TswVtjeFTxyqWtAMN9dz5DXM9DCKuj8jvB8KbAzFSsxrHQ1u+hny74uhQQF/HSc2PL
 zLh3IGquKvovWKdtkvabq7B8RUkrbQGV54Li3bN2Rp6FMNMETG4mMsopQ4WqCzUNL8Nr
 iKpRib0t9f55rltS1mciBhoIeyUXc7cJ/HrqXX9DaT9qCs3ppf2/B/47c7lHTvpgm55s
 J1CYylvRRgQ3L87UebgmFSjDC6PKpnvmnPDVMl+XN4yCSTIBkKwui3yYl2XBduqQj74d
 nC2mDxpt7O3SVjWa7iMCivKAVUcHMGVKbH+EJ54USbyxmILOzbTZZCst9RNKs8WlYj9g
 uQMw==
X-Gm-Message-State: ABy/qLZkCVbRPFd4Cx2RFVCFnPHj+qcSHYM8g/oCV8+kjvUacXHwXmH4
 uVUackTCfPB0GF21N4VRxUAXXyHGUXbZQTcVig323csUCC4e
X-Google-Smtp-Source: APBJJlHHYyINt0nrhoOoj0mJpKCCClTzLfYwUfSMVHOPr5pocAS43qUD6ATfBYH4eH/sqGt7YfsZvxh6VEA2O5A08cE=
X-Received: by 2002:a05:6808:2082:b0:3a3:a8d3:e01 with SMTP id
 s2-20020a056808208200b003a3a8d30e01mr8925639oiw.3.1690209620378; Mon, 24 Jul
 2023 07:40:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAJvkSsc_rKneeVrLkTqXJDKcr+VQNBHVJyXVe=7PkkTZ+SruFQ@mail.gmail.com>
 <ca674cee-6fe9-f325-7e09-f3efda082b6b@gmail.com>
In-Reply-To: <ca674cee-6fe9-f325-7e09-f3efda082b6b@gmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Mon, 24 Jul 2023 10:40:10 -0400
Message-ID: <CAJowKgKM-8kz2b7W5qihYfNvdzGkUxF4T4puXK95MKMuu83xkA@mail.gmail.com>
To: Jonas Nick <jonasdnick@gmail.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000004c78b06013c987a"
X-Mailman-Approved-At: Mon, 24 Jul 2023 15:24:23 +0000
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2023 14:40:22 -0000

--00000000000004c78b06013c987a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

You can't choose R if you provide posk

On Mon, Jul 24, 2023 at 10:31 AM Jonas Nick via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi Tom,
>
> I'm not convinced that this works. As far as I know blind musig is still an open
> research problem. What the scheme you propose appears to try to prevent is that
> the server signs K times, but the client ends up with K+1 Schnorr signatures for
> the aggregate of the server's and the client's key. I think it's possible to
> apply a variant of the attack that makes MuSig1 insecure if the nonce commitment
> round was skipped or if the message isn't determined before sending the nonce.
> Here's how a malicious client would do that:
>
> - Obtain K R-values R1[0], ..., R1[K-1] from the server
> - Let
>      R[i] := R1[i] + R2[i] for all i <= K-1
>      R[K] := R1[0] + ... + R1[K-1]
>      c[i] := H(X, R[i], m[i]) for all i <= K.
>    Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>      c[0] + ... + c[K-1] = c[K].
> - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].
> - Let
>      s[K] = s[0] + ... + s[K-1].
>    Then (s[K], R[K]) is a valid signature from the server, since
>      s[K]*G = R[K] + c[K]*a1*X1,
>    which the client can complete to a signature for public key X.
>
> What may work in your case is the following scheme:
> - Client sends commitment to the public key X2, nonce R2 and message m to the
>    server.
> - Server replies with nonce R1 = k1*G
> - Client sends c to the server and proves in zero knowledge that c =
>    SHA256(X1 + X2, R1 + R2, m).
> - Server replies with s1 = k1 + c*x1
>
> However, this is just some quick intuition and I'm not sure if this actually
> works, but maybe worth exploring.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
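
[Added example, not code from either message in this thread.] The commit-then-sign variant sketched in the quoted message, run end to end on secp256k1 from the server's point of view: the client binds (X2, R2, m) before the server issues R1, and the server refuses to produce s1 = k1 + c*x1 unless c really is H(X1 + X2, R1 + R2, m) for the committed values. Assumptions not in the thread: the zero-knowledge proof is replaced by simply opening the commitment (so this run is not blind; it only shows the binding check the proof would give), the key is the plain sum X1 + X2 as written in the quoted scheme (no MuSig coefficients), the hash-to-scalar and point encodings are my own choice, and all keys and messages are constructed sample values.

```python
# Added example (not code from the thread): toy run of the commit-then-sign
# variant from the quoted message, on secp256k1. Assumptions: the ZK proof is
# replaced by opening the commitment (not blind, demonstrates the check only),
# the key is the plain sum X1 + X2, and keys/messages are constructed values.
import hashlib
import secrets

# secp256k1 parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(X, R, m):
    """c = H(X, R, m) with X = X1 + X2 and R = R1 + R2, as in the quoted scheme."""
    return int.from_bytes(hashlib.sha256(encode(X) + encode(R) + m).digest(), "big") % N

def commit(X2, R2, m):
    """Client's first message: a hash commitment to its key, nonce and message."""
    return hashlib.sha256(encode(X2) + encode(R2) + m).digest()

class Server:
    def __init__(self):
        self.x1 = secrets.randbelow(N - 1) + 1
        self.X1 = scalar_mult(self.x1, G)
        self.sessions = {}  # commitment -> k1; one nonce per commitment

    def round1(self, com):
        # R1 is only released after the client has bound X2, R2 and m.
        k1 = secrets.randbelow(N - 1) + 1
        self.sessions[com] = k1
        return scalar_mult(k1, G)

    def round2(self, com, c, opening):
        # Stand-in for the ZK proof (assumption): the client opens the
        # commitment and the server recomputes c before signing.
        k1 = self.sessions.pop(com, None)  # every nonce is used at most once
        if k1 is None:
            raise ValueError("unknown or already used session")
        X2, R2, m = opening
        if commit(X2, R2, m) != com:
            raise ValueError("opening does not match commitment")
        R1 = scalar_mult(k1, G)
        if c != challenge(point_add(self.X1, X2), point_add(R1, R2), m):
            raise ValueError("challenge not derived from committed values")
        return (k1 + c * self.x1) % N  # s1 = k1 + c*x1

def cosign(server, x2, m):
    """Honest client: returns the aggregate key X, nonce R and signature s."""
    X2 = scalar_mult(x2, G)
    k2 = secrets.randbelow(N - 1) + 1
    R2 = scalar_mult(k2, G)
    com = commit(X2, R2, m)
    R1 = server.round1(com)
    X = point_add(server.X1, X2)
    R = point_add(R1, R2)
    c = challenge(X, R, m)
    s1 = server.round2(com, c, (X2, R2, m))
    return X, R, (s1 + k2 + c * x2) % N

def verify(X, R, s, m):
    """Plain Schnorr check: s*G == R + H(X, R, m)*X."""
    return scalar_mult(s, G) == point_add(R, scalar_mult(challenge(X, R, m), X))

def mismatched_challenge_is_refused(server, x2, m, m_other):
    """Commit to m but submit the challenge for m_other; the server must refuse."""
    X2 = scalar_mult(x2, G)
    R2 = scalar_mult(secrets.randbelow(N - 1) + 1, G)
    com = commit(X2, R2, m)
    R1 = server.round1(com)
    c_other = challenge(point_add(server.X1, X2), point_add(R1, R2), m_other)
    try:
        server.round2(com, c_other, (X2, R2, m))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    srv = Server()
    X, R, s = cosign(srv, 12345, b"constructed message")
    print("honest run verifies:", verify(X, R, s, b"constructed message"))
    print("swapped message refused:", mismatched_challenge_is_refused(srv, 12345, b"m", b"m'"))
```

Because the server checks the challenge against the message it was committed to, a client cannot collect K nonces and then pick the R2 values freely afterwards, which is the degree of freedom the attack in the quoted message relies on; whether a zero-knowledge proof can replace the opening without breaking anything is exactly the open question the message leaves.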

--00000000000004c78b06013c987a--