From: Jonas Nick <jonasdnick@gmail.com>
X-Google-Original-From: Jonas Nick <jonasd.nick@gmail.com>
To: nakagat <nakagat@gmail.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <CAHk9a9ct_h485MY4gk7S++FAu5FEH3PL9pd9mrrh+wA8nWaVUA@mail.gmail.com>
Message-ID: <80e4e9b8-0cf3-b99e-7ac3-87ebbd8bb97c@gmail.com>
Date: Fri, 7 Sep 2018 08:11:56 +0000
Subject: Re: [bitcoin-dev] Multisignature for bip-schnorr

Your multisignature writeup appears to be vulnerable to key cancellation
attacks because the aggregated public key is just the sum of public keys (and
there is no proof of knowledge of the individual secret keys). Therefore, in a
multisignature between Alice and an attacker, the attacker can choose their key
to be -alice_key+attacker_key resulting in an aggregated key for which the
attacker can sign alone (without requiring Alice's partial signature). The
Schnorr BIP links to the MuSig paper which describes a secure key aggregation
scheme. See https://eprint.iacr.org/2018/068

On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:
> Hi all,
> 
> I wrote a multisignature procedure using bip-schnorr.
> 
> If you have time to review and give feedback, I’d really appreciate it.
> Thanks in advance!
> 
> Multisignature
> https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b
> 
> Original
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures
>