From: Gregory Maxwell
Date: Mon, 9 Jul 2018 16:58:38 +0000
To: Erik Aronesty
Cc: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Multiparty signatures

On Mon, Jul 9, 2018 at 4:33 PM, Erik Aronesty wrote:
>>> with security assumptions that match the original Schnorr construction more closely,
>> More closely than what?
> More closely than musig.

MuSig is instructions on using the original Schnorr construction for multiparty signing which is secure against participants adaptively choosing their keys, which is something the naive scheme of just interpolating keys and shares is vulnerable to. It works as preprocessing on the keys, then you continue on with the naive protocol. The verifier (e.g. network consensus rules) is the same.

Now that you're back to using a cryptographic hash, I think what you're suggesting is "use naive interpolation of Schnorr signatures" -- which you can do, including with the verifier proposed in the BIP, but doing that alone is insecure against adaptive key choice (and potentially adaptive R choice, depending on specifics which aren't clear enough to me in your description). In particular, although it seems surprising, picking your interpolation locations with the hash of each key isn't sufficient to prevent cancellation attacks due to the remarkable power of Wagner's algorithm.
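
Added example (not part of the original message or of any project's code): a minimal Python sketch of the point above, showing that plain key summation accepts a signature made by one party who chose their key after seeing the other's, while MuSig-style key preprocessing feeds the same unchanged Schnorr verifier and rejects it. The secp256k1 arithmetic is hand-rolled, and the function names, the repr()-based hash encoding, the secrets and the fixed nonces are all constructed assumptions; it covers only the simple two-key cancellation, not Wagner-based attacks or safe nonce exchange.

```python
import functools, hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication (demo only, not constant time)
    acc, k = None, k % N
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def H(*parts):  # hash to scalar; repr() is a demo encoding, not the BIP serialization
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def aggregate(keys, musig):  # naive: sum of keys; MuSig-style: sum of H(L, X_i) * X_i
    coeff = [H("agg", keys, X) if musig else 1 for X in keys]
    pts = [mul(a, X) for a, X in zip(coeff, keys)]
    return functools.reduce(add, pts), coeff

def verify(X, msg, R, s):  # the one Schnorr verifier used in every case below
    return mul(s, G) == add(R, mul(H(R, X, msg), X))

def rogue_key_forgery(musig, msg=b"spend"):
    x1, x_adv, k = 0x1111, 0x2222, 0x3333    # constructed toy secrets and nonce
    X1 = mul(x1, G)
    X2 = add(mul(x_adv, G), mul(N - 1, X1))  # chosen after seeing X1: x_adv*G - X1
    agg, _ = aggregate([X1, X2], musig)
    R = mul(k, G)                            # second party signs alone with x_adv
    return verify(agg, msg, R, (k + H(R, agg, msg) * x_adv) % N)

def honest_musig(msg=b"spend"):
    xs, ks = [0x1111, 0x4444], [0x5555, 0x6666]  # constructed secrets, fixed nonces
    agg, coeff = aggregate([mul(x, G) for x in xs], True)
    R = add(mul(ks[0], G), mul(ks[1], G))
    e = H(R, agg, msg)
    s = sum(k + e * a * x for k, a, x in zip(ks, coeff, xs)) % N
    return verify(agg, msg, R, s)
```

rogue_key_forgery(False) returns True and rogue_key_forgery(True) returns False, while honest_musig() still verifies, so only the key preprocessing differs between the two schemes.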