From: Jonas Nick
Date: Wed, 26 Jul 2023 14:59:42 +0000
To: moonsettler, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

While this may solve blinding, I don't see how it solves the problem that the client can forge signatures because the client is in control of challenge e'. This is not special to MuSig(2), but is also the reason why original blind Schnorr signatures are insecure (as demonstrated in David Wagner's "A Generalized Birthday Problem" paper).

For some more recent work on blind Schnorr signatures, see:

- https://eprint.iacr.org/2019/877.pdf Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model
- https://eprint.iacr.org/2020/1071.pdf On Pairing-Free Blind Signature Schemes in the Algebraic Group Model

In particular, the first paper proposes a less-efficient variant of blind Schnorr signatures that is secure under concurrent signing if the "mROS" problem is hard (which is imho plausible). Another potential approach is using commitments and a ZKP as I mentioned earlier in this thread.
This scheme is "folklore", in the sense that it is being discussed from time to time but isn't specified and does not have a security proof as far as I am aware.
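
An added example, not part of the original message: textbook blind Schnorr signing over a toy group, showing that the signer answers a bare client-chosen scalar and that its session transcript is consistent with every valid signature, so it cannot audit what it signed. The group parameters, names and messages are constructed for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(R: int, msg: bytes) -> int:
    digest = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Signer:
    def __init__(self) -> None:
        self.x = secrets.randbelow(Q - 1) + 1   # secret key
        self.X = pow(G, self.x, P)              # public key
        self._r = None

    def commit(self) -> int:
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(G, self._r, P)

    def respond(self, e_sent: int) -> int:
        # All the signer receives is a bare scalar. Nothing binds it to a message
        # or to a hash of anything, so the signer cannot check how it was derived.
        r, self._r = self._r, None              # a nonce is used exactly once
        return (r + e_sent * self.x) % Q

def blind_sign(signer: Signer, msg: bytes):
    R = signer.commit()
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_final = R * pow(G, alpha, P) * pow(signer.X, beta, P) % P
    e_sent = (challenge(R_final, msg) + beta) % Q   # chosen entirely by the client
    s = signer.respond(e_sent)
    return (R_final, (s + alpha) % Q), (R, e_sent, s)   # signature, signer's view

def verify(X: int, msg: bytes, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, msg), P) % P

def view_links_to(X: int, view, msg: bytes, sig) -> bool:
    # Solve for the blinding factors that would connect this session to this
    # signature. They exist for every valid pairing, so the signer's transcript
    # says nothing about which message a session signed.
    (R, e_sent, s), (R_final, s_final) = view, sig
    alpha = (s_final - s) % Q
    beta = (e_sent - challenge(R_final, msg)) % Q
    return R_final == R * pow(G, alpha, P) * pow(X, beta, P) % P
```

Because `respond` cannot tell an honestly derived challenge from any other scalar, the signer has no per-session check to apply, which is why the schemes in the cited papers change the protocol itself.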