From: Tom Trevethan
Date: Mon, 24 Jul 2023 17:22:15 +0100
To: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

Hi Jonas,

Seems you are right: for every tx, compute c from the on-chain data, and the server can match the c to the m (tx). So there would need to be a method for blinding the value of c.

On Mon, Jul 24, 2023 at 4:39 PM Jonas Nick wrote:

> > Party 1 never learns the final value of (R,s1+s2) or m.
>
> Actually, it seems like a blinding step is missing. Assume the server (party 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> signature verification and then check c == c'? If true, then the server has the
> preimage for the c received from the client, including m.
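The matching check discussed in this message, as an added example that is not part of the original e-mail or of any project code. Assumptions: H is modelled as the BIP340 tagged challenge hash, R, X and m are constructed 32-byte stand-ins, and the additive offset beta (in the style of classic blind Schnorr) is only an illustration of what the server would see if c were blinded, not a complete protocol.

```python
import hashlib

# Order of the secp256k1 group; challenges are scalars modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def challenge(R: bytes, X: bytes, m: bytes) -> int:
    """c = H(R||X||m) as a scalar (assumption: BIP340 tagged hash for H)."""
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    digest = hashlib.sha256(tag + tag + R + X + m).digest()
    return int.from_bytes(digest, "big") % N

def link_sessions(server_log: dict, chain: list) -> dict:
    """Server's view: recompute c' for each on-chain signature and match it
    against the challenges received while signing. Returns session id -> m."""
    by_challenge = {c: sid for sid, c in server_log.items()}
    linked = {}
    for R, X, m in chain:
        sid = by_challenge.get(challenge(R, X, m))
        if sid is not None:
            linked[sid] = m
    return linked

def h(label: str) -> bytes:
    """Constructed 32-byte stand-in for an x-only point or a sighash."""
    return hashlib.sha256(label.encode()).digest()

# Constructed on-chain data: one (R, X, m) tuple per published signature.
CHAIN = [(h("R-a"), h("X-a"), h("tx-a")),
         (h("R-b"), h("X-b"), h("tx-b")),
         (h("R-c"), h("X-c"), h("tx-c"))]

def demo() -> dict:
    # Session 1: the client sent c exactly as it will appear in verification.
    c1 = challenge(*CHAIN[0])
    # Session 2: the client sent c + beta. A real scheme must also adjust the
    # published R so the signature still verifies; only the server's view is
    # modelled here.
    beta = int.from_bytes(h("beta"), "big") % N
    c2 = (challenge(*CHAIN[1]) + beta) % N
    return link_sessions({"session-1": c1, "session-2": c2}, CHAIN)

if __name__ == "__main__":
    for sid, m in demo().items():
        print(sid, "->", m.hex())
```

Only the session whose challenge was sent unmodified is linked to its transaction message; the offset challenge has no match among the recomputed values.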