Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7748CC0032 for ; Mon, 7 Aug 2023 00:55:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 4ECA381A73 for ; Mon, 7 Aug 2023 00:55:53 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4ECA381A73 Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=commerceblock-com.20221208.gappssmtp.com header.i=@commerceblock-com.20221208.gappssmtp.com header.a=rsa-sha256 header.s=20221208 header.b=AKzXQYhU X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.897 X-Spam-Level: X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7yv9xCVn3N9p for ; Mon, 7 Aug 2023 00:55:52 +0000 (UTC) Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) by smtp1.osuosl.org (Postfix) with ESMTPS id EC0C68127D for ; Mon, 7 Aug 2023 00:55:51 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org EC0C68127D Received: by mail-wr1-x436.google.com with SMTP id ffacd0b85a97d-31427ddd3fbso3101500f8f.0 for ; Sun, 06 Aug 2023 17:55:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=commerceblock-com.20221208.gappssmtp.com; s=20221208; t=1691369750; x=1691974550; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=VNgx+TId/IKNZQIZ/v0yXyst518Kgm+/D1UUX+Bv1yQ=; b=AKzXQYhUhOGmtI74/ZRjAlwejtkmTAVaSx21rKulOnUl+cR+QjNZBxVDVzmDH0lVib Iomf0e0baogBsE8Jq05jeNDU7rZ98DWy9osGvRu0i0HskCHUYKmjPOaGAqvTVlkSE8pg Is9A9bw7gEz/jMmrcQcaS5V8c1CaE9azOof79t0FzeXBwzv+73lOl1wZAupfAeHWxiMc QsoNBUlwaWnffX1c4j75cM0dGtcaIvGN9B1azFxVnkGlD+tOmdITIN/3SboRmRXtBf3J J8sWWWBokFpzd2bKiqNKwBcfKS9UMqWdXqZaFL1y22OSyeLT3Jqw2IbFCBhBY5TANyPS XeLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691369750; x=1691974550; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VNgx+TId/IKNZQIZ/v0yXyst518Kgm+/D1UUX+Bv1yQ=; b=krJBk5nUXr7SFjgufIe2f8YYl+oHp6EqNcf+bb2VWwLJyXSy1zTN8USklUjdWKZV8v BdJZC58ohSlpRzC370fvpRhz6sAsrQFK+o8m6/n5i9bLwx0RLUXAC51pJIDNGEtknAB3 odvAgpR8/KmT0EfSAjXucMP6nWA61BaD9RsJjTqh8hYH9/FkCXalH9mHkNLY2mEZm8CT n6YNafhM+pFGRWjd82SzylTT824C3cKyjcYQDNNcUXZDS6edNYy7j+sef3suXCFV4Dnv YLDPOstcuhjPSziksJw6/nvsLeVPXZyCbHkeg6gFnV4T5jOkS+OuKfYLUha5++RL/6Mr j7Yw== X-Gm-Message-State: AOJu0YxqDyfIB9bQMd3EqSxbju/KCUVcwv+7wRS6EH5644WLJZFM/8+F P9FjquERKgvcKieLyIVaFb5g2wjdgSSFtLYfM7rhpFOMMhwHxhpJrw== X-Google-Smtp-Source: AGHT+IGc4JVhfKaDNbYNetxFS2MSQjVH8ZYs2SrZhYXU/y1al6eQhjYFpM3urwGHQPSyUcxIlTNDTqUNXUAsyUWtrjw= X-Received: by 2002:a5d:42c4:0:b0:314:1d53:f3aa with SMTP id t4-20020a5d42c4000000b003141d53f3aamr4501732wrr.50.1691369749134; Sun, 06 Aug 2023 17:55:49 -0700 (PDT) MIME-Version: 1.0 References: <7eae57c9-be42-ae07-9296-ae9e8e03c1b8@gmail.com> In-Reply-To: From: Tom Trevethan Date: Mon, 7 Aug 2023 01:55:38 +0100 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000014d2eb06024ab5e3" X-Mailman-Approved-At: Tue, 08 Aug 2023 14:06:48 +0000 Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Aug 2023 00:55:53 -0000 --00000000000014d2eb06024ab5e3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable A follow up to this, I have updated the blinded statechain protocol description to include the mitigation to the Wagner attack by requiring the server to send R1 values only after commitments made to the server of the R2 values used by the user, and that all the previous computed c values are verified by each new statecoin owner. https://github.com/commerceblock/mercury/blob/master/layer/protocol.md Essentially, the attack is possible because the server cannot verify that the blinded challenge (c) value it has been sent by the user has been computed honestly (i.e. c =3D SHA256(X1 + X2, R1 + R2, m) ), however this C= AN be verified by each new owner of a statecoin for all the previous signatures. Each time an owner cooperates with the server to generate a signature on a backup tx, the server will require that the owner send a commitment to their R2 value: e.g. SHA256(R2). The server will store this value before responding with it's R1 value. This way, the owner cannot choose the value of R2 (and hence c). When the statecoin is received by a new owner, they will receive ALL previous signed backup txs for that coin from the sender, and all the corresponding R2 values used for each signature. They will then ask the server (for each previous signature), the commitments SHA256(R2) and the corresponding server generated R1 value and c value used. The new owner will then verify that each backup tx is valid, and that each c value was computed c =3D SHA256(X1 + X2, R1 + R2, m) and each commitment equals SHA256(R2). This ensures that a previous owner could not have generated more valid signatures than the server has partially signed. On Thu, Jul 27, 2023 at 2:25=E2=80=AFPM Tom Trevethan wrote: > > On Thu, Jul 27, 2023 at 9:08=E2=80=AFAM Jonas Nick = wrote: > >> No, proof of knowledge of the r values used to generate each R does not >> prevent >> Wagner's attack. I wrote >> >> > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that >> > c[0] + ... + c[K-1] =3D c[K]. >> >> You can think of this as actually choosing scalars r2[0], ..., r2[K-1] a= nd >> define R2[i] =3D r2[i]*G. The attacker chooses r2[i]. The attack wouldn'= t >> make >> sense if he didn't. >> > --00000000000014d2eb06024ab5e3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
A follow up to this, I have updated the blinded state= chain protocol description to include the mitigation to the Wagner attack b= y requiring=C2=A0the server to send R1 values only after commitments made t= o the server of the R2 values used by the user, and that all the previous c= omputed c values are verified by each new statecoin=C2=A0owner.=C2=A0
=

Essentially, the attack is possible b= ecause the server cannot verify that the blinded challenge (c) value it has= been sent by the user has been computed honestly=C2=A0(i.e. c =3D SHA256(X= 1 + X2, R1 + R2, m) ), however this CAN be verified by each new owner of a = statecoin=C2=A0for all the previous signatures.=C2=A0

<= div>Each time an owner cooperates with the server to generate a signature o= n a backup tx, the server will require that the owner send a commitment to = their R2 value: e.g. SHA256(R2). The server will store this value before re= sponding with it's R1 value. This way, the owner cannot choose the valu= e of R2 (and hence c).=C2=A0

When the statecoin is= received by a new owner, they will receive ALL previous signed backup txs = for that coin from the sender, and all the corresponding R2 values used for= each signature. They will then ask the server (for each previous signature= ), the commitments SHA256(R2) and the corresponding server generated R1 val= ue and c value used. The new owner will then verify that each backup tx is = valid, and that each c value was computed c =3D SHA256(X1 + X2, R1 + R2, m)= =C2=A0 and each commitment equals SHA256(R2). This ensures that a previous = owner could not have generated more valid signatures than the server has pa= rtially signed.=C2=A0

On Thu, Jul 27, 2023 at 2:25=E2=80=AFPM Tom= Trevethan <tom@commerceblock.c= om> wrote:

On Thu,= Jul 27, 2023 at 9:08=E2=80=AFAM Jonas Nick <jonasdnick@gmail.com> wrote:
No, proof of knowledge o= f the r values used to generate each R does not prevent
Wagner's attack. I wrote

=C2=A0>=C2=A0 =C2=A0Using Wagner's algorithm, choose R2[0], ..., R2[= K-1] such that
=C2=A0>=C2=A0 =C2=A0 c[0] + ... + c[K-1] =3D c[K].

You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and<= br> define R2[i] =3D r2[i]*G. The attacker chooses r2[i]. The attack wouldn'= ;t make
sense if he didn't.
--00000000000014d2eb06024ab5e3--