From: ZmnSCPxj
To: Lloyd Fournier
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Mon, 02 Dec 2019 02:05:01 +0000
Subject: Re: [bitcoin-dev] Composable MuSig

Good morning Lloyd, and list,

> Just a quick note: I think there is a way to commit to a point properly with Pedersen commitments. Consider the following:
>
> COM(X) = (y*G + z*H, y*G + X) where y and z are random and the opening is (y,z,X). This seems to be an unconditionally hiding and computationally binding homomorphic commitment scheme to a point based on the DL problem rather than DDH.

So the Pedersen commitment commits to a tweak on `X`, which is revealed later so we can un-tweak `X`.

Am I correct in assuming that you propose to use `X` for the contribution to `R` for a participant?

How is it different from using ElGamal commitments?

-------

Some number of people have noted, including at least one MuSig author, that in the ElGamal case it would be possible to prove your knowledge of the `q` behind `q * G`, and thus prevent the cancellation attack shown.

We already have a general proof-of-knowledge-of-secret-key, the Schnorr signature signing algorithm itself.

Thus, together with `q * G` in the ElGamal commitment, we could include a Schnorr signature using `q * G`, either of the target message itself, or any constant string.

This seems highly appropriate, yo dawg, I heard you like MuSig, so I put an aggregate in your aggregate, so you could sign (singly) while you sign (multiply).

In terms of a *composable* MuSig, e.g. MuSig(MuSig(A, B), C), both A and B will select `q[a]` and `q[b]` and will generate a shared `q[ab] * G` as the MuSig of `q[a] * G` and `q[b] * G`.

Since they know the corresponding `q[a]` and `q[b]` they will also know the contributions they each will need to generate `q[ab] * H`, but note that there is no proof of this until they reveal `q[a]` and `q[b]`, which may lead to further attacks, this time on `q[ab] * H` instead.

So at least for `q` it seems not to be a good idea, though I have not put much thought into this.

Indeed, it seems to me that signatures using the contributions `R[a]` and `R[b]` as public keys are another way to commit to `R` while ensuring that your own `R` cannot have cancelled the other participant's `R`.

You would have to exchange the (single) signatures of `R[a]` and `R[b]` first, however, otherwise a Wagner attack may be possible if you exchange `R[a]` and `R[b]` first (i.e. the signatures replace the `R` commitment phase of 3-phase MuSig).

The complexity of either sign-while-you-sign idea, however, is much greater.

Your signing algorithm now requires delegating to another signing algorithm, which while at least fair in that you are now signing while you sign because you aggregated while you aggregated, is more complicated to implement practically.

Regards,
ZmnSCPxj
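The two constructions discussed in this thread, Lloyd's point commitment COM(X) = (y*G + z*H, y*G + X) with its homomorphic combination across participants, and ZmnSCPxj's suggestion of a plain Schnorr signature as a proof of knowledge of the scalar behind a published point, are worked through below as an added example. This is not code from the mailing-list thread or from any MuSig implementation. It assumes secp256k1 arithmetic in pure Python, derives a second generator `H` by hashing to an x-coordinate (a nothing-up-my-sleeve construction chosen for the example; the thread does not specify how `H` is obtained), and uses an ad hoc challenge hash `e = SHA256(R.x || P.x || m)` for the Schnorr proof rather than any particular standard.

```python
# Added example (not from the thread): Lloyd's point commitment over secp256k1
# and a Schnorr signature as proof of knowledge of a point's discrete log.
import hashlib
import secrets

# secp256k1 parameters (field prime, group order, base point)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, p):
    """Double-and-add scalar multiplication (not constant time; example only)."""
    k %= N
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def nums_point(tag):
    """Assumed construction: hash to an x-coordinate and lift it to the curve,
    so nobody knows log_G(H). P = 3 mod 4, so sqrt is one modular power."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = nums_point(b"composable-musig-example-H")   # example tag, not a standard


def commit(X):
    """COM(X) = (y*G + z*H, y*G + X); returns the commitment and its opening (y, z, X)."""
    y = secrets.randbelow(N - 1) + 1
    z = secrets.randbelow(N - 1) + 1
    c = (add(mul(y, G), mul(z, H)), add(mul(y, G), X))
    return c, (y, z, X)


def verify_opening(c, opening):
    """Recompute both components from the opening; binding rests on log_G(H) being unknown."""
    y, z, X = opening
    return c[0] == add(mul(y, G), mul(z, H)) and c[1] == add(mul(y, G), X)


def combine(c1, c2):
    """Homomorphic property: COM(X1) + COM(X2) opens to (y1+y2, z1+z2, X1+X2)."""
    return (add(c1[0], c2[0]), add(c1[1], c2[1]))


def combine_openings(o1, o2):
    return ((o1[0] + o2[0]) % N, (o1[1] + o2[1]) % N, add(o1[2], o2[2]))


def _challenge(R, pk, msg):
    return int.from_bytes(hashlib.sha256(
        R[0].to_bytes(32, "big") + pk[0].to_bytes(32, "big") + msg).digest(), "big") % N


def schnorr_sign(sk, msg):
    """Plain Schnorr signature; proves knowledge of sk behind sk*G (the thread's 'sign while you sign')."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    e = _challenge(R, mul(sk, G), msg)
    return (R, (k + e * sk) % N)


def schnorr_verify(pk, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(_challenge(R, pk, msg), pk))


def demo():
    """Two participants commit to their nonce points, then open the combined commitment."""
    qa, qb = 111, 222                                   # constructed toy secrets
    Ra, Rb = mul(qa, G), mul(qb, G)
    ca, oa = commit(Ra)
    cb, ob = commit(Rb)
    joint_ok = verify_opening(combine(ca, cb), combine_openings(oa, ob))
    pok_ok = schnorr_verify(Ra, b"proof-of-knowledge", schnorr_sign(qa, b"proof-of-knowledge"))
    return {"joint_open_ok": joint_ok, "pok_ok": pok_ok}


if __name__ == "__main__":
    print(demo())
```

The combined commitment opens to `R[a] + R[b]` without either party ever revealing its own `y` or `z` before the opening phase, which is the homomorphic behaviour Lloyd describes; the Schnorr check is the separate proof that whoever published `q * G` actually holds `q`, as ZmnSCPxj proposes for the ElGamal variant.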