From: vjudeu
To: bitcoin-dev@lists.linuxfoundation.org
Date: Sat, 15 May 2021 12:21:00 +0200
Message-Id: <131606955-6366ea10aec2eec765339d72e7c936ab@pmq5v.m5r2.onet>
Subject: [bitcoin-dev] Sum of the keys attack on taproot
List-Id: Bitcoin Protocol Discussion

We have some taproot address with private key "a" and public key "a*G", owned by Alice. Bob wants to take Alice's coins without her permission. He owns a taproot address with private key "b" and public key "b*G". He knows "a*G" by exploring the chain and looking for P2TR outputs. To grab Alice's funds, he creates a "(b-a)*G" taproot address and sends some small amount to this address. Then, Bob can create a transaction with two inputs, taking coins from the "a*G" and "(b-a)*G" addresses. All that is needed is producing a signature matching the sum of the public keys used in taproot, which is "(a+b-a)*G", reduced to "b*G", so Bob uses his "b" private key to produce a Schnorr signature. Is there any protection from this attack?
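An added example (not code from the post, from Bitcoin Core, or from any library) that works through the key algebra in the message above: textbook Schnorr over secp256k1, simplified rather than BIP340-exact, with constructed keys, nonce and message. It computes the cross-input sum (a+b-a)*G that the post reasons about, and separately verifies Bob's signature against Alice's key a*G on its own, which models how each transaction input is checked against the key of the output it spends; all function names and numeric values are assumptions for the demo.

```python
import hashlib
# secp256k1: field prime, group order, generator (affine); None = point at infinity
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and y1 != y2:
        return None                      # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, p):                     # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, p)
        p, k = point_add(p, p), k >> 1
    return r

def challenge(R, pub, msg):              # e = H(R.x || P.x || m) mod n
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def schnorr_sign(d, msg, nonce):         # textbook Schnorr, not BIP340-exact
    R = point_mul(nonce, G)
    return (R, (nonce + challenge(R, point_mul(d, G), msg) * d) % N)

def schnorr_verify(pub, msg, sig):       # s*G == R + e*P
    R, s = sig
    return point_mul(s, G) == point_add(R, point_mul(challenge(R, pub, msg), pub))

def sum_of_keys_scenario(a, b, msg, nonce):
    A = point_mul(a, G)                  # Alice's output key a*G
    C = point_mul((b - a) % N, G)        # Bob's constructed (b-a)*G output key
    aggregate = point_add(A, C)          # the cross-input sum the post reasons about
    sig = schnorr_sign(b, msg, nonce)    # Bob signs with his key b
    return {
        "aggregate_is_bG": aggregate == point_mul(b, G),
        "valid_against_aggregate": schnorr_verify(aggregate, msg, sig),
        "valid_against_alice_input": schnorr_verify(A, msg, sig),   # per-input check
    }
```

Run with constructed values, for example `sum_of_keys_scenario(12345, 67890, b"spend", 4242)`: the aggregate does reduce to b*G, but the signature under b only verifies against that aggregate, not against Alice's key a*G that her input is checked with.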