Return-Path: <gmaxwell@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 873CCE7B
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Jul 2018 16:58:40 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-vk0-f43.google.com (mail-vk0-f43.google.com
	[209.85.213.43])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 096C5771
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Jul 2018 16:58:39 +0000 (UTC)
Received: by mail-vk0-f43.google.com with SMTP id s23-v6so10825431vks.7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 09 Jul 2018 09:58:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to:cc;
	bh=YwhGjueCl9B1b2Hh41Hf7f40KY+mlKCo05BWwjR9XAU=;
	b=TnrQROamnXMrBAgKZbPTSF0iWOFR0QO37QxualcEqn850+rkvGaQ58tfyzlnUyWnaZ
	qEh9pLqt9uz/n1qljqs0QsUt6JhEsevjGsxzN5e2pV2Gnp6l6s1jJMq19yVVNXRwlE8Q
	5JKznu8Fd5Ofb4EeNy8VLV+4Iacs0nMegXvhePSJl8A1WH5/t32oRQiQquEj2V2I53ip
	HdpdJBwcPpOSqPWbzYDl/gdd2WchoRYf8/+zddjzQwOjpmJTvh1oEcZSsl+bOwfCoCoi
	bQh4AsoU8edHYBCLlZQohO+Hcx73mrVH2UMZ2XLAjtNvCN/+L7xy2ZthZQgpUiL2DFYp
	JDPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
	:date:message-id:subject:to:cc;
	bh=YwhGjueCl9B1b2Hh41Hf7f40KY+mlKCo05BWwjR9XAU=;
	b=nd/3+a+w58eL42KImP1KSODHfaedzlZReHT63/iyQma4a41mYBE3lvaXnDTNyCxYEW
	dHb9Rajk9wwgXndqjAN4D/gjPJj24ebbPmq0S1q62irsinV6JAtYR4tnwJnnfrdlRErQ
	dSqT1LbPhIp9PRVCdXT0goZZAewpa2SYEpZ4UKWhj5aL4B8u4JSAuUBEyRT5VhqZz33a
	DqzNIJWwJC2oaYyIZmE1lN0kH9G9fZkl6UEiYFLkzGb0zIzK8pKpQ/Za/AgHPA5KXXKL
	JhZO5F2iXvlT6UotpBztUElQ8Qg6bZe07GjzkG5uW11bTX2retd+Q0z3OHeb03gHO/Jp
	f9NA==
X-Gm-Message-State: AOUpUlEohtWR63qSrsikcXfgDK+g8jclnEkbXVpcQMEyq+pjSiFr/okM
	mLZwVRFiceXaX0jQYwky7uW59M15mQNK7I6gY70=
X-Google-Smtp-Source: AAOMgpfxv2DNxO6uu7MsVHcxUom8Q+KNi5aTDYeeAXvYBfXoeF0mk/2S3iB7cqRiL8/Yr8+YLeR5bEOHF6Dfgj3srsE=
X-Received: by 2002:a1f:cfc4:: with SMTP id
	f187-v6mr2559072vkg.116.1531155519121; 
	Mon, 09 Jul 2018 09:58:39 -0700 (PDT)
MIME-Version: 1.0
Sender: gmaxwell@gmail.com
Received: by 2002:a67:51c9:0:0:0:0:0 with HTTP;
	Mon, 9 Jul 2018 09:58:38 -0700 (PDT)
In-Reply-To: <CAJowKgJjQ8EGgbCurOSjTh8ij42_BVeD6dE0y67tzN0Zop3pyg@mail.gmail.com>
References: <CAJowKgLrSe77sqO2iB7mYboo_HW=YjO4=AFdv7L5FUi2vygMiQ@mail.gmail.com>
	<08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de>
	<CAAS2fgSPUc7xRq36rZ9BVLjUTdd152Fgho4sjJXLhfrc71vPMw@mail.gmail.com>
	<CAJowKgL-nRcruXhWdGWrT4x+oV7i3jYST2Wa3bF5m6iT_mOyMw@mail.gmail.com>
	<CAPg+sBjdu4mnda-P0y7Ddu-rN7a1GiUt0hY_wYGsy_bJLKOYMA@mail.gmail.com>
	<CAJowKgLSQZ1LrZayDi7EFc-NSfK_AD+zBdyaF7jBeQRP7tOwYQ@mail.gmail.com>
	<CAPg+sBizrx20XShpeZRvZd4bfq1=E+MFUDmSC9X-xK1CSbV5kQ@mail.gmail.com>
	<CAJowKg+=7nS4gNmtc8a4-2cu1uCOPqxjfchFwDVqUciKNMUYWQ@mail.gmail.com>
	<CAJowKgJ3K=wmCEtoZXJZhrnnA8XJcHYg788KP+7MCeP4Mxf-0w@mail.gmail.com>
	<CAAS2fgSmA02s6Vdk_FYv6NJ4smLBgxnuT4jRYU44G7=bbzv2MA@mail.gmail.com>
	<CAJowKgJjQ8EGgbCurOSjTh8ij42_BVeD6dE0y67tzN0Zop3pyg@mail.gmail.com>
From: Gregory Maxwell <greg@xiph.org>
Date: Mon, 9 Jul 2018 16:58:38 +0000
X-Google-Sender-Auth: E7XUmrJnHvxhTrCZElkTUW2Hp7Q
Message-ID: <CAAS2fgRrkzq6Fa5T_-YDwLDkwi30LpDtMObMEBE+Fmmj0LJpBw@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 16:58:40 -0000

On Mon, Jul 9, 2018 at 4:33 PM, Erik Aronesty <erik@q32.com> wrote:
>>> with security assumptions that match the original Schnorr construction more closely,
>> More closely than what?
> More closely than musig.

MuSig is instructions on using the original Schnorr construction for
multiparty signing which is secure against participants adaptively
choosing their keys, which is something the naive scheme of just
interpolating keys and shares is vulnerable to. It works as
preprocessing on the keys, then you continue on with the naive
protocol. The verifier (e.g. network consensus rules) is the same.

Now that you're back to using a cryptographic hash, I think what
you're suggesting is "use naive interpolation of Schnorr signatures"
-- which you can do, including with the verifier proposed in the BIP,
but doing that alone is insecure against adaptive key choice (and
potentially adaptive R choice, depending on specifics which aren't
clear enough to me in your description). In particular, although it
seems surprising, picking your interpolation locations with the hash of
each key isn't sufficient to prevent cancellation attacks due to the
remarkable power of Wagner's algorithm.
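The point made above (MuSig is preprocessing on the keys, the signing protocol and the verifier stay the plain Schnorr ones, and naive key aggregation is insecure against adaptive key choice) is illustrated by the following added example. It is not code from the thread, the BIP, or any MuSig implementation. It uses Schnorr's original setting, a prime-order subgroup of Z_p^* with toy parameters generated on the fly, a SHA-256 based hash-to-Z_q, and a simplified MuSig that applies only the key-aggregation coefficients a_i = H(L, X_i); the nonce-commitment round of real MuSig is omitted, so the example speaks to the key-choice issue only, not to the adaptive-R concern raised above. All function names are the example's own.

```python
import hashlib
import secrets

# --- Toy Schnorr group: order-q subgroup of Z_p^*, p = 2q + 1 (constructed) ---

def _is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def make_group(start=1_000_001):
    """Return (p, q, g): q prime with p = 2q + 1 prime; g = 4 is a square, so
    it generates the subgroup of prime order q.  Parameters are far too small
    for real use; they exist only to make the algebra runnable."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q, 4

P, Q, G = make_group()

def H(*parts):
    """Hash-to-Z_q over a textual encoding of the inputs (constructed, toy)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# --- Verifier: identical for single-key, naive-aggregate and MuSig keys ---

def verify(X, msg, sig):
    """Plain Schnorr check: g^s == R * X^e (mod p) with e = H(R, X, m)."""
    R, s = sig
    e = H("sig", R, X, msg)
    return pow(G, s, P) == R * pow(X, e, P) % P

def sign_single(x, X, msg):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + H("sig", R, X, msg) * x) % Q

# --- Key aggregation: naive product vs. MuSig preprocessing ---

def naive_aggregate(pubs):
    """Naive aggregation: X = prod X_i.  Vulnerable to a rogue key chosen
    after seeing the other keys."""
    X = 1
    for X_i in pubs:
        X = X * X_i % P
    return X

def musig_coeffs(pubs):
    """MuSig preprocessing: a_i = H(L, X_i), L = the (sorted) key set, so every
    coefficient depends on every key, including an adversary's own."""
    L = sorted(pubs)
    return [H("agg", L, X_i) for X_i in pubs]

def musig_aggregate(pubs):
    X = 1
    for a_i, X_i in zip(musig_coeffs(pubs), pubs):
        X = X * pow(X_i, a_i, P) % P
    return X

def musig_sign(xs, pubs, msg):
    """Honest signers: R = prod g^k_i, e = H(R, X, m), s = sum(k_i + e*a_i*x_i).
    After the key preprocessing this is just the naive interpolation protocol."""
    a = musig_coeffs(pubs)
    X = musig_aggregate(pubs)
    ks = [secrets.randbelow(Q - 1) + 1 for _ in xs]
    R = 1
    for k in ks:
        R = R * pow(G, k, P) % P
    e = H("sig", R, X, msg)
    s = sum(k + e * a_i * x_i for k, a_i, x_i in zip(ks, a, xs)) % Q
    return R, s

def honest_musig_roundtrip(msg):
    """Two honest signers; returns (verifies on msg, verifies on a different msg)."""
    x1, X1 = keygen()
    x2, X2 = keygen()
    pubs = [X1, X2]
    sig = musig_sign([x1, x2], pubs, msg)
    X = musig_aggregate(pubs)
    return verify(X, msg, sig), verify(X, msg + " (altered)", sig)

def rogue_key_demo(msg):
    """Why the preprocessing matters.  Party 2 publishes X2 = X_adv * X1^-1 after
    seeing X1 (it knows no discrete log of X2).  Under naive aggregation the
    aggregate key collapses to X_adv and a single signature with x_adv passes
    the unchanged verifier; under MuSig the same choice yields an aggregate
    nobody can sign for alone.  Returns (naive_breaks, musig_holds)."""
    x1, X1 = keygen()
    x_adv, X_adv = keygen()
    X2 = X_adv * pow(X1, P - 2, P) % P        # Fermat inverse of X1
    pubs = [X1, X2]
    naive = naive_aggregate(pubs)
    naive_breaks = naive == X_adv and verify(naive, msg, sign_single(x_adv, naive, msg))
    mu = musig_aggregate(pubs)
    musig_holds = mu != X_adv and not verify(mu, msg, sign_single(x_adv, mu, msg))
    return naive_breaks, musig_holds

if __name__ == "__main__":
    print("group p=%d q=%d" % (P, Q))
    print("honest MuSig (valid, altered-msg valid):", honest_musig_roundtrip("constructed msg"))
    print("rogue key (naive breaks, MuSig holds):", rogue_key_demo("constructed msg"))
```

The verifier function is deliberately the only thing the two aggregation paths share: that is the property the email stresses (the network's consensus rules do not change between naive and MuSig aggregation; only how the aggregate key is derived does). With q around a million the failure probabilities of the demo checks are about 1/q per run, which is fine for illustration but is, like everything else here, not a security parameter.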