Date: Wed, 26 Jul 2023 19:19:44 +0000
To: moonsettler <moonsettler@protonmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: AdamISZ <AdamISZ@protonmail.com>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

It's an interesting idea for a protocol. If I get it right, your basic idea here is to kind of "shoehorn" in a 2FA authentication, and that the blind-signing server has no other function than to check the 2FA?

This makes it different from most uses of blind signing, where *counting* the number of signatures matters (hence 'one more forgery' etc). Here, you are just saying "I'll sign whatever the heck you like, as long as you're authorized with this 2FA procedure".

Going to ignore the details of practically what that means - though I'm sure that's where most of the discussion would end up - but just looking at your protocol in the gist:

It seems you're not checking K values against attacks, so for example this would allow someone to extract the server's key from one signing:

1. Alice, after receiving K2, sets K1 = K1' - K2, where the secret key of K1' is k1'.
2. Chooses b as normal, sends e' as normal.
3. Receiving s2, calculate s = s1 + s2 as normal.

So since s = k + ex = (k' + bx) + ex = k' + e'x, and you know s, k' and e', you can derive x. Then x2 = x - x1.

(Gist I'm referring to: https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb)




Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:


> Hi All,
>
> I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):
>
> Signing:
>
> X = X1 + X2
> K1 = k1G
> K2 = k2G
>
> R = K1 + K2 + bX
> e = hash(R||X||m)
>
> e' = e + b
> s = (k1 + e'*x1) + (k2 + e'*x2)
> s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)
>
> sG = (K1 + K2 + bX) + eX
> sG = R + eX
>
> Verification:
>
> Rv = sG - eX
> ev = hash(R||X||m)
> e ?= ev
>
> https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb
>
> Been trying to get a review on this for a while, please let me know if I got it wrong!
>
> BR,
> moonsettler
>
> ------- Original Message -------
> On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
>
> > > Party 1 never learns the final value of (R,s1+s2) or m.
> >
> > Actually, it seems like a blinding step is missing. Assume the server (party 1)
> > received some c during the signature protocol. Can't the server scan the
> > blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> > signature verification and then check c == c'? If true, then the server has the
> > preimage for the c received from the client, including m.