1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
|
Return-Path: <earonesty@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id CF1D3C0032
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 25 Jul 2023 14:12:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id A93FB40BAD
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 25 Jul 2023 14:12:44 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A93FB40BAD
Authentication-Results: smtp2.osuosl.org;
dkim=pass (2048-bit key) header.d=q32-com.20221208.gappssmtp.com
header.i=@q32-com.20221208.gappssmtp.com header.a=rsa-sha256
header.s=20221208 header.b=jqXHlNae
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=no autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id A3glHg0Y0xGM
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 25 Jul 2023 14:12:43 +0000 (UTC)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com
[IPv6:2607:f8b0:4864:20::b2b])
by smtp2.osuosl.org (Postfix) with ESMTPS id 4B86440B91
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 25 Jul 2023 14:12:43 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4B86440B91
Received: by mail-yb1-xb2b.google.com with SMTP id
3f1490d57ef6-cfebdba63cdso821858276.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 25 Jul 2023 07:12:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=q32-com.20221208.gappssmtp.com; s=20221208; t=1690294362; x=1690899162;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=B6OKeaSQJ0TNolxBXAXC+O9p1oARizz0xyZ0UXTgrdc=;
b=jqXHlNae9EwcjcvHiw5n0ToMZcZPkHw3bGdwCjkNPJYibSW1BKoNWz+kxml72PX0aH
4i79zVJEOdGqCLfT7djTO4ODsEvafHrcNOZZ1IC9wfgR2MsA9+jCecq4lfE+QDoj09Zz
hLz/wnImLtBZp4RkzbEIuo4kpkHmRRABLOX7SMazKZwD1FtjbYtXl3uu9X8Emggs5vVI
I5x12yQE2peKiUydfW8m6zUx5JBpTRA9OPdEcRLzqXz3uJ7bLYxOMKx2uz7YwE14wuSR
ZosP3xHHySDqyjTvuKT9ofrtZVaRU2LWjWcSzFuxocAFykC/pceMeBHjSN7GUjyHxN17
Pr9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1690294362; x=1690899162;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=B6OKeaSQJ0TNolxBXAXC+O9p1oARizz0xyZ0UXTgrdc=;
b=NnGjtsvurQb31eTK2GEvGUIeldkiTt/xVeN0/MdmQIGI1TKQtla5c9VbmX/NlQMJNj
fTC3FC7hcP43p52iaHyzGIKDYJA43yyo+2OfujpNJZsr86YROJXOx7ai+NDfxHaM47MI
5z6ghym9o1+SbL5mLXMj9WlUN3JgtO99EcgTBC0mmZgKhYnqC2hA5h/xdRtnB+xRqypP
2A5fUqF8OPnDZPQJH8eL+iTESBHncUqWGPMu0xoqGS7mRIx3dMAH9z/aQNL11gAZPT7S
UlKGId1ZnFem+68sKSOnBoublbg3QFXlIPVd6zygzxXH8D1rA2AjTKahNLFtNUnH1ErC
L8ug==
X-Gm-Message-State: ABy/qLYoCczl576jhTjf4rwSWaFUchuQHCp3oWiIKiARE0+Krmie9X0T
sWk2FI3JEkKkQjQZtPLLDRlSAmYPgYKF08CZT28Qif4=
X-Google-Smtp-Source: APBJJlEolS2e9ekEV0u3qZb3ow2+1tzc9W8MFK1MprMwX/Yxv2bYrV8/zU9e7RVX2B0EEbCdFBZWjIcKnxYG42urgVE=
X-Received: by 2002:a25:b0a6:0:b0:d1a:cfb0:1805 with SMTP id
f38-20020a25b0a6000000b00d1acfb01805mr365711ybj.0.1690294362104; Tue, 25 Jul
2023 07:12:42 -0700 (PDT)
MIME-Version: 1.0
References: <CAJvkSsc_rKneeVrLkTqXJDKcr+VQNBHVJyXVe=7PkkTZ+SruFQ@mail.gmail.com>
<ca674cee-6fe9-f325-7e09-f3efda082b6b@gmail.com>
<YwMiFAEImHAJfAHHU7WbN1C1JuHjh0vC18Hn61QplFOlY5mEgKmjsAlj2geV1-28E36_wgfL9_QHTRJsbtOLt73o9C4JfoVt8scvYGzKHOI=@protonmail.com>
In-Reply-To: <YwMiFAEImHAJfAHHU7WbN1C1JuHjh0vC18Hn61QplFOlY5mEgKmjsAlj2geV1-28E36_wgfL9_QHTRJsbtOLt73o9C4JfoVt8scvYGzKHOI=@protonmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Tue, 25 Jul 2023 10:12:31 -0400
Message-ID: <CAJowKgJ61nWBHMfNVx7J+C1QwZZMQ9zUaFQnAw1roXiPfi5O6A@mail.gmail.com>
To: AdamISZ <AdamISZ@protonmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000004ecfb0601505307"
X-Mailman-Approved-At: Tue, 25 Jul 2023 21:18:41 +0000
Cc: Tom Trevethan <tom@commerceblock.com>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2023 14:12:44 -0000
--00000000000004ecfb0601505307
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
posk is "proof of secret key". so you cannot use wagner to select R
On Mon, Jul 24, 2023 at 1:59=E2=80=AFPM AdamISZ via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> @ZmnSCPxj:
>
> yes, Wagner is the attack you were thinking of.
>
> And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the =
R
> commitments.
>
> @Tom:
> As per above it seems you were more considering MuSig1 here, not MuSig2.
> At least in this version. So you need the initial commitments to R.
>
> Jonas' reply clearly has covered a lot of what matters here, but I wanted
> to mention (using your notation):
>
> in s1 =3D c * a1 * x1 + r1, you expressed the idea that the challenge c
> could be given to the server, to construct s1, but since a1 =3D H(L, X1) =
and
> L is the serialization of all (in this case, 2) keys, that wouldn't work
> for blinding the final key, right?
> But, is it possible that this addresses the other problem?
> If the server is given c1*a1 instead as the challenge for signing (with
> their "pure" key x1), then perhaps it avoids the issue? Given what's on t=
he
> blockchain ends up allowing calculation of 'c' and the aggregate key a1X1=
+
> a2X2, is it the case that you cannot find a1 and therefore you cannot
> correlate the transaction with just the quantity 'c1*a1' which the server
> sees?
>
> But I agree with Jonas that this is just the start, i.e. the fundamental
> requirement of a blind signing scheme is there has to be some guarantee o=
f
> no 'one more forgery' possibility, so presumably there has to be some pro=
of
> that the signing request is 'well formed' (Jonas expresses it below as a
> ZKP of a SHA2 preimage .. it does not seem pretty but I agree that on the
> face of it, that is what's needed).
>
> @Jonas, Erik:
> 'posk' is probably meant as 'proof of secret key' which may(?) be a mixup
> with what is sometimes referred to in the literature as "KOSK" (iirc they
> used it in FROST for example). It isn't clear to me yet how that factors
> into this scenario, although ofc it is for sure a potential building bloc=
k
> of these constructions.
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>
> > Hi Tom,
> >
> > I'm not convinced that this works. As far as I know blind musig is stil=
l
> an open
> > research problem. What the scheme you propose appears to try to prevent
> is that
> > the server signs K times, but the client ends up with K+1 Schnorr
> signatures for
> > the aggregate of the server's and the clients key. I think it's possibl=
e
> to
> > apply a variant of the attack that makes MuSig1 insecure if the nonce
> commitment
> > round was skipped or if the message isn't determined before sending the
> nonce.
> > Here's how a malicious client would do that:
> >
> > - Obtain K R-values R1[0], ..., R1[K-1] from the server
> > - Let
> > R[i] :=3D R1[i] + R2[i] for all i <=3D K-1
> > R[K] :=3D R1[0] + ... + R1[K-1]
> > c[i] :=3D H(X, R[i], m[i]) for all i <=3D K.
> > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
> > c[0] + ... + c[K-1] =3D c[K].
> > - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].
> > - Let
> > s[K] =3D s[0] + ... + s[K-1].
> > Then (s[K], R[K]) is a valid signature from the server, since
> > s[K]G =3D R[K] + c[K]a1X1,
> > which the client can complete to a signature for public key X.
> >
> > What may work in your case is the following scheme:
> > - Client sends commitment to the public key X2, nonce R2 and message m
> to the
> > server.
> > - Server replies with nonce R1 =3D k1G
> > - Client sends c to the server and proves in zero knowledge that c =3D
> > SHA256(X1 + X2, R1 + R2, m).
> > - Server replies with s1 =3D k1 + c*x1
> >
> > However, this is just some quick intuition and I'm not sure if this
> actually
> > works, but maybe worth exploring.
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--00000000000004ecfb0601505307
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">posk is "proof of secret key".=C2=A0 =C2=A0so yo=
u cannot use wagner to select R</div><br><div class=3D"gmail_quote"><div di=
r=3D"ltr" class=3D"gmail_attr">On Mon, Jul 24, 2023 at 1:59=E2=80=AFPM Adam=
ISZ via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation=
.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockq=
uote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1p=
x solid rgb(204,204,204);padding-left:1ex">@ZmnSCPxj:<br>
<br>
yes, Wagner is the attack you were thinking of.<br>
<br>
And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the R =
commitments.<br>
<br>
@Tom:<br>
As per above it seems you were more considering MuSig1 here, not MuSig2. At=
least in this version. So you need the initial commitments to R.<br>
<br>
Jonas' reply clearly has covered a lot of what matters here, but I want=
ed to mention (using your notation):<br>
<br>
in s1 =3D c * a1 * x1 + r1, you expressed the idea that the challenge c cou=
ld be given to the server, to construct s1, but since a1 =3D H(L, X1) and L=
is the serialization of all (in this case, 2) keys, that wouldn't work=
for blinding the final key, right?<br>
But, is it possible that this addresses the other problem?<br>
If the server is given c1*a1 instead as the challenge for signing (with the=
ir "pure" key x1), then perhaps it avoids the issue? Given what&#=
39;s on the blockchain ends up allowing calculation of 'c' and the =
aggregate key a1X1 + a2X2, is it the case that you cannot find a1 and there=
fore you cannot correlate the transaction with just the quantity 'c1*a1=
' which the server sees?<br>
<br>
But I agree with Jonas that this is just the start, i.e. the fundamental re=
quirement of a blind signing scheme is there has to be some guarantee of no=
'one more forgery' possibility, so presumably there has to be some=
proof that the signing request is 'well formed' (Jonas expresses i=
t below as a ZKP of a SHA2 preimage .. it does not seem pretty but I agree =
that on the face of it, that is what's needed).<br>
<br>
@Jonas, Erik:<br>
'posk' is probably meant as 'proof of secret key' which may=
(?) be a mixup with what is sometimes referred to in the literature as &quo=
t;KOSK" (iirc they used it in FROST for example). It isn't clear t=
o me yet how that factors into this scenario, although ofc it is for sure a=
potential building block of these constructions.<br>
<br>
Sent with Proton Mail secure email.<br>
<br>
------- Original Message -------<br>
On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev <<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>> wrote:<br>
<br>
<br>
> Hi Tom,<br>
> <br>
> I'm not convinced that this works. As far as I know blind musig is=
still an open<br>
> research problem. What the scheme you propose appears to try to preven=
t is that<br>
> the server signs K times, but the client ends up with K+1 Schnorr sign=
atures for<br>
> the aggregate of the server's and the clients key. I think it'=
s possible to<br>
> apply a variant of the attack that makes MuSig1 insecure if the nonce =
commitment<br>
> round was skipped or if the message isn't determined before sendin=
g the nonce.<br>
> Here's how a malicious client would do that:<br>
> <br>
> - Obtain K R-values R1[0], ..., R1[K-1] from the server<br>
> - Let<br>
> R[i] :=3D R1[i] + R2[i] for all i <=3D K-1<br>
> R[K] :=3D R1[0] + ... + R1[K-1]<br>
> c[i] :=3D H(X, R[i], m[i]) for all i <=3D K.<br>
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that<br>
> c[0] + ... + c[K-1] =3D c[K].<br>
> - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].<br=
>
> - Let<br>
> s[K] =3D s[0] + ... + s[K-1].<br>
> Then (s[K], R[K]) is a valid signature from the server, since<br>
> s[K]G =3D R[K] + c[K]a1X1,<br>
> which the client can complete to a signature for public key X.<br>
> <br>
> What may work in your case is the following scheme:<br>
> - Client sends commitment to the public key X2, nonce R2 and message m=
to the<br>
> server.<br>
> - Server replies with nonce R1 =3D k1G<br>
> - Client sends c to the server and proves in zero knowledge that c =3D=
<br>
> SHA256(X1 + X2, R1 + R2, m).<br>
> - Server replies with s1 =3D k1 + c*x1<br>
> <br>
> However, this is just some quick intuition and I'm not sure if thi=
s actually<br>
> works, but maybe worth exploring.<br>
> _______________________________________________<br>
> bitcoin-dev mailing list<br>
> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a><br>
> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org=
/mailman/listinfo/bitcoin-dev</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--00000000000004ecfb0601505307--
|
