References: <CAJvkSsc_rKneeVrLkTqXJDKcr+VQNBHVJyXVe=7PkkTZ+SruFQ@mail.gmail.com>
 <ca674cee-6fe9-f325-7e09-f3efda082b6b@gmail.com>
 <YwMiFAEImHAJfAHHU7WbN1C1JuHjh0vC18Hn61QplFOlY5mEgKmjsAlj2geV1-28E36_wgfL9_QHTRJsbtOLt73o9C4JfoVt8scvYGzKHOI=@protonmail.com>
 <CAJowKgJ61nWBHMfNVx7J+C1QwZZMQ9zUaFQnAw1roXiPfi5O6A@mail.gmail.com>
 <CAJvkSsdAVFf44XXXXhXqV7JcnmV796vttHEtNEp=v-zxehUofw@mail.gmail.com>
 <CAJowKgJFHzXEtJij4K0SR_KvatTZMDfUEU40noMzR2ubj8OSvA@mail.gmail.com>
 <c5ae9d75-e64f-1565-93d0-e2b5df45d3f4@gmail.com>
 <CAJvkSsdRCHA6pB0mMY-7SE4GbDodAR34_RMgPrhEZAAq_8O2Aw@mail.gmail.com>
 <CAJowKg+wjq8kTOmhEuu--hS2s_FvYEg61z8C_SOvFLsANesc7g@mail.gmail.com>
In-Reply-To: <CAJowKg+wjq8kTOmhEuu--hS2s_FvYEg61z8C_SOvFLsANesc7g@mail.gmail.com>
From: Lloyd Fournier <lloyd.fourn@gmail.com>
Date: Thu, 27 Jul 2023 10:54:17 +0800
Message-ID: <CAH5Bsr2xcp5Hy2DZAWy6PyRMbD9P-8ynmKAGFHgukdLv7VrpQw@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Cc: Tom Trevethan <tom@commerceblock.com>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

Hello all,

1. No proof of knowledge of each R does *NOT* prevent Wagner's attack.
2. In my mind, a generic blind signing service is sufficient for doing
blinded MuSig, MuSig2, FROST or whatever without the blind signing service
knowing. You don't need a specialized MuSig2 blind signing service to
extract MuSig2 compatible shares from it. You can just add the MuSig tweak
(and/or BIP32 etc) to their key when you do the blind signing request (this
seemed to be what the OP was suggesting). Making the server have multiple
nonces like in MuSig2 proper doesn't help the server's security at all. I
think the problem is simply reduced to creating a secure blind Schnorr
signing service. Jonas mentioned some papers which show how to do that. The
question is mostly about whether you can practically integrate those tricks
into your protocol, which might be tricky.

LL

On Thu, 27 Jul 2023 at 08:20, Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> correct.  you cannot select R if it is shipped with a POP
>
> On Wed, Jul 26, 2023, 4:35 PM Tom Trevethan <tom@commerceblock.com> wrote:
>
>> Not 'signing' but 'secret' i.e. the r values (ephemeral keys). Proof of
>> knowledge of the r values used to generate each R used prevents the Wagner
>> attack, no?
>>
>> On Wed, Jul 26, 2023 at 8:59 PM Jonas Nick <jonasdnick@gmail.com> wrote:
>>
>>> None of the attacks mentioned in this thread so far (ZmnSCPxj mentioned
>>> an
>>> attack on the nonces, I mentioned an attack on the challenge c) can be
>>> prevented
>>> by proving knowledge of the signing key (usually known as proof of
>>> possession,
>>> PoP).
>>>
>> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
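The construction in point 2 above, worked through as an added example that is not code from the thread or from any of the participants: a generic blind Schnorr server that only ever computes k + c*x for a client-supplied scalar, used by a client to obtain a signature valid under a 2-of-2 MuSig-style aggregate key. The "tweak" is the server's key-aggregation coefficient multiplied into the real challenge before it is blinded, so the server learns neither the coefficient, the aggregate key, the challenge nor the message. Assumptions of this example: plain SHA-256 over uncompressed points instead of BIP-340 tagged hashes, a simplified KeyAgg coefficient H(L || P_i) rather than the exact MuSig2 rule, and Chaum-style alpha/beta blinding of the nonce and challenge.

```python
# Added example (not code from the thread): a generic blind Schnorr server
# used by a client to obtain a 2-of-2 MuSig-style signature, folding the
# server's key-aggregation coefficient into the blinded challenge.
# Assumptions: plain SHA-256 over uncompressed points (not BIP-340 tagged
# hashes), a simplified KeyAgg coefficient, Chaum-style alpha/beta blinding.
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def rand_scalar():
    return 1 + secrets.randbelow(N - 1)

def schnorr_verify(pub, msg, sig):
    R, s = sig
    c = hash_to_scalar(encode(R), encode(pub), msg)
    return point_mul(s, G) == point_add(R, point_mul(c, pub))

class BlindSigner:
    """Generic blind Schnorr server: answers k + c_blind * x for any client scalar."""
    def __init__(self):
        self.x = rand_scalar()
        self.pub = point_mul(self.x, G)
        self.sessions = {}

    def new_session(self):
        sid, k = secrets.token_hex(8), rand_scalar()
        self.sessions[sid] = k
        return sid, point_mul(k, G)

    def sign(self, sid, c_blind):
        k = self.sessions.pop(sid)  # one answer per nonce, never reused
        return (k + c_blind * self.x) % N

def keyagg(pubs):
    # Simplified MuSig KeyAgg: a_i = H(L || P_i), P_agg = sum of a_i * P_i.
    L = b"".join(encode(p) for p in pubs)
    coeffs = [hash_to_scalar(L, encode(p)) for p in pubs]
    agg = None
    for a, p in zip(coeffs, pubs):
        agg = point_add(agg, point_mul(a, p))
    return coeffs, agg

def blind_musig_sign(server, client_x, msg):
    """Client side: one blind request yields a signature under the 2-of-2 key."""
    client_pub = point_mul(client_x, G)
    (a_s, a_c), P_agg = keyagg([server.pub, client_pub])
    sid, R_s = server.new_session()
    alpha, beta, k_c = rand_scalar(), rand_scalar(), rand_scalar()
    # Nonce the verifier sees: server nonce + blinding terms + client nonce.
    R_agg = point_add(point_add(R_s, point_mul(alpha, G)),
                      point_add(point_mul(beta, server.pub), point_mul(k_c, G)))
    c = hash_to_scalar(encode(R_agg), encode(P_agg), msg)
    # The tweak: scale the real challenge by the server's KeyAgg coefficient,
    # then blind it so the server learns neither a_s nor c.
    c_blind = (a_s * c + beta) % N
    s_s = server.sign(sid, c_blind)
    if point_mul(s_s, G) != point_add(R_s, point_mul(c_blind, server.pub)):
        raise ValueError("server returned an invalid blind partial signature")
    # Unblind, then add the client's own nonce and key shares.
    s = (s_s + alpha + k_c + a_c * c * client_x) % N
    return P_agg, (R_agg, s)

if __name__ == "__main__":
    srv, x_c, msg = BlindSigner(), rand_scalar(), b"constructed sample message"
    P_agg, sig = blind_musig_sign(srv, x_c, msg)
    print("verifies under aggregate key:", schnorr_verify(P_agg, msg, sig))
```

The algebra the client relies on: s*G = R_s + (a_s*c + beta)*P_s + alpha*G + k_c*G + a_c*c*P_c = R_agg + c*(a_s*P_s + a_c*P_c), which is exactly what schnorr_verify checks against P_agg. The server above is deliberately the plain blind Schnorr service the reply reduces the problem to, and it carries none of the hardening from the papers Jonas referred to: it hands out independent nonces and signs any scalar it is given, so a client running many sessions against it concurrently is in precisely the parallel-session setting of the Wagner/ROS attack the thread is about, and as point 1 says, a proof of knowledge of each R does nothing to close that.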
