From: Jonas Nick <jonasdnick@gmail.com>
Date: Wed, 26 Jul 2023 14:59:42 +0000
To: moonsettler <moonsettler@protonmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

While this may solve blinding, I don't see how it solves the problem that the
client can forge signatures because the client is in control of challenge e'.
This is not special to MuSig(2), but is also the reason why original blind
Schnorr signatures are insecure (as demonstrated in David Wagner's "A
Generalized Birthday Problem" paper).

For some more recent work on blind Schnorr signatures, see:
- https://eprint.iacr.org/2019/877.pdf Blind Schnorr Signatures and Signed
   ElGamal Encryption in the Algebraic Group Model
- https://eprint.iacr.org/2020/1071.pdf On Pairing-Free Blind Signature Schemes
   in the Algebraic Group Model

In particular, the first paper proposes a less-efficient variant of blind
Schnorr signatures that is secure under concurrent signing if the "mROS" problem
is hard (which is imho plausible). Another potential approach is using
commitments and a ZKP as I mentioned earlier in this thread. This scheme is
"folklore", in the sense that it is being discussed from time to time but isn't
specified and does not have a security proof as far as I am aware.
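
Added example (not part of the original message or of any project discussed in the thread): a plain blind Schnorr session over a constructed toy group, showing that the signer only ever receives a scalar challenge chosen by the client and cannot check how it was derived. The group parameters and the names `Signer`, `blind_sign` and `answers_arbitrary_challenge` are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def H(R: int, msg: bytes) -> int:
    """Challenge hash, reduced into Z_q."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

def verify(X: int, msg: bytes, sig: tuple) -> bool:
    """Standard Schnorr check: g^s == R * X^H(R, msg)."""
    R, s = sig
    return pow(G, s, P) == (R * pow(X, H(R, msg), P)) % P

class Signer:
    """Blind signer: never sees the message, only a scalar challenge."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.X = pow(G, self.x, P)
        self.view = []  # every challenge the signer was asked to answer

    def nonce(self) -> int:
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        # c is just a number in Z_q; nothing ties it to a hash or a message.
        r, self.r = self.r, None  # a nonce is answered once, then discarded
        self.view.append(c)
        return (r + c * self.x) % Q

def blind_sign(signer: Signer, msg: bytes):
    """Client side of one session; returns (signature, real challenge, beta)."""
    R = signer.nonce()
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_blind = (R * pow(G, alpha, P) * pow(signer.X, beta, P)) % P
    c_real = H(R_blind, msg)       # challenge of the final signature
    c_sent = (c_real + beta) % Q   # blinded challenge the signer sees
    s = signer.respond(c_sent)
    return (R_blind, (s + alpha) % Q), c_real, beta

def answers_arbitrary_challenge(signer: Signer, c: int) -> bool:
    """The signer's reply satisfies g^s == R * X^c for any c, hashed or not."""
    R = signer.nonce()
    s = signer.respond(c)
    return pow(G, s, P) == (R * pow(signer.X, c, P)) % P
```

The unblinded pair `(R_blind, s + alpha)` verifies under the signer's key for a message the signer never saw, while `signer.view` holds only the blinded scalar.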