From: Gregory Maxwell <greg@xiph.org>
Date: Tue, 11 Sep 2018 17:51:01 +0000
Message-ID: <CAAS2fgTRmsws4y7yz=584QXvjsVawY84je=jOEoXm2RK_jieXQ@mail.gmail.com>
In-Reply-To: <CAJowKgK9UdavrGnKum43dx+DXe+LakHXuVU6bNhMFtEoy2U3Og@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

On Tue, Sep 11, 2018 at 5:38 PM Erik Aronesty <erik@q32.com> wrote:
>
> - Musig, by being M of M, is inherently prone to loss.

M of M is a particular threshold.   If you want M of M (there are
plenty of cases where M of M _must_ be used) then you get the
consequences of M of M, which presumably you want.

This has nothing to do with musig.  If you want a threshold other than
M of M then you use a threshold other than M of M.

No one is under the impression that M of M is somehow a replacement
for other thresholds.  We've spent more time talking about M of M in
some writeups in the past because it's exactly the case you need for
signature aggregation in Bitcoin and because it's a simpler case to
explain.

> - Having the senders of the G*x pubkey shares sign their messages with the associated private key share should be sufficient to prevent them from using Wagner's algorithm to attack the combined key.

Yes, that is one possibility which is described in the musig paper,
but it requires users communicate an extra signature per key.  So, for
example, if used with aggregate signature it would completely
eliminate the communications efficiency gains from aggregation, making
aggregation worse than pointless.  It also has somewhat worse failure
properties than delinearization, because a signer that fails to
validate others' share signatures behaves exactly the same as
a correct one, on honest inputs.  That approach has its uses but I
think that in any case where delinearization can be used it's a better
option.
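
The key-share attack and the two countermeasures compared above, as an added example that is not part of the thread and is not code from the MuSig paper or any Bitcoin implementation. It shows the simplest form of the attack (a rogue key against a plain sum of shares, not Wagner's algorithm itself), then the "sign your own share" proof-of-possession check, which needs one extra signature per key on the wire, and MuSig-style delinearisation, which needs only the announced keys. Assumptions: pure-Python secp256k1 affine arithmetic that is slow and not constant-time, a simplified hash framing (not BIP-340 or MuSig2 wire-compatible), and a proof of possession that is just an ordinary Schnorr signature over the share's own key; the final "cooperative" signature collapses both secrets into one signer purely to show the delinearised key is well-formed, which a real signing session does interactively without revealing shares.

```python
"""Rogue-key attack on plain-sum Schnorr key aggregation, and two defences:
a per-key proof-of-possession signature and MuSig-style delinearisation.
Added illustration; not code from the thread or the MuSig paper. Simplified
hashing, pure-Python secp256k1, not constant-time: for study only."""
import hashlib
import secrets

# secp256k1 parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0:
            return None                                    # p == -q
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P  # doubling
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Double-and-add scalar multiplication (not side-channel safe)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r

def ser(p):
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")

def h(*parts):
    """Hash to a scalar mod N (simplified; real schemes use tagged hashes)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def schnorr_sign(x, X, msg):
    k = secrets.randbelow(N - 1) + 1  # fresh nonce; reuse leaks x
    R = mul(k, G)
    return R, (k + h(ser(R), ser(X), msg) * x) % N

def schnorr_verify(X, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(h(ser(R), ser(X), msg), X))

def naive_aggregate(pubkeys):
    """Insecure: the aggregate key is the plain sum of announced shares."""
    agg = None
    for X in pubkeys:
        agg = add(agg, X)
    return agg

def rogue_key(attacker_pub, honest_pubs):
    """Announce X_a - sum(honest shares): the plain sum then equals X_a,
    whose secret the attacker alone knows (but log_G of the share is unknown)."""
    r = attacker_pub
    for X in honest_pubs:
        r = add(r, (X[0], (-X[1]) % P))
    return r

def musig_coeff(pubkeys, X):
    """Delinearisation coefficient a_i = H(L, X_i), L = H(all announced keys)."""
    L = hashlib.sha256(b"".join(ser(Y) for Y in pubkeys)).digest()
    return h(L, ser(X))

def musig_aggregate(pubkeys):
    """Aggregate key sum(a_i * X_i); needs only the keys, no extra signatures."""
    agg = None
    for X in pubkeys:
        agg = add(agg, mul(musig_coeff(pubkeys, X), X))
    return agg

def demo(msg=b"constructed 2-of-2 message"):
    x1, X1 = keygen()               # honest signer
    xa, Xa = keygen()               # attacker's real key pair
    X2 = rogue_key(Xa, [X1])        # attacker's announced share
    shares = [X1, X2]
    # 1. Plain sum: attacker alone signs for the "2-of-2" key.
    agg_naive = naive_aggregate(shares)
    forged = schnorr_sign(xa, agg_naive, msg)
    # 2. Proof of possession: each signer signs under its own announced share.
    #    The attacker cannot produce one for X2; signing with xa is its best effort.
    pop_honest = schnorr_verify(X1, b"pop", schnorr_sign(x1, X1, b"pop"))
    pop_rogue = schnorr_verify(X2, b"pop", schnorr_sign(xa, X2, b"pop"))
    # 3. Delinearisation: a1*X1 + a2*X2 != Xa, so the same forgery fails.
    agg_musig = musig_aggregate(shares)
    forged_musig = schnorr_sign(xa, agg_musig, msg)
    # Sanity check only: the delinearised key matches secret a1*x1 + a2*(xa - x1).
    # Collapsed into one signer here; a real session never pools the shares.
    a1, a2 = musig_coeff(shares, X1), musig_coeff(shares, X2)
    x_agg = (a1 * x1 + a2 * ((xa - x1) % N)) % N
    cooperative = schnorr_sign(x_agg, agg_musig, msg)
    return {
        "naive_sum_equals_attacker_key": agg_naive == Xa,
        "naive_forgery_verifies": schnorr_verify(agg_naive, msg, forged),
        "pop_honest_verifies": pop_honest,
        "pop_rogue_verifies": pop_rogue,
        "musig_forgery_verifies": schnorr_verify(agg_musig, msg, forged_musig),
        "musig_cooperative_verifies": schnorr_verify(agg_musig, msg, cooperative),
    }
```

Running `demo()` shows the plain-sum forgery verifying, the rogue share failing its proof of possession while the honest share passes, and the same forgery failing against the delinearised key. The comparison in the message is visible in the interfaces: `musig_aggregate` takes only the public keys, whereas the proof-of-possession route requires every participant to receive and verify one additional signature per share, and a participant who skips that verification is indistinguishable from one who performs it as long as every share is honest.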