From: Tom Trevethan <tom@commerceblock.com>
Date: Mon, 24 Jul 2023 17:22:15 +0100
Message-ID: <CAJvkSscdAw8-Z7quKexjFk1gdXmwpKpP5Q1XEuHbHROGdMBpKg@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2

Hi Jonas,

Seems you are right: for every tx, compute c from the on-chain data, and
the server can match the c to the m (tx). So there would need to be a
method for blinding the value of c.

On Mon, Jul 24, 2023 at 4:39 PM Jonas Nick <jonasdnick@gmail.com> wrote:

> > Party 1 never learns the final value of (R,s1+s2) or m.
>
> Actually, it seems like a blinding step is missing. Assume the server (party 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> signature verification and then check c == c'? If true, then the server has the
> preimage for the c received from the client, including m.
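
Added example (not part of the original email or of any project's code): the linkage check discussed in this thread, recomputing c' = H(R||X||m) for every published signature and comparing it with the c values a co-signing server logged. The function names, session labels, sample data, the choice of the BIP340 tagged hash for H, and the additive offset in session B are assumptions made for illustration; the offset only shows that a masked value no longer matches and is not a complete blinding scheme.

```python
import hashlib
import secrets

# secp256k1 group order (public curve parameter)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def challenge(R: bytes, X: bytes, m: bytes) -> int:
    """c = H(R||X||m) mod n; H is assumed to be the BIP340 tagged hash."""
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    digest = hashlib.sha256(tag + tag + R + X + m).digest()
    return int.from_bytes(digest, "big") % N


def link_sessions(seen: dict, chain: list) -> dict:
    """Return {session id: chain index} for every logged c that equals the
    challenge recomputed from a published (R, X, m)."""
    by_c = {challenge(R, X, m): i for i, (R, X, m) in enumerate(chain)}
    return {sid: by_c[c] for sid, c in seen.items() if c in by_c}


def demo() -> dict:
    # Constructed data: SHA-256 outputs stand in for 32-byte x-only R and X
    # encodings and for transaction sighashes m.
    X = hashlib.sha256(b"constructed aggregate key").digest()
    chain = [(hashlib.sha256(b"R%d" % i).digest(), X,
              hashlib.sha256(b"tx%d" % i).digest()) for i in range(5)]
    # Session A: the client sends c exactly as the verifier will recompute it.
    c_a = challenge(*chain[3])
    # Session B: the client sends c + beta for a secret nonzero beta
    # (hypothetical offset, not a complete blinding scheme).
    beta = 1 + secrets.randbelow(N - 1)
    c_b = (challenge(*chain[1]) + beta) % N
    return link_sessions({"A": c_a, "B": c_b}, chain)


if __name__ == "__main__":
    print(demo())
```

Session A is linked to its transaction because the server saw the same c that signature verification recomputes; session B is not, since the value it saw is offset by a secret the server does not hold.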