[bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: waxwing/ AdamISZ <ekaggata@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures
Date: Sat, 19 Apr 2025 09:28:52 -0700 (PDT)	[thread overview]
Message-ID: <242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com> (raw)
In-Reply-To: <be3813bf-467d-4880-9383-2a0b0223e7e5@gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 3624 bytes --]

Hi Jonas and list.

So I'm reading the paper and it's very interesting. I have other questions 
but this one seems more important so I'll just stick with this one:

Appendix A2 explains an attack on Musig2-IAS, in which you can forge a 
partial signature on a tweaked key of the honest signer. I don't understand 
why this same attack cannot be applied to MuSig2 itself?

the multisig-to-IAS "translation" makes sense, given the caveat of the 
weakness identified in the 2018 paper and explained here in detail, other 
than that it's basically about the message being a concat of the individual 
messages (and keys). But surely that doesn't change the structure of the 
attack? (i.e. multiply your R-vals by a2/a1, then take partial sig and 
multiply by a2/a1 and add the tweak). I note that 3 round musig is not 
vulnerable to it, nor would some PoK of R be.

Obviously I missed something.

Cheers,
AdamISZ/waxwing

On Thursday, April 17, 2025 at 10:38:46 AM UTC-6 Jonas Nick wrote:

> Hi list,
>
> Cross-Input Signature Aggregation (CISA) has been a recurring topic here, 
> aiming
> to reduce transaction sizes and verification cost [0]. Tim Ruffing, Yannick
> Seurin and I recently published DahLIAS, the first interactive aggregate
> signature scheme with constant-size signatures (64 bytes) compatible with
> secp256k1.
>
> https://eprint.iacr.org/2025/692.pdf
>
> Recall that in an aggregate signature scheme, each signer contributes 
> their own
> message, which distinguishes it from multi- and threshold signatures, 
> where all
> signers sign the same message. This makes aggregate signature schemes the
> natural cryptographic primitive for cross-input signature aggregation 
> because
> each transaction input typically requires signing a different message.
>
> Previous candidates for constant-size aggregate signatures either:
> - Required cryptographic assumptions quite different from the discrete 
> logarithm
> problem on secp256k1 currently used in Bitcoin signatures (e.g., groups 
> with
> efficient pairings).
> - Were "folklore" constructions, lacking detailed descriptions and security
> proofs.
>
> Besides presenting DahLIAS, the paper provides a proof that a class of 
> these
> folklore constructions are indeed secure if the signer does _not_ use key
> tweaking (e.g., no Taproot commitments or BIP 32 derivation). Moreover, we 
> show
> that there exists a concrete attack against a folklore aggregate signature
> scheme derived from MuSig2 when key tweaking is used.
>
> In contrast, DahLIAS is proven to be compatible with key tweaking. 
> Moreover, it
> requires two rounds of communication for signing, where the first round 
> can be
> run before the messages to be signed are known. Verification of DahLIAS
> signatures is asymptotically twice as fast as half-aggregate Schnorr 
> signatures
> and as batch verification of individual Schnorr signatures.
>
> We believe DahLIAS offers an attractive building block for a potential CISA
> proposal and welcome any feedback or discussion.
>
> Jonas Nick, Tim Ruffing, Yannick Seurin
>
>
> [0] See, e.g., https://cisaresearch.org/ for a summary of various CISA
> discussions.
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/242c6fdd-f629-4a2a-900c-7b1d770eedbbn%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 4787 bytes --]

     prev parent reply	other threads:[~2025-04-19 16:35 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-17 16:27 [bitcoindev] " Jonas Nick
2025-04-19 16:28 ` waxwing/ AdamISZ [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com \
    --to=ekaggata@gmail$(echo .)com \
    --cc=bitcoindev@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox