- Using MuSig's solution for the blinding factor (e)
- Using interpolation to enhance MuSig to be M of N instead of M of M
References:
Each party:
1. Publishes public key G*xi, G*ki, where ki is a random nonce
3. Xi = H(G*xi) ... Xi is the parties x coordinate, for the purposes of interpolation
3. R = G*k = via interpolation of r1=Gk1, r2=Gk2... (see HomPrf)
4. L = H(X1,X2,…) (see MuSig)
5. X = sum of all H(L,Xi)Xi (see MuSig)
6. Computes e = H(R | M | X) .... standard schnorr e... not a share
7. Computes si = ki *e+ xi * e ... where si is a "share" of the sig, and xi is the private data, and e is the blinding factor
8. Publishes (si, e) as the share sig
If an attacker has multiple devices, e is safe, because of the musig construction.
But what protects k from the same multiparty birthday attack?
If an attacker has multiple devices, by carefully controlling the selection of private keys, the attacker can try to solve
the polynomial equation to force the selection of a "known k".
A "known k" would allow an attacker to sign messages on his own.
To fix this, we need to somehow "blind k as well".
Does this work?
The revision below seems to solve this problem.
1. Publishes public key G*xi, G*ki, where ki is a random nonce
3. Xi = H(G*xi) ... Xi is the parties x coordinate, for the purposes of interpolation
3. R = G*k = via interpolation of r1=Gk1, r2=Gk2... (see HomPrf)
4. L = H(X1,X2,…) (see MuSig)
5. L2 = H2(XN,XN-1,…) (see MuSig... H2 is a "second hash")
6. X = sum of all H(L,Xi)Xi (
see MuSig)
7. Computes e = H(R | M | X) .... standard schnorr e... not a share
8. Computes e2 = H(R | M | X2) ... a second blinding factor
9. Computes si = ki *e2 + xi * e ... where si is a "share" of the sig, and xi is the private data, and e, e2 are blinding factors
10. Publishes (si, e, e2) as the share sig
The final signature is computed via interpolation, and e2 is can be subtracted to recover a "normal" schnor sig for the set of participants.
Now there's no mechanism for a birthday attack on k.