From: Tom Trevethan <tom@commerceblock•com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2
Date: Mon, 7 Aug 2023 01:55:38 +0100 [thread overview]
Message-ID: <CAJvkSsduvkdhpi=KtTpzXan-wdZrCu9AMbfeZUjuZmfCY774mA@mail.gmail.com> (raw)
In-Reply-To: <CAJvkSsea+aKJFkNpNxHPAGCxrYwU+8wXOzV-8yH=qacGta++ig@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2275 bytes --]
A follow up to this, I have updated the blinded statechain protocol
description to include the mitigation to the Wagner attack by requiring the
server to send R1 values only after commitments made to the server of the
R2 values used by the user, and that all the previous computed c values are
verified by each new statecoin owner.
https://github.com/commerceblock/mercury/blob/master/layer/protocol.md
Essentially, the attack is possible because the server cannot verify that
the blinded challenge (c) value it has been sent by the user has been
computed honestly (i.e. c = SHA256(X1 + X2, R1 + R2, m) ), however this CAN
be verified by each new owner of a statecoin for all the previous
signatures.
Each time an owner cooperates with the server to generate a signature on a
backup tx, the server will require that the owner send a commitment to
their R2 value: e.g. SHA256(R2). The server will store this value before
responding with it's R1 value. This way, the owner cannot choose the value
of R2 (and hence c).
When the statecoin is received by a new owner, they will receive ALL
previous signed backup txs for that coin from the sender, and all the
corresponding R2 values used for each signature. They will then ask the
server (for each previous signature), the commitments SHA256(R2) and the
corresponding server generated R1 value and c value used. The new owner
will then verify that each backup tx is valid, and that each c value was
computed c = SHA256(X1 + X2, R1 + R2, m) and each commitment equals
SHA256(R2). This ensures that a previous owner could not have generated
more valid signatures than the server has partially signed.
On Thu, Jul 27, 2023 at 2:25 PM Tom Trevethan <tom@commerceblock•com> wrote:
>
> On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdnick@gmail•com> wrote:
>
>> No, proof of knowledge of the r values used to generate each R does not
>> prevent
>> Wagner's attack. I wrote
>>
>> > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>> > c[0] + ... + c[K-1] = c[K].
>>
>> You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
>> define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't
>> make
>> sense if he didn't.
>>
>
[-- Attachment #2: Type: text/html, Size: 3110 bytes --]
next prev parent reply other threads:[~2023-08-07 0:55 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-24 7:46 Tom Trevethan
2023-07-24 10:50 ` ZmnSCPxj
2023-07-24 14:25 ` Erik Aronesty
2023-07-24 16:08 ` Tom Trevethan
2023-07-24 15:57 ` Tom Trevethan
2023-07-24 14:12 ` Jonas Nick
2023-07-24 14:40 ` Erik Aronesty
2023-07-24 15:40 ` Jonas Nick
2023-07-24 16:51 ` AdamISZ
2023-07-25 14:12 ` Erik Aronesty
2023-07-25 16:05 ` Tom Trevethan
2023-07-26 4:09 ` Erik Aronesty
2023-07-26 17:40 ` Andrew Poelstra
2023-07-26 19:59 ` Jonas Nick
2023-07-26 20:35 ` Tom Trevethan
2023-07-26 22:06 ` Erik Aronesty
2023-07-27 2:54 ` Lloyd Fournier
2023-07-27 8:07 ` Jonas Nick
[not found] ` <CAJvkSsfa8rzbwXiatZBpwQ6d4d94yLQifK8gyq3k-rq_1SH4OQ@mail.gmail.com>
2023-07-27 13:25 ` [bitcoin-dev] Fwd: " Tom Trevethan
2023-08-07 0:55 ` Tom Trevethan [this message]
2023-08-08 17:44 ` [bitcoin-dev] " moonsettler
2023-08-09 15:14 ` Tom Trevethan
2023-08-10 3:30 ` Lloyd Fournier
2023-08-10 11:59 ` Tom Trevethan
2023-08-14 6:31 ` Lloyd Fournier
2023-08-30 10:52 ` Tom Trevethan
2023-07-24 15:39 ` Jonas Nick
2023-07-24 16:22 ` Tom Trevethan
2023-07-26 9:44 ` moonsettler
2023-07-26 14:59 ` Jonas Nick
2023-07-26 19:19 ` AdamISZ
2023-07-26 19:28 ` moonsettler
2023-07-27 5:51 ` AdamISZ
[not found] <mailman.125690.1690381971.956.bitcoin-dev@lists.linuxfoundation.org>
2023-07-26 16:32 ` Tom Trevethan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJvkSsduvkdhpi=KtTpzXan-wdZrCu9AMbfeZUjuZmfCY774mA@mail.gmail.com' \
--to=tom@commerceblock$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox