public inbox for bitcoindev@googlegroups.com
From: AdamISZ <AdamISZ@protonmail•com>
To: Tom Trevethan <tom@commerceblock•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2
Date: Mon, 24 Jul 2023 16:51:44 +0000
Message-ID: <YwMiFAEImHAJfAHHU7WbN1C1JuHjh0vC18Hn61QplFOlY5mEgKmjsAlj2geV1-28E36_wgfL9_QHTRJsbtOLt73o9C4JfoVt8scvYGzKHOI=@protonmail.com>
In-Reply-To: <ca674cee-6fe9-f325-7e09-f3efda082b6b@gmail.com>

@ZmnSCPxj:

yes, Wagner is the attack you were thinking of.

And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the R commitments.

@Tom:
As per above it seems you were more considering MuSig1 here, not MuSig2. At least in this version. So you need the initial commitments to R.

Jonas' reply clearly has covered a lot of what matters here, but I wanted to mention (using your notation):

in s1 = c * a1 * x1 + r1, you expressed the idea that the challenge c could be given to the server, to construct s1, but since a1 = H(L, X1) and L is the serialization of all (in this case, 2) keys, that wouldn't work for blinding the final key, right?
But, is it possible that this addresses the other problem?
If the server is given c1*a1 instead as the challenge for signing (with their "pure" key x1), then perhaps it avoids the issue? Given what's on the blockchain ends up allowing calculation of 'c' and the aggregate key a1X1 + a2X2, is it the case that you cannot find a1 and therefore you cannot correlate the transaction with just the quantity 'c1*a1' which the server sees?

But I agree with Jonas that this is just the start, i.e. the fundamental requirement of a blind signing scheme is there has to be some guarantee of no 'one more forgery' possibility, so presumably there has to be some proof that the signing request is 'well formed' (Jonas expresses it below as a ZKP of a SHA2 preimage .. it does not seem pretty but I agree that on the face of it, that is what's needed).

@Jonas, Erik:
'posk' is probably meant as 'proof of secret key' which may(?) be a mixup with what is sometimes referred to in the literature as "KOSK" (iirc they used it in FROST for example). It isn't clear to me yet how that factors into this scenario, although ofc it is for sure a potential building block of these constructions.

Sent with Proton Mail secure email.

------- Original Message -------
On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
> Hi Tom,
> 
> I'm not convinced that this works. As far as I know blind musig is still an open
> research problem. What the scheme you propose appears to try to prevent is that
> the server signs K times, but the client ends up with K+1 Schnorr signatures for
> the aggregate of the server's and the clients key. I think it's possible to
> apply a variant of the attack that makes MuSig1 insecure if the nonce commitment
> round was skipped or if the message isn't determined before sending the nonce.
> Here's how a malicious client would do that:
> 
> - Obtain K R-values R1[0], ..., R1[K-1] from the server
> - Let
> R[i] := R1[i] + R2[i] for all i <= K-1
> R[K] := R1[0] + ... + R1[K-1]
> c[i] := H(X, R[i], m[i]) for all i <= K.
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
> c[0] + ... + c[K-1] = c[K].
> - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].
> - Let
> s[K] = s[0] + ... + s[K-1].
> Then (s[K], R[K]) is a valid signature from the server, since
> s[K]G = R[K] + c[K]a1X1,
> which the client can complete to a signature for public key X.
> 
> What may work in your case is the following scheme:
> - Client sends commitment to the public key X2, nonce R2 and message m to the
> server.
> - Server replies with nonce R1 = k1G
> - Client sends c to the server and proves in zero knowledge that c =
> SHA256(X1 + X2, R1 + R2, m).
> - Server replies with s1 = k1 + c*x1
> 
> However, this is just some quick intuition and I'm not sure if this actually
> works, but maybe worth exploring.

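As an added illustration (not code from this thread or from any of the posters), the commit-then-sign flow Jonas sketches at the end of the quoted message, written in Python over a small constructed Schnorr group rather than secp256k1. The zero-knowledge proof of the challenge is replaced by a plain opening of the commitment, which is not blind, but it shows what the server has to be able to check: that c was fixed by (X2, R2, m) before R1 was revealed, which is exactly the adaptive choice of R2 that the K-signature attack above depends on. The group parameters, the "commit" domain tag and the message strings are all assumptions made for this example.

```python
import hashlib
import secrets

# Toy Schnorr group constructed for this example (NOT secp256k1): p = 2q + 1 is a safe
# prime, g generates the order-q subgroup; "kG" is pow(g, k, p), "R1 + R2" is R1*R2 % p.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash-to-scalar, standing in for SHA256(X, R, m) in the quoted sketch."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keypair():  # random scalar and its group element; used for keys and nonces
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify(X, R, m, s):  # plain Schnorr check: sG == R + cX with c = H(X, R, m)
    return pow(G, s, P) == (R * pow(X, H(X, R, m), P)) % P

class Server:
    """Holds x1 and only signs a challenge it can tie to a prior commitment."""
    def __init__(self):
        self.x1, self.X1 = keypair()
        self.sessions = {}
    def round1(self, commitment):  # R1 is revealed only after the client commits
        k1, R1 = keypair()
        self.sessions[commitment] = (k1, R1)
        return R1
    def round2(self, commitment, opening, c):
        # Stand-in for the zero-knowledge proof: the client opens the commitment and
        # the server recomputes c itself (not blind, but it is what the proof must
        # attest). A challenge chosen after seeing R1 is rejected.
        X2, R2, m = opening
        if commitment != H("commit", X2, R2, m):
            raise ValueError("opening does not match commitment")
        k1, R1 = self.sessions.pop(commitment)
        if c != H((self.X1 * X2) % P, (R1 * R2) % P, m):
            raise ValueError("challenge not derived from committed nonce and message")
        return (k1 + c * self.x1) % Q

def run_session(server, m):
    # Honest client: commit, get R1, send c, complete the aggregate signature.
    x2, X2 = keypair()
    k2, R2 = keypair()
    commitment = H("commit", X2, R2, m)
    R1 = server.round1(commitment)
    X, R = (server.X1 * X2) % P, (R1 * R2) % P
    c = H(X, R, m)
    s = (server.round2(commitment, (X2, R2, m), c) + k2 + c * x2) % Q
    return X, R, s
```

Replacing the opening with a real proof that c = SHA256(X1 + X2, R1 + R2, m) for committed values is the open part; the check itself is what stops a client from handing the server challenges that sum to a c[K] of its own choosing.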

