From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WMLFP-0002RU-EP for bitcoin-development@lists.sourceforge.net; Sat, 08 Mar 2014 17:41:19 +0000 X-ACL-Warn: Received: from mout.perfora.net ([74.208.4.194]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WMLFO-0000ug-3s for bitcoin-development@lists.sourceforge.net; Sat, 08 Mar 2014 17:41:19 +0000 Received: from netbook (108-193-6-130.lightspeed.sntcca.sbcglobal.net [108.193.6.130]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0MYwiB-1WhSkb3MkF-00VtYZ; Sat, 08 Mar 2014 12:41:10 -0500 Received: by netbook (Postfix, from userid 1000) id 212042E50BC; Sat, 8 Mar 2014 09:41:05 -0800 (PST) Received: by flare (hashcash-sendmail, from uid 1000); Sat, 8 Mar 2014 09:41:02 -0800 Date: Sat, 8 Mar 2014 09:41:01 -0800 From: Adam Back To: Joel Kaartinen Message-ID: <20140308174101.GA21902@netbook.cypherspace.org> References: <531AD080.40501@gmail.com> <531AF2EA.50904@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <531AF2EA.50904@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Hashcash: 1:20:140308:joel.kaartinen@gmail.com::8Gxp9qsw9sjtHJA0:0000000000000 0000000000000000000000009lYd X-Hashcash: 1:20:140308:bitcoin-development@lists.sourceforge.net::2OrPjJChDmnOm /9Y:000000000000000000001Fpg X-Hashcash: 1:20:140308:adam@cypherspace.org::50dPkpLrAlElRdM9:00000000000000000 0000000000000000000000001WHo X-Provags-ID: V02:K0:oEtAQOo+BzRTQ1KeCkBi2LKqeUzZeLggbS832Grp7KS N1Q3+eyIYr+IGq3kdRj4a4Cagwt4+urN99VKODuh54xllrcALI 34jazW+M+B82QKmZ/YjlXgNSYKU2hxtN6MblesFubhSoDOS9GC A1aZqlAdczIMK3nQFEIzHBcXQQ66vMHA36FGfO7DK6Oc/dNSDS btGt0mC4VUlF7GOj+B56QTCywWiZkBR4N5oDXKEx9x78xUktIy 2fGcx15gMfy9AopotTwLHi1KRYxOJ9rZFOQ3i4PMaq6xo72pMa K0OX2gszu2y3Aw4mnGUbu6THgGBbOtjyowLQM70dlOV3dP0J17 6bJTAIhWFs8uJ3LJYm33t6LrE+7oqEvCPfjt6OOkK X-Spam-Score: -0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [74.208.4.194 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Headers-End: 1WMLFO-0000ug-3s Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Mar 2014 17:41:19 -0000 Also the other limitation for ECDSA is that there is no known protocol to create a signture with a+b (where keys P=aG, Q=bG, R=P+Q=(a+b)G). without either a sending its private key to b or viceversa (or both to a third party). With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a (secure) direct multiparty signature quite difficult. ps probably only 1 party needs to hash their key P=aG H(P) -> <- Q=bG P -> Adam On Sat, Mar 08, 2014 at 12:37:30PM +0200, Joel Kaartinen wrote: > If both parties insist on seeing a hash of the other party's public key > before they'll show their own public key, they can be sure that the > public key is not chosen based on the public key they themselves > presented.