From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks
Date: Fri, 24 Jan 2025 08:38:47 -0800 (PST) [thread overview]
Message-ID: <5fcbe15c-2793-44a7-88d1-e708c224f2fdn@googlegroups.com> (raw)
In-Reply-To: <Z5JtilN2k7HwRRXt@petertodd.org>
[-- Attachment #1.1: Type: text/plain, Size: 2176 bytes --]
> The only question left for this technique is a cryptography one:
> Is it possible to create an alternate pubkey p', that such that a valid
signature s signed by arbitrary pubkey p for message m, also validates
for p' for signature s and message m? I believe the answer is no for
schnorr. But I'm not a cryptography expert, and I may have missed
something.
I've been thinking about this (to some extent digging up old analyses from
a few years back). I'm pretty sure that because of Schnorr's key-prefixing,
it is indeed not possible to do this: (specifically: given a tuple (m,
(R,s), P) that exists and for which the signature is valid, create a *new*
pubkey P2 s.t. (m, (R, s), P2) is valid. Notice this is not quite the same
as the definition of strong unforgeability (in which we analyze a specific
given key), which is an established property of Schnorr under the ROM.
Still, my argument would be that: a new P2 for which this is valid
satisfies: sG = R + e' P2, where e'=H(R,P2,m) and we previously had sG = R
+ eP, so that we require P2 = e/e' * P, but e' = H(R,P2,m) so that this
equation is insoluble under the preimage resistance of the hash function.
Does this same argument apply to ECDSA? No, definitely not because ECDSA
does not fix the pubkey into the hashing (which is of course why pubkey
recovery is possible in ECDSA, for example). From just looking at the
verification equation sR = H(m)G + R_x P, though, I guess that we cannot
actually create a new P2 for the same (R,s),m tuple, but for different
reasons: while a negation of s is still valid, that is not the issue. If we
cannot change R or s or m, we cannot change P. Apparently it's debatable
how important the ECDSA case will be, but, it's for sure interesting!
Regards,
AdamISZ/waxwing
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/5fcbe15c-2793-44a7-88d1-e708c224f2fdn%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 2699 bytes --]
prev parent reply other threads:[~2025-01-24 17:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-21 14:16 [bitcoindev] Reiterating centralized coinjoin (Wasabi & Samourai) deanonymization attacks Yuval Kogman
2025-01-06 13:07 ` Sjors Provoost
2025-01-06 14:30 ` Yuval Kogman
2025-01-07 15:56 ` waxwing/ AdamISZ
2025-01-07 21:33 ` Yuval Kogman
2025-01-23 16:25 ` Peter Todd
2025-01-24 16:00 ` Peter Todd
2025-01-24 16:38 ` waxwing/ AdamISZ [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5fcbe15c-2793-44a7-88d1-e708c224f2fdn@googlegroups.com \
--to=ekaggata@gmail.com \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox