public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures
Date: Wed, 8 Jul 2026 12:05:58 -0700 (PDT)	[thread overview]
Message-ID: <76f2e760-37a7-42ca-b8c2-38659dc94c40n@googlegroups.com> (raw)
In-Reply-To: <e15cf0db-bc04-454d-8d63-029bd864d08b@gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 5542 bytes --]

A couple of other minor comments:

On list ordering, I was tempted to write "why not include a default 
ordering algorithm", but ... I can see why that's not worth bothering with, 
since the design includes the untrusted coordinator role, so in that sense 
it really doesn't matter.

Security argument: the paper's security claim is a reduction to the 
algebraic variant of the one-more-discrete-log assumption under the random 
oracle model for the hash_sig (AOMDL under ROM). Obviously there's only so 
much to be written there, but following on from BIP340 and BIP327 I think 
it's reasonable to briefly describe the security claim somewhere, and what 
its kind of "ancestry" is. As there, pointing out that AOMDL is a weaker 
(better) assumption is probably worth mentioning. You could also add a 
note, though it's unlikely any BIP reader would be confused about this 
point, that the scheme is *not* intended to be post-quantum secure.

(Is it worth mentioning the co-EUF-CMA definition here? Perhaps in a 
footnote? While it's both in the weeds, and also has no direct implication 
for implementation, it nicely shows why the technical problem to solve here 
is different from what the paper calls "IMS" vs "IAS".)

About nonce gen: this is obviously a tricky but hugely important point, 
just as it was for BIP327. The first comment I want to make is, why do you 
link 
to https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6#e3b6 
in the section where you're saying "don't use deterministic nonce 
generation"? The main point of that blog post is to show a way that that 
*can* done in MuSig2, even though, by default, it's insecure. But aren't 
you mainly trying to point out that, as in BIP327, in this BIP, we don't 
have security with deterministic nonces? (rather than making a Musig-DN 
recommendation)?

(Hmm, I guess you used that link because it nicely describes the attack? If 
so maybe another link's better as it could be misleading perhaps).

Separately you do point out the statelessness requirement can be dropped 
for one signer, which is a nice detail. ... I'm just wondering, why does 
this not apply to BIP327 also? (I guess in some general sense it does, but 
maybe it was not interesting there for some reason? Is it just because the 
'special last signer deterministic' subcase subsumes it?)

Cheers,
AdamISZ/waxwing

On Thursday, July 17, 2025 at 10:34:49 AM UTC-3 Jonas Nick wrote:

> Hi waxwing,
>
> Thanks again for your comments.
>
> > My initial reaction would be, since it's not worsening the scaling of the
> > verifier, does it matter?
>
> I think saving time in signing does matter (3 group exponentiations 
> requiring
> O(1) group operations in total vs. O(n/log n) group operations); for 
> example, in
> constrained signing devices as you mention. In particular, the "single-b"
> variant with the larger signing cost doesn't appear to have advantages (see
> below) compared to "multi-b" which has lower signing cost.
>
> > The scheme is explicitly not limited to Bitcoin, nor blockchains, though,
> > so there's that; is that relevant here?
>
> The scheme is not limited to Bitcoin, but the main application we designed 
> for
> is Bitcoin. I agree that verification performance is of primary 
> importance. We
> would choose a scheme with lower signing performance, if it gives us a 
> better
> verification performance in return (if the trade-off is reasonable).
>
> > Yes, those are some interesting points to consider. On one detail: "In 
> any
> > case, identifying disruptive participants will work reliably only if the
> > coordinator is honest, so let's assume this." -- this could also be 
> addressed
> > with proofs of knowledge, no?
>
> Maybe I misunderstand what you're getting at, but I don't understand how 
> proofs
> of knowledge would get rid of the honest coordinator requirement for 
> identifying
> disruptive signers. Moreover, both R_{2,i} and R_{2,j} could have a valid 
> proof
> of knowledge attached (for example, if parties i and j share the dlog of 
> R_{2,i}
> = R_{2,j}).
>
> > Anyway, for me it was more a sort of preference for purely algebraic
> > algorithms. It's a little fanciful, but algebraic algorithms are easier 
> to
> > encode in circuits in zero knowledge (though things like equality checks 
> are
> > entirely doable ofc!) and maybe easier to "encode" into modular schemes 
> that
> > use them as a building block. Maybe. Less conditional branches / loops to
> > traverse in the code?
>
> Why exactly would it be easier to encode the multi-b variant in a circuit? 
> The
> single-b variant requires checking whether there exists i such that R_{2,i}
> matches a fixed R_{2,j}. In the multi-b variant we'd need to compute the 
> product
> of all R_{2,i}^{b_i}, which, even with a multiexp implementation, requires 
> at
> least visiting all elements plus the actual multiexponentiation involving
> O(n/log n) group operations. So encoding the single-b variant appears to be
> strictly easier.
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/76f2e760-37a7-42ca-b8c2-38659dc94c40n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 6303 bytes --]

  reply	other threads:[~2026-07-08 19:11 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-17 16:27 [bitcoindev] DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures Jonas Nick
2025-04-19 16:28 ` [bitcoindev] " waxwing/ AdamISZ
2025-04-22 15:29   ` Jonas Nick
2025-04-25 16:08 ` waxwing/ AdamISZ
2025-04-25 16:41   ` Jonas Nick
2025-04-26 15:30 ` waxwing/ AdamISZ
2025-04-26 17:05   ` waxwing/ AdamISZ
2025-04-30  7:59     ` Jonas Nick
2025-04-30 15:54       ` waxwing/ AdamISZ
2025-06-16 19:35         ` waxwing/ AdamISZ
2025-07-02 11:36           ` Tim Ruffing
2025-07-03 14:07             ` waxwing/ AdamISZ
2025-07-17 13:15               ` Jonas Nick
2026-07-08 19:05                 ` waxwing/ AdamISZ [this message]
2026-07-08 19:12                   ` waxwing/ AdamISZ

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=76f2e760-37a7-42ca-b8c2-38659dc94c40n@googlegroups.com \
    --to=ekaggata@gmail.com \
    --cc=bitcoindev@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox