From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id EF861C0032 for ; Thu, 27 Jul 2023 08:08:02 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id BC47260E51 for ; Thu, 27 Jul 2023 08:08:02 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org BC47260E51 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20221208 header.b=B4k+opdC X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8eOVmxq1YD-v for ; Thu, 27 Jul 2023 08:08:02 +0000 (UTC) Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by smtp3.osuosl.org (Postfix) with ESMTPS id D45D16080B for ; Thu, 27 Jul 2023 08:08:01 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org D45D16080B Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-4fe0c566788so1203510e87.0 for ; Thu, 27 Jul 2023 01:08:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690445279; x=1691050079; h=content-transfer-encoding:in-reply-to:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=mCf0M5nvbtzJjrzpatJ6a+Esjxprx3Mf00fYdS2XCWg=; b=B4k+opdCm4ENjec9GPReLcGkUq9Q0wsyGjX9iGgy0Fm8a80+2bIRIcNJGGOoZZ03Mn UuDFgbbdRQZiDKEG49SDaD27f7PKXHQCWPSJbWZs/UxASU6st9GfcxkIuJIOInrGQiH1 4rXN5PD3z4jqVIJgn7zp1kFkoUyWRkV9pnKAGTmhqIHhmt/9TG5vLISe9vorQMIsANzj zobVT09YI80A4wAZ7vWdu6tH2U5P9BnCs1DQVvVGG66gcArmwnTQqZeVRmKNFHe1ANh3 rNvbYreq9c5SRrFRYsoII5KCLN+bAoFQiWA/6locOnI/GjmFDjQa9unwyTqP3HB3sIYh XsoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690445279; x=1691050079; h=content-transfer-encoding:in-reply-to:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mCf0M5nvbtzJjrzpatJ6a+Esjxprx3Mf00fYdS2XCWg=; b=LZoaMgLHQrTnKtYpr1Aztn5u1qdiwqjmavI3DsZX5adBkPh4a4cNwfx1ik7xBHohWU 22nIkuv5uYcSlQ/ijyEvc4Bm3rJewRTpdWWq2jl1tnDM3hN0tJZbdn3JT4eq485O5I/n HCdcPVVWhJnRGmeoAWq/hadjhYkGoYJ9GUXzpooQ7PUnYphUhWkg+kuePoJnvc7VBFOh E1/rONAxV/jkRGkFHAhNBCXf+HVx5FUa/nBuvKDf+zdJzl2iGqfZ2uuWYXTXeJkwGc7D rRC0kCChXNt6SN8Gj5NQhMfYOBRmdRZy8huKAcDRuMes2f8iOEDCBHydGNNQ2H73Dnkn j4QQ== X-Gm-Message-State: ABy/qLYIzqYPjzDFBthrCNmhqz/ois7LtfI7ahB0SPYzltPrluOt2gvD 4zQZWFoH7Y/+0VzlIlaFFM4= X-Google-Smtp-Source: APBJJlEIddWB9DOpQVuyJuRvxBM4m5RY3Zuiv8UJwyA6bygVQzMYp781R6KqB9W0fBCu4bUG79x0KQ== X-Received: by 2002:a05:6512:3b13:b0:4fb:89ac:a967 with SMTP id f19-20020a0565123b1300b004fb89aca967mr1319329lfv.56.1690445279206; Thu, 27 Jul 2023 01:07:59 -0700 (PDT) Received: from [10.11.10.42] (p50879c84.dip0.t-ipconnect.de. [80.135.156.132]) by smtp.googlemail.com with ESMTPSA id l6-20020a5d4806000000b003143ac73fd0sm1313275wrq.1.2023.07.27.01.07.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 27 Jul 2023 01:07:58 -0700 (PDT) From: Jonas Nick X-Google-Original-From: Jonas Nick Message-ID: <7eae57c9-be42-ae07-9296-ae9e8e03c1b8@gmail.com> Date: Thu, 27 Jul 2023 08:07:58 +0000 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: Tom Trevethan , Bitcoin Protocol Discussion References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 27 Jul 2023 08:29:00 +0000 Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2023 08:08:03 -0000 No, proof of knowledge of the r values used to generate each R does not prevent Wagner's attack. I wrote > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > c[0] + ... + c[K-1] = c[K]. You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make sense if he didn't.