From: Gregory Maxwell <greg@xiph.org>
To: Erik Aronesty <erik@q32.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Multiparty signatures
Date: Mon, 9 Jul 2018 16:58:38 +0000 [thread overview]
Message-ID: <CAAS2fgRrkzq6Fa5T_-YDwLDkwi30LpDtMObMEBE+Fmmj0LJpBw@mail.gmail.com> (raw)
In-Reply-To: <CAJowKgJjQ8EGgbCurOSjTh8ij42_BVeD6dE0y67tzN0Zop3pyg@mail.gmail.com>
On Mon, Jul 9, 2018 at 4:33 PM, Erik Aronesty <erik@q32.com> wrote:
>>> with security assumptions that match the original Schnorr construction more closely,
>> More closely than what?
> More closely than musig.
Musig is instructions on using the original schnorr construction for
multiparty signing which is secure against participants adaptively
choosing their keys, which is something the naive scheme of just
interpolating keys and shares is vulnerable to. It works as
preprocessing on the keys, then you continue on with the naive
protocol. The verifier (e.g. network consensus rules) is the same.
Now that you're back to using a cryptographic hash, I think what
you're suggesting is "use naive interpolation of schnorr signatures"
-- which you can do, including with the verifier proposed in the BIP,
but doing that alone is insecure against adaptive key choice (and
potentially adaptive R choice, depending on specifics which aren't
clear enough to me in your description). In particular, although it
seems surprising picking your interpolation locations with the hash of
each key isn't sufficient to prevent cancellation attacks due to the
remarkable power of wagner's algorithm.
next prev parent reply other threads:[~2018-07-09 16:58 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-08 14:19 [bitcoin-dev] Multiparty signatures Erik Aronesty
2018-07-08 15:16 ` Tim Ruffing
2018-07-08 18:23 ` Erik Aronesty
2018-07-08 21:01 ` Gregory Maxwell
2018-07-09 0:27 ` Erik Aronesty
2018-07-09 2:33 ` Pieter Wuille
2018-07-09 4:29 ` Erik Aronesty
2018-07-09 4:39 ` Pieter Wuille
[not found] ` <CAJowKg+=7nS4gNmtc8a4-2cu1uCOPqxjfchFwDVqUciKNMUYWQ@mail.gmail.com>
2018-07-09 15:02 ` Erik Aronesty
2018-07-09 15:57 ` Dan Robinson
2018-07-09 15:59 ` Gregory Maxwell
2018-07-09 16:33 ` Erik Aronesty
2018-07-09 16:58 ` Gregory Maxwell [this message]
2018-07-09 17:59 ` Erik Aronesty
2018-07-10 11:46 ` Erik Aronesty
2018-07-11 10:35 ` Adam Back
2018-07-11 14:45 ` Erik Aronesty
2018-07-19 12:16 ` Erik Aronesty
2018-07-19 12:24 ` Erik Aronesty
2018-07-19 13:11 ` Russell O'Connor
2018-07-20 16:25 ` Erik Aronesty
2018-07-20 17:34 ` Erik Aronesty
2018-07-20 20:18 ` Erik Aronesty
2018-07-26 2:05 ` Erik Aronesty
2018-07-09 16:21 ` Gregory Maxwell
2018-07-09 2:29 ` Pieter Wuille
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAS2fgRrkzq6Fa5T_-YDwLDkwi30LpDtMObMEBE+Fmmj0LJpBw@mail.gmail.com \
--to=greg@xiph.org \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=erik@q32.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox