public inbox for bitcoindev@googlegroups.com
From: Lloyd Fournier <lloyd.fourn@gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Composable MuSig
Date: Sun, 8 Dec 2019 17:10:00 +1100	[thread overview]
Message-ID: <CAH5Bsr1rdbTw16+FVo0NC0zqv3EDHmEd=ef7k3baLaQ+HMn2Cg@mail.gmail.com> (raw)
In-Reply-To: <5JbfLKwbVsIev2M33s366qbyuAGqz-ydB4gZ2KTFR_nCWbgZ0vWMm5UOU19jNVeMfYD3A0GPTpbuuYINwOv_F6fJS3NdxuPgMm8hGUnjbB0=@protonmail.com>

Hi ZmnSCPxj,

I think your idea of allowing multiple Rs is a fine solution as it
would essentially mean that you were just doing a three party MuSig
with more specific communication structure. As you mentioned, this is
not quite ideal though.

> It seems to me that what is needed for a composable MuSig is to have a commitment scheme which is composable.

Maybe. Showing certain attacks don't work is a first step. It would
take some deeper analysis of the security model to figure out what
exactly the MuSig requires of the commitment scheme.

> To create a commitment `c[A]` on the point A, such that `A = a * G`, the committer:
>
> * Generates random scalars `r` and `m`.
> * Computes `R` as `r * G`.
> * Computes `s` as `r + h(R | m) * a`.
> * Gives `c[A]` as the tuple `(R, s)`.

This doesn't look binding. It's easy to find another ((A,a),m) which
would validate against (R,s). Just choose m and choose a = (s - r)
h(R||m)^-1.

Cheers,

LL
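The quoted (R, s) commitment and the equivocation LL describes, worked through in a toy group as an added example (not code from this thread). The group parameters, the byte encoding fed to h, and the function names are constructed for illustration and are not Bitcoin's curve or any MuSig implementation.

```python
"""Toy model of the proposed (R, s) commitment and why it is not binding."""
import hashlib

# Constructed toy group: the prime-order-Q subgroup of Z_p^* with P = 2Q + 1.
# A "point" is an integer and "a * G" is pow(G, a, P); not secp256k1.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1  # G generates the order-Q subgroup


def h(R: int, m: bytes) -> int:
    """h(R | m) from the proposal, reduced into the scalar field (mod Q)."""
    digest = hashlib.sha256(R.to_bytes(4, "big") + b"|" + m).digest()
    return int.from_bytes(digest, "big") % Q


def commit(a: int, r: int, m: bytes):
    """Committer's side: c[A] = (R, s) with R = r*G and s = r + h(R|m)*a."""
    R = pow(G, r, P)
    s = (r + h(R, m) * a) % Q
    return (R, s)


def verify_open(c, A: int, m: bytes) -> bool:
    """Receiver's check, s*G == R + h(R|m)*A, written multiplicatively."""
    R, s = c
    return pow(G, s, P) == (R * pow(A, h(R, m), P)) % P


def equivocate(c, r: int, m_prime: bytes):
    """The committer, who knows r, opens the same (R, s) to a different key:
    a' = (s - r) * h(R|m')^-1, which is exactly the observation above."""
    R, s = c
    hp = h(R, m_prime)
    while hp == 0:  # inverse undefined for 0; perturb m' (rare, but handled)
        m_prime += b"."
        hp = h(R, m_prime)
    a_prime = ((s - r) * pow(hp, -1, Q)) % Q
    return a_prime, pow(G, a_prime, P), m_prime
```

The honest opening and the equivocated opening both pass `verify_open` against the same commitment, which is the binding failure the message points out.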

