From: Lloyd Fournier
Date: Sun, 8 Dec 2019 17:10:00 +1100
To: ZmnSCPxj
Cc: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Composable MuSig

Hi ZmnSCPxj,

I think your idea of allowing multiple Rs is a fine solution as it would essentially mean that you were just doing a three party MuSig with a more specific communication structure. As you mentioned, this is not quite ideal though.

> It seems to me that what is needed for a composable MuSig is to have a commitment scheme which is composable.

Maybe. Showing certain attacks don't work is a first step. It would take some deeper analysis of the security model to figure out what exactly the MuSig requires of the commitment scheme.

> To create a commitment `c[A]` on the point A, such that `A = a * G`, the committer:
>
> * Generates random scalars `r` and `m`.
> * Computes `R` as `r * G`.
> * Computes `s` as `r + h(R | m) * a`.
> * Gives `c[A]` as the tuple `(R, s)`.

This doesn't look binding. It's easy to find another ((A,a),m) which would validate against (R,s). Just choose m and choose a = (s - r) h(R||m)^-1.

Cheers,

LL
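The non-binding observation in the reply above, run end to end as an added example (not code from the thread or from any MuSig implementation): the committer, who knows `r`, picks a fresh `m` and solves for a second key that opens the same `(R, s)`. Assumptions: secp256k1 as the group, SHA-256 over fixed-width encodings as `h`, the opening check `s*G == R + h(R | m)*A`, and all function names.

```python
import hashlib
import secrets

# secp256k1 (assumed group; the thread only writes "G")
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, p):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def h(R, m):  # h(R | m): SHA-256 over 32-byte big-endian fields (assumed encoding)
    data = b"".join(v.to_bytes(32, "big") for v in (*R, m))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def commit(a):
    """The quoted scheme: c[A] = (R, s) with s = r + h(R | m) * a."""
    r, m = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    R = mul(r, G)
    return (R, (r + h(R, m) * a) % N), r, m

def opens(c, A, m):  # assumed opening check: s*G == R + h(R | m)*A
    R, s = c
    return mul(s, G) == add(R, mul(h(R, m), A))

def second_opening(c, r):
    """Pick a fresh m, then solve a = (s - r) * h(R || m)^-1 mod N."""
    R, s = c
    m2 = secrets.randbelow(N - 1) + 1
    a2 = (s - r) * pow(h(R, m2), -1, N) % N
    return mul(a2, G), m2
```

`opens(c, A, m)` and `opens(c, A2, m2)` both return `True` for the same `c`, with `A2 != A`, which is what "not binding" means here.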