public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Erik Aronesty <erik@q32.com>
To: Gregory Maxwell <greg@xiph.org>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP
Date: Tue, 11 Sep 2018 12:34:11 -0400	[thread overview]
Message-ID: <CAJowKg+-45h6vraL1PpnqfhHSbG+G40L+FD7xN+C-Dn1E6Y_Vg@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgT0uBGbLBOW4TxA-qCzOLwoQ1qSV-R0dMKRzPLAm_UOqQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2731 bytes --]

 To answer points:

- I switched to the medium article so that I could correct, edit and
improve things to make them more clear.
- I responded to feedback by modifying the protocol to make it work - not
by ignoring it.
- I coded it up in python so I could be sure it worked, because I was
concerned that it was broken
- Yes, coding it up showed me that it's definitely interactive, and no
different than a "standard shnorr sig" in any meaningful way regarding the
security
- No special protocol support is needed over Schnorr signing itself.  The
e, s version can be made at least as secure as schnorr + DLP.  I haven't
researched the R,s version.
- An M-1 rogue-key attack would require the attacker would to either

  - attack the hash function to produce a predictable R based on a known
mesage
  - attack the DLP to influence x or k

Neither attack gives any particular advantage to someone who has M-1 keys.

I haven't tested whether the R,s version is susceptible though.


On Thu, Sep 6, 2018 at 9:15 AM Gregory Maxwell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Wed, Sep 5, 2018 at 1:49 PM Erik Aronesty via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Detailed explanation with code snippets:
> >
> > https://medium.com/@simulx/an-m-of-n-bitcoin-multisig-scheme-[snip]
>
> This appears to be a repost of the broken scheme you posted about on
> Bitcointalk, but then failed to respond to the response.
>
> https://bitcointalk.org/index.php?topic=4973123.0
>
> > The more I look into it and speak to professors about i, the more it
> seems "so trivial nobody really talks about it".
>
> I think you might be falling into the trap of ignoring feedback you
> don't like and and accepting that which sounds like "yea yea,
> something like that".
>
> Something "like that" does work: and is expressly and explicitly
> anticipated by the BIP but to be both secure and functional requires
> proper delineation (E.g. musig) _and_ interaction. What you're
> proposing is continually vague.  My best efforts at making sense of
> what you've written indicate that either it's non-interactive and
> not-actually functional at all,  OR it's interactive and just a less
> secure subset (no proper delinearization to prevent rogue key attacks)
> of what we already propose.
>
> When Poelstra suggests a CAS implementation he means something like
> this Sage notebook: http://bitcoin.ninja/secp256k1.ecdsa.sage  This
> provides for a method of communicating in both directions which is
> completely precise.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 4183 bytes --]

  reply	other threads:[~2018-09-11 16:34 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-06 18:08 [bitcoin-dev] Schnorr signatures BIP Pieter Wuille
2018-07-06 21:05 ` Russell O'Connor
2018-07-06 22:00   ` Gregory Maxwell
2018-07-06 22:01     ` Gregory Maxwell
2018-07-08 14:36     ` Russell O'Connor
2018-07-14 15:42 ` Sjors Provoost
2018-07-14 21:20   ` Pieter Wuille
2018-08-04 12:22     ` Russell O'Connor
2018-08-05 14:33       ` Russell O'Connor
2018-08-06  8:39         ` Anthony Towns
2018-08-06 14:00           ` Russell O'Connor
2018-08-06 21:12 ` Tim Ruffing
2018-08-12 16:37   ` Andrew Poelstra
2018-08-29 12:09     ` Erik Aronesty
2018-09-03  0:05       ` Andrew Poelstra
2018-09-05 12:26         ` Erik Aronesty
2018-09-05 13:05           ` Andrew Poelstra
2018-09-05 13:14             ` Erik Aronesty
2018-09-05 15:35           ` Gregory Maxwell
2018-09-11 16:34             ` Erik Aronesty [this message]
2018-09-11 17:00               ` Gregory Maxwell
2018-09-11 17:20                 ` Erik Aronesty
2018-09-11 17:27                   ` Gregory Maxwell
2018-09-11 17:37                     ` Erik Aronesty
2018-09-11 17:51                       ` Gregory Maxwell
2018-09-11 18:30                         ` Erik Aronesty
2018-09-13 18:46                       ` Andrew Poelstra
2018-09-13 20:20                         ` Erik Aronesty
2018-09-14 14:38                           ` Andrew Poelstra
2018-09-20 21:12 ` Russell O'Connor
2018-07-07  2:47 Артём Литвинович

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAJowKg+-45h6vraL1PpnqfhHSbG+G40L+FD7xN+C-Dn1E6Y_Vg@mail.gmail.com \
    --to=erik@q32.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=greg@xiph.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox