From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id CF1D3C0032 for ; Tue, 25 Jul 2023 14:12:44 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id A93FB40BAD for ; Tue, 25 Jul 2023 14:12:44 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A93FB40BAD Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=q32-com.20221208.gappssmtp.com header.i=@q32-com.20221208.gappssmtp.com header.a=rsa-sha256 header.s=20221208 header.b=jqXHlNae X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.399 X-Spam-Level: X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3glHg0Y0xGM for ; Tue, 25 Jul 2023 14:12:43 +0000 (UTC) Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) by smtp2.osuosl.org (Postfix) with ESMTPS id 4B86440B91 for ; Tue, 25 Jul 2023 14:12:43 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4B86440B91 Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-cfebdba63cdso821858276.0 for ; Tue, 25 Jul 2023 07:12:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20221208.gappssmtp.com; s=20221208; t=1690294362; x=1690899162; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=B6OKeaSQJ0TNolxBXAXC+O9p1oARizz0xyZ0UXTgrdc=; b=jqXHlNae9EwcjcvHiw5n0ToMZcZPkHw3bGdwCjkNPJYibSW1BKoNWz+kxml72PX0aH 4i79zVJEOdGqCLfT7djTO4ODsEvafHrcNOZZ1IC9wfgR2MsA9+jCecq4lfE+QDoj09Zz hLz/wnImLtBZp4RkzbEIuo4kpkHmRRABLOX7SMazKZwD1FtjbYtXl3uu9X8Emggs5vVI I5x12yQE2peKiUydfW8m6zUx5JBpTRA9OPdEcRLzqXz3uJ7bLYxOMKx2uz7YwE14wuSR ZosP3xHHySDqyjTvuKT9ofrtZVaRU2LWjWcSzFuxocAFykC/pceMeBHjSN7GUjyHxN17 Pr9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690294362; x=1690899162; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=B6OKeaSQJ0TNolxBXAXC+O9p1oARizz0xyZ0UXTgrdc=; b=NnGjtsvurQb31eTK2GEvGUIeldkiTt/xVeN0/MdmQIGI1TKQtla5c9VbmX/NlQMJNj fTC3FC7hcP43p52iaHyzGIKDYJA43yyo+2OfujpNJZsr86YROJXOx7ai+NDfxHaM47MI 5z6ghym9o1+SbL5mLXMj9WlUN3JgtO99EcgTBC0mmZgKhYnqC2hA5h/xdRtnB+xRqypP 2A5fUqF8OPnDZPQJH8eL+iTESBHncUqWGPMu0xoqGS7mRIx3dMAH9z/aQNL11gAZPT7S UlKGId1ZnFem+68sKSOnBoublbg3QFXlIPVd6zygzxXH8D1rA2AjTKahNLFtNUnH1ErC L8ug== X-Gm-Message-State: ABy/qLYoCczl576jhTjf4rwSWaFUchuQHCp3oWiIKiARE0+Krmie9X0T sWk2FI3JEkKkQjQZtPLLDRlSAmYPgYKF08CZT28Qif4= X-Google-Smtp-Source: APBJJlEolS2e9ekEV0u3qZb3ow2+1tzc9W8MFK1MprMwX/Yxv2bYrV8/zU9e7RVX2B0EEbCdFBZWjIcKnxYG42urgVE= X-Received: by 2002:a25:b0a6:0:b0:d1a:cfb0:1805 with SMTP id f38-20020a25b0a6000000b00d1acfb01805mr365711ybj.0.1690294362104; Tue, 25 Jul 2023 07:12:42 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Erik Aronesty Date: Tue, 25 Jul 2023 10:12:31 -0400 Message-ID: To: AdamISZ , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000004ecfb0601505307" X-Mailman-Approved-At: Tue, 25 Jul 2023 21:18:41 +0000 Cc: Tom Trevethan Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2023 14:12:44 -0000 --00000000000004ecfb0601505307 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable posk is "proof of secret key". so you cannot use wagner to select R On Mon, Jul 24, 2023 at 1:59=E2=80=AFPM AdamISZ via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > @ZmnSCPxj: > > yes, Wagner is the attack you were thinking of. > > And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the = R > commitments. > > @Tom: > As per above it seems you were more considering MuSig1 here, not MuSig2. > At least in this version. So you need the initial commitments to R. > > Jonas' reply clearly has covered a lot of what matters here, but I wanted > to mention (using your notation): > > in s1 =3D c * a1 * x1 + r1, you expressed the idea that the challenge c > could be given to the server, to construct s1, but since a1 =3D H(L, X1) = and > L is the serialization of all (in this case, 2) keys, that wouldn't work > for blinding the final key, right? > But, is it possible that this addresses the other problem? > If the server is given c1*a1 instead as the challenge for signing (with > their "pure" key x1), then perhaps it avoids the issue? Given what's on t= he > blockchain ends up allowing calculation of 'c' and the aggregate key a1X1= + > a2X2, is it the case that you cannot find a1 and therefore you cannot > correlate the transaction with just the quantity 'c1*a1' which the server > sees? > > But I agree with Jonas that this is just the start, i.e. the fundamental > requirement of a blind signing scheme is there has to be some guarantee o= f > no 'one more forgery' possibility, so presumably there has to be some pro= of > that the signing request is 'well formed' (Jonas expresses it below as a > ZKP of a SHA2 preimage .. it does not seem pretty but I agree that on the > face of it, that is what's needed). > > @Jonas, Erik: > 'posk' is probably meant as 'proof of secret key' which may(?) be a mixup > with what is sometimes referred to in the literature as "KOSK" (iirc they > used it in FROST for example). It isn't clear to me yet how that factors > into this scenario, although ofc it is for sure a potential building bloc= k > of these constructions. > > Sent with Proton Mail secure email. > > ------- Original Message ------- > On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > > > > Hi Tom, > > > > I'm not convinced that this works. As far as I know blind musig is stil= l > an open > > research problem. What the scheme you propose appears to try to prevent > is that > > the server signs K times, but the client ends up with K+1 Schnorr > signatures for > > the aggregate of the server's and the clients key. I think it's possibl= e > to > > apply a variant of the attack that makes MuSig1 insecure if the nonce > commitment > > round was skipped or if the message isn't determined before sending the > nonce. > > Here's how a malicious client would do that: > > > > - Obtain K R-values R1[0], ..., R1[K-1] from the server > > - Let > > R[i] :=3D R1[i] + R2[i] for all i <=3D K-1 > > R[K] :=3D R1[0] + ... + R1[K-1] > > c[i] :=3D H(X, R[i], m[i]) for all i <=3D K. > > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > > c[0] + ... + c[K-1] =3D c[K]. > > - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1]. > > - Let > > s[K] =3D s[0] + ... + s[K-1]. > > Then (s[K], R[K]) is a valid signature from the server, since > > s[K]G =3D R[K] + c[K]a1X1, > > which the client can complete to a signature for public key X. > > > > What may work in your case is the following scheme: > > - Client sends commitment to the public key X2, nonce R2 and message m > to the > > server. > > - Server replies with nonce R1 =3D k1G > > - Client sends c to the server and proves in zero knowledge that c =3D > > SHA256(X1 + X2, R1 + R2, m). > > - Server replies with s1 =3D k1 + c*x1 > > > > However, this is just some quick intuition and I'm not sure if this > actually > > works, but maybe worth exploring. > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000004ecfb0601505307 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
posk is "proof of secret key".=C2=A0 =C2=A0so yo= u cannot use wagner to select R

On Mon, Jul 24, 2023 at 1:59=E2=80=AFPM Adam= ISZ via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
@ZmnSCPxj:

yes, Wagner is the attack you were thinking of.

And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the R = commitments.

@Tom:
As per above it seems you were more considering MuSig1 here, not MuSig2. At= least in this version. So you need the initial commitments to R.

Jonas' reply clearly has covered a lot of what matters here, but I want= ed to mention (using your notation):

in s1 =3D c * a1 * x1 + r1, you expressed the idea that the challenge c cou= ld be given to the server, to construct s1, but since a1 =3D H(L, X1) and L= is the serialization of all (in this case, 2) keys, that wouldn't work= for blinding the final key, right?
But, is it possible that this addresses the other problem?
If the server is given c1*a1 instead as the challenge for signing (with the= ir "pure" key x1), then perhaps it avoids the issue? Given what&#= 39;s on the blockchain ends up allowing calculation of 'c' and the = aggregate key a1X1 + a2X2, is it the case that you cannot find a1 and there= fore you cannot correlate the transaction with just the quantity 'c1*a1= ' which the server sees?

But I agree with Jonas that this is just the start, i.e. the fundamental re= quirement of a blind signing scheme is there has to be some guarantee of no= 'one more forgery' possibility, so presumably there has to be some= proof that the signing request is 'well formed' (Jonas expresses i= t below as a ZKP of a SHA2 preimage .. it does not seem pretty but I agree = that on the face of it, that is what's needed).

@Jonas, Erik:
'posk' is probably meant as 'proof of secret key' which may= (?) be a mixup with what is sometimes referred to in the literature as &quo= t;KOSK" (iirc they used it in FROST for example). It isn't clear t= o me yet how that factors into this scenario, although ofc it is for sure a= potential building block of these constructions.

Sent with Proton Mail secure email.

------- Original Message -------
On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev <bitcoin= -dev@lists.linuxfoundation.org> wrote:


> Hi Tom,
>
> I'm not convinced that this works. As far as I know blind musig is= still an open
> research problem. What the scheme you propose appears to try to preven= t is that
> the server signs K times, but the client ends up with K+1 Schnorr sign= atures for
> the aggregate of the server's and the clients key. I think it'= s possible to
> apply a variant of the attack that makes MuSig1 insecure if the nonce = commitment
> round was skipped or if the message isn't determined before sendin= g the nonce.
> Here's how a malicious client would do that:
>
> - Obtain K R-values R1[0], ..., R1[K-1] from the server
> - Let
> R[i] :=3D R1[i] + R2[i] for all i <=3D K-1
> R[K] :=3D R1[0] + ... + R1[K-1]
> c[i] :=3D H(X, R[i], m[i]) for all i <=3D K.
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
> c[0] + ... + c[K-1] =3D c[K].
> - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1]. > - Let
> s[K] =3D s[0] + ... + s[K-1].
> Then (s[K], R[K]) is a valid signature from the server, since
> s[K]G =3D R[K] + c[K]a1X1,
> which the client can complete to a signature for public key X.
>
> What may work in your case is the following scheme:
> - Client sends commitment to the public key X2, nonce R2 and message m= to the
> server.
> - Server replies with nonce R1 =3D k1G
> - Client sends c to the server and proves in zero knowledge that c =3D=
> SHA256(X1 + X2, R1 + R2, m).
> - Server replies with s1 =3D k1 + c*x1
>
> However, this is just some quick intuition and I'm not sure if thi= s actually
> works, but maybe worth exploring.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000004ecfb0601505307--