From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id DCB38C77 for ; Fri, 20 Jul 2018 17:34:32 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f54.google.com (mail-wm0-f54.google.com [74.125.82.54]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B3D85755 for ; Fri, 20 Jul 2018 17:34:31 +0000 (UTC) Received: by mail-wm0-f54.google.com with SMTP id o11-v6so10160613wmh.2 for ; Fri, 20 Jul 2018 10:34:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:cc; bh=tEjmQKMhB5d0vgFbIa5jABj3LlHCWF1Ad16sua/Ly0w=; b=u1WAegjZvMyI8SwzKeFcrKsFioN7zV93SNEVW/S9kfUoVPsNkqvxbFOv1517UcrT51 fWwp8HK36NhVTWEl4v01H2nwJFe3AQk/z8hr+qSCLBj9p38IODaXminRGVUmqCqVQA28 LzCJ+ihF0ooXh7S/BauJYSHt/mo+X/nh3FiZLz8yNmzdB+ISEpthVrLlBlFKNMXzHy4G Ey7LxNg6pn4VrykeanElw5kjz1OVuBeD9LL0q2W9UUxUVKRX4zdTXeEr2SIteRb5y9sm yy8RzhiyIj+pPZDBRn/uWX3bmQitaUrmVR6nZbyfnGLxU3Uu6Gxt9egiQmSjS1zqaS7A CF4A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:cc; bh=tEjmQKMhB5d0vgFbIa5jABj3LlHCWF1Ad16sua/Ly0w=; b=lyRKX11HuxVctyT2j74cBa8VZwMu6zMAcjRQRR62+ORDzrXAhmlmk2kkvcO+YtFvjf mqnZYn4rlNiFURgkVl5YeSP/x0fqG9rQ0qtEHPly11EtOP7RfBsWyfiBI8cmIOUZrfPr Kd2kvOX7CsBV/pML5h31rb1/bOnFAmTxBklJvfEy4nGQLweVaj7I/i4eYY67aJYaEMxk qsiUEGmKJUF/aqzTpyFopYqpXI390LQmevwR9hd+Tcks5J4lMJuL5H+YdM5hGRG+XOFI 5mGj8hT5mKSg5MC4GTNSAe9RZ9z8CGswDuMUl5aujdBELL9RzQxbR3Sp/sGQVZlxilyO d6lg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:cc; bh=tEjmQKMhB5d0vgFbIa5jABj3LlHCWF1Ad16sua/Ly0w=; b=felHoePd+iOUdFZxysG1bjq6Wgk2xJ/Eno7elwlW54Ezj9m5vW9TA4pXwouFLTFEv/ SBDBwq4lFaernEEb5T+BI4E9inAJCM4M7uWr5il1cMIBRq8nUXiZnqqUbtCwlLScHGH8 1Kb1hS71q/oGe0YCZaQU4fy6V7l7RBOs63mewPTuIj0jmdBUhkxxqtP9CludytT2uPX7 he5fOH4uNRNFK2DxhwSLH5iU4WNQPjSx13f9VM+DQzDRcnR97e0XtqyMH8eppdx7COD1 n1m8Z4u6g6ffRy0pvy3D5hwfQT3hcCcDPIVPwvl4ufHq6bci4B+yCBiWPuLDL6yGzBES T6tA== X-Gm-Message-State: AOUpUlE01g/3ljvsRHeVjMc1dKzW1OyZgAxmPGSeGTKhAH4B2aPkn0kb c6dSN0QRzD7ZzrT6jXD6OmpY0gMMooFaSlK42eLJqlnJjO6K X-Google-Smtp-Source: AAOMgpegMYPIc8z2R+cwTXc6i3NGMULZwAAxC5XapCinbsjePA7VpNpsQwHrKUUnmBYAwT8/BzwikPEA2CPf5x4t+jQ= X-Received: by 2002:a1c:c019:: with SMTP id q25-v6mr2051965wmf.148.1532108070018; Fri, 20 Jul 2018 10:34:30 -0700 (PDT) MIME-Version: 1.0 Sender: earonesty@gmail.com Received: by 2002:a1c:b786:0:0:0:0:0 with HTTP; Fri, 20 Jul 2018 10:34:29 -0700 (PDT) In-Reply-To: References: <08201f2292587821e6d23f6cc201d95e6e5ad2cd.camel@timruffing.de> From: Erik Aronesty Date: Fri, 20 Jul 2018 13:34:29 -0400 X-Google-Sender-Auth: 8r5H00WkkfG-ZkTEstFcr8-08MU Message-ID: Cc: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000457f7d057171b53d" X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE, MISSING_HEADERS, RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 22 Jul 2018 12:50:59 +0000 Subject: Re: [bitcoin-dev] Multiparty signatures X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jul 2018 17:34:33 -0000 --000000000000457f7d057171b53d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, thanks for all the help. I'm going to summarize again, and see if we've arrived at the correct solution for an M of N "single sig" extension of MuSig, which I think we have. - Using MuSig's solution for the blinding to solve the Wagner attack - Using interpolation to enhance MuSig to be M of N instead of M of M References: - MuSig https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures= .html - HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1 and 7.4) Each party: 1. Publishes public key G*xi 3. Xi =3D H(G*xi) ... Xi is the parties x coordinate, for the purposes of interpolation 3. r =3D G*x =3D via interpolation of Gx1, Gx2... (see HomPrf) 4. L =3D H(X1,X2,=E2=80=A6) (see MuSig) 5. X =3D sum of all H(L,Xi)Xi (see MuSig) 6. Computes e =3D H(r | M | X) .... standard schnorr e... not a share 7. Computes si =3D xi - xe ... where si is a "share" of the sig, and xi is the private data 8. Publishes (si, e, G*Xi) Any party can then derive s from m of n shares, by interpolating, not adding. --000000000000457f7d057171b53d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi, thanks for all the help.=C2=A0 =C2=A0I'm going to s= ummarize again, and see if we've arrived at the correct solution for an= M of N "single sig" extension of MuSig, which I think we have.

- Using MuSig's solution = for the blinding to solve the Wagner attack
- Using in= terpolation to enhance MuSig to be M of N instead of M of M

References:

=
=C2=A0- HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections= 7.1 and 7.4)

Each party:

1. Publishes public key G*xi
3. Xi =3D H(G*xi) ... Xi is the parties x coordinate, f= or the purposes of interpolation
3. r =3D G*x =3D via = interpolation of Gx1, Gx2... (see=C2=A0HomPrf)
4. L =3D H(X1,= X2,=E2=80=A6) (see MuSig)
5. X =3D sum of all H(L,= Xi)Xi (see MuS= ig)
6. Computes e =3D H(r | M | X) .... standar= d schnorr e... not a share
7. Computes si =3D xi - xe = ... where si is a "share" of the sig, and xi is the private data<= /div>
8. Publishes (si, e, G*Xi)

Any party can then derive s from m of n shares, by inte= rpolating, not adding.



--000000000000457f7d057171b53d--