From: Tom Trevethan <tom@commerceblock.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Blinded 2-party Musig2
Date: Wed, 30 Aug 2023 11:52:05 +0100 [thread overview]
Message-ID: <CAJvkSsfcp2shLjEdwRKtBJBO+wiV=m5X_Ys1sTwUZKZWg9-HeQ@mail.gmail.com> (raw)
In-Reply-To: <CAJvkSsduvkdhpi=KtTpzXan-wdZrCu9AMbfeZUjuZmfCY774mA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4197 bytes --]
An update on progress on the development of the blinded two-party Schnorr
scheme for statechains.
As stated previously, we believe that one-more-signature and Wagner attacks
are mitigated by the client committing the values of the blinding nonce
used (labeled f) and the value of R2 used in a signing session to the
server before the server responds with their value of R1. Then each time
the generated signature is verified (in our application this is a new
statecoin owner), the verifier retrieves the commitments and blinded
challenge value from the server (c, SHA256(f) and SHA256(R2)) and f and R2
from the co-signer, and verifies that the blinded challenge value c = f +
SHA256(X, R1 + R2 + f.X, m) and the commitments match f,R2. This ensures
the signer cannot have chosen the values of f and R2 after the value of R1
is randomly generated by the server.
This scheme has been implemented in a forked version of the secp256k1-zkp
library: https://github.com/ssantos21/secp256k1-zkp where a new function
has been added secp256k1_blinded_musig_nonce_process (
https://github.com/ssantos21/secp256k1-zkp/blob/ed08ad7603f211fdf39b5f6db9d7e99cf048a56c/src/modules/musig/session_impl.h#L580
) which is required for the client generation of the blinded challenge
value.
One issue that came up and had to be solved was ensuring the R (curve
point) is even (in MuSig2 the secret nonce is negated if R is odd) with the
point f.X added (and f committed to). We will add a complete explanation of
this to the updated spec.
The scheme is implemented in a blind server:
https://github.com/ssantos21/blinded-musig-sgx-server
And client:
https://github.com/ssantos21/blinded-musig2-client
Any comments or questions appreciated.
On Mon, Aug 7, 2023 at 1:55 AM Tom Trevethan <tom@commerceblock.com> wrote:
> A follow up to this, I have updated the blinded statechain protocol
> description to include the mitigation to the Wagner attack by requiring the
> server to send R1 values only after commitments made to the server of the
> R2 values used by the user, and that all the previous computed c values are
> verified by each new statecoin owner.
> https://github.com/commerceblock/mercury/blob/master/layer/protocol.md
>
> Essentially, the attack is possible because the server cannot verify that
> the blinded challenge (c) value it has been sent by the user has been
> computed honestly (i.e. c = SHA256(X1 + X2, R1 + R2, m) ), however this CAN
> be verified by each new owner of a statecoin for all the previous
> signatures.
>
> Each time an owner cooperates with the server to generate a signature on a
> backup tx, the server will require that the owner send a commitment to
> their R2 value: e.g. SHA256(R2). The server will store this value before
> responding with it's R1 value. This way, the owner cannot choose the value
> of R2 (and hence c).
>
> When the statecoin is received by a new owner, they will receive ALL
> previous signed backup txs for that coin from the sender, and all the
> corresponding R2 values used for each signature. They will then ask the
> server (for each previous signature), the commitments SHA256(R2) and the
> corresponding server generated R1 value and c value used. The new owner
> will then verify that each backup tx is valid, and that each c value was
> computed c = SHA256(X1 + X2, R1 + R2, m) and each commitment equals
> SHA256(R2). This ensures that a previous owner could not have generated
> more valid signatures than the server has partially signed.
>
> On Thu, Jul 27, 2023 at 2:25 PM Tom Trevethan <tom@commerceblock.com>
> wrote:
>
>>
>> On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdnick@gmail.com> wrote:
>>
>>> No, proof of knowledge of the r values used to generate each R does not
>>> prevent
>>> Wagner's attack. I wrote
>>>
>>> > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>>> > c[0] + ... + c[K-1] = c[K].
>>>
>>> You can think of this as actually choosing scalars r2[0], ..., r2[K-1]
>>> and
>>> define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't
>>> make
>>> sense if he didn't.
>>>
>>
[-- Attachment #2: Type: text/html, Size: 5798 bytes --]
next prev parent reply other threads:[~2023-08-30 10:52 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-24 7:46 [bitcoin-dev] Blinded 2-party Musig2 Tom Trevethan
2023-07-24 10:50 ` ZmnSCPxj
2023-07-24 14:25 ` Erik Aronesty
2023-07-24 16:08 ` Tom Trevethan
2023-07-24 15:57 ` Tom Trevethan
2023-07-24 14:12 ` Jonas Nick
2023-07-24 14:40 ` Erik Aronesty
2023-07-24 15:40 ` Jonas Nick
2023-07-24 16:51 ` AdamISZ
2023-07-25 14:12 ` Erik Aronesty
2023-07-25 16:05 ` Tom Trevethan
2023-07-26 4:09 ` Erik Aronesty
2023-07-26 17:40 ` Andrew Poelstra
2023-07-26 19:59 ` Jonas Nick
2023-07-26 20:35 ` Tom Trevethan
2023-07-26 22:06 ` Erik Aronesty
2023-07-27 2:54 ` Lloyd Fournier
2023-07-27 8:07 ` Jonas Nick
[not found] ` <CAJvkSsfa8rzbwXiatZBpwQ6d4d94yLQifK8gyq3k-rq_1SH4OQ@mail.gmail.com>
2023-07-27 13:25 ` [bitcoin-dev] Fwd: " Tom Trevethan
2023-08-07 0:55 ` [bitcoin-dev] " Tom Trevethan
2023-08-08 17:44 ` moonsettler
2023-08-09 15:14 ` Tom Trevethan
2023-08-10 3:30 ` Lloyd Fournier
2023-08-10 11:59 ` Tom Trevethan
2023-08-14 6:31 ` Lloyd Fournier
2023-08-30 10:52 ` Tom Trevethan [this message]
2023-07-24 15:39 ` Jonas Nick
2023-07-24 16:22 ` Tom Trevethan
2023-07-26 9:44 ` moonsettler
2023-07-26 14:59 ` Jonas Nick
2023-07-26 19:19 ` AdamISZ
2023-07-26 19:28 ` moonsettler
2023-07-27 5:51 ` AdamISZ
[not found] <mailman.125690.1690381971.956.bitcoin-dev@lists.linuxfoundation.org>
2023-07-26 16:32 ` Tom Trevethan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJvkSsfcp2shLjEdwRKtBJBO+wiV=m5X_Ys1sTwUZKZWg9-HeQ@mail.gmail.com' \
--to=tom@commerceblock.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox