public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] Sum of the keys attack on taproot
@ 2021-05-15 10:21 vjudeu
  2021-05-15 20:25 ` Tim Ruffing
  0 siblings, 1 reply; 3+ messages in thread
From: vjudeu @ 2021-05-15 10:21 UTC (permalink / raw)
  To: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 724 bytes --]

We have some taproot address with private key "a" and public key "a*G", owned by Alice. Bob wants to take Alice's coins without her permission. He owns taproot address with private key "b" and public key "b*G". He knows "a*G" by exploring the chain and looking for P2TR outputs. To grab Alice's funds, he creates "(b-a)*G" taproot address and send some small amount to this address. Then, Bob can create a transaction with two inputs, taking coins from "a*G" and "(b-a)*G" addresses. All that is needed is producing a signature matching the sum of the public keys used in taproot, which is "(a+b-a)*G", reduced to "b*G", so Bob uses his "b" private key to produce Schnorr signature. Is there any protection from this attack?

[-- Attachment #2: Type: text/html, Size: 737 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bitcoin-dev] Sum of the keys attack on taproot
  2021-05-15 10:21 [bitcoin-dev] Sum of the keys attack on taproot vjudeu
@ 2021-05-15 20:25 ` Tim Ruffing
  2021-05-15 20:35   ` Ruben Somsen
  0 siblings, 1 reply; 3+ messages in thread
From: Tim Ruffing @ 2021-05-15 20:25 UTC (permalink / raw)
  To: vjudeu, Bitcoin Protocol Discussion

On Sat, 2021-05-15 at 12:21 +0200, vjudeu via bitcoin-dev wrote:


>  All that is needed is producing a signature matching the sum of the
> public keys used in taproot, which is "(a+b-a)*G", 

This is simply not true.

Taproot does not enable this, or any other form of "cross-input
aggregation", i.e., spending multiple UTXOs with a single signature. 


Tim



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [bitcoin-dev] Sum of the keys attack on taproot
  2021-05-15 20:25 ` Tim Ruffing
@ 2021-05-15 20:35   ` Ruben Somsen
  0 siblings, 0 replies; 3+ messages in thread
From: Ruben Somsen @ 2021-05-15 20:35 UTC (permalink / raw)
  To: vjudeu; +Cc: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 848 bytes --]

What Tim said is right. To add to that, you may also wish to read about
MuSig:
https://blockstream.com/2018/01/23/en-musig-key-aggregation-schnorr-signatures/

Cheers,
Ruben

On Sat, May 15, 2021 at 10:32 PM Tim Ruffing via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Sat, 2021-05-15 at 12:21 +0200, vjudeu via bitcoin-dev wrote:
>
>
> >  All that is needed is producing a signature matching the sum of the
> > public keys used in taproot, which is "(a+b-a)*G",
>
> This is simply not true.
>
> Taproot does not enable this, or any other form of "cross-input
> aggregation", i.e., spending multiple UTXOs with a single signature.
>
>
> Tim
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 1561 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-05-15 20:35 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-15 10:21 [bitcoin-dev] Sum of the keys attack on taproot vjudeu
2021-05-15 20:25 ` Tim Ruffing
2021-05-15 20:35   ` Ruben Somsen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox