Date: Wed, 26 Jul 2023 19:28:50 +0000
To: AdamISZ <AdamISZ@protonmail.com>, "bitcoin-dev@lists.linuxfoundation.org"
 <bitcoin-dev@lists.linuxfoundation.org>
From: moonsettler <moonsettler@protonmail.com>
Subject: [bitcoin-dev]   Blinded 2-party Musig2

Yes, thank you!

There I assume if someone has your private key, and can satisfy the 2FA, he will just steal your coins, and not bother with extracting the co-signer's key that is specific to you. I can see how this assumption is not useful generally.

BR,
moonsettler

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, July 26th, 2023 at 9:19 PM, AdamISZ <AdamISZ@protonmail.com> wrote:


> It's an interesting idea for a protocol. If I get it right, your basic idea here is to kind of "shoehorn" in a 2FA authentication, and that the blind-signing server has no other function than to check the 2FA?
>
> This makes it different from most uses of blind signing, where counting the number of signatures matters (hence 'one more forgery' etc). Here, you are just saying "I'll sign whatever the heck you like, as long as you're authorized with this 2FA procedure".
>
> Going to ignore the details of practically what that means - though I'm sure that's where most of the discussion would end up - but just looking at your protocol in the gist:
>
> It seems you're not checking K values against attacks, so for example this would allow someone to extract the server's key from one signing:
>
> 1 Alice, after receiving K2, sets K1 = K1' - K2, where the secret key of K1' is k1'.
> 2 Chooses b as normal, sends e' as normal.
> 3 Receiving s2, calculate s = s1 + s2 as normal.
>
> So since s = k + ex = (k' + bx) + ex = k' + e'x, and you know s, k' and e', you can derive x. Then x2 = x - x1.
>
> (Gist I'm referring to: https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb)
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
>
> > Hi All,
> >
> > I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):
> >
> > Signing:
> >
> > X = X1 + X2
> > K1 = k1G
> > K2 = k2G
> >
> > R = K1 + K2 + bX
> > e = hash(R||X||m)
> >
> > e' = e + b
> > s = (k1 + e'*x1) + (k2 + e'*x2)
> > s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)
> >
> > sG = (K1 + K2 + bX) + eX
> > sG = R + eX
> >
> > Verification:
> >
> > Rv = sG - eX
> > ev = hash(R||X||m)
> > e ?= ev
> >
> > https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb
> >
> > Been trying to get a review on this for a while, please let me know if I got it wrong!
> >
> > BR,
> > moonsettler
> >
> > ------- Original Message -------
> > On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> >
> > > > Party 1 never learns the final value of (R,s1+s2) or m.
> > >
> > > Actually, it seems like a blinding step is missing. Assume the server (party 1)
> > > received some c during the signature protocol. Can't the server scan the
> > > blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> > > signature verification and then check c == c'? If true, then the server has the
> > > preimage for the c received from the client, including m.
> > > _______________________________________________
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
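
Added example, not part of the thread or the gist: the signing equations quoted above, run on secp256k1, with the hash comparison Jonas Nick describes applied to the unblinded (b = 0) and the blinded output. SHA-256, the byte encoding of hash(R||X||m), the function names and the scalars are assumptions made for the example; it shows only that this one comparison stops matching once b is added, not that the scheme is secure.

```python
import hashlib

# secp256k1 field prime, group order and generator (public curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):  # double-and-add; fine for a demo, not constant time
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(R, X, m):  # e = hash(R||X||m) mod N; this byte encoding is an assumption
    data = b"".join(c.to_bytes(32, "big") for c in R + X) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(x1, x2, k1, k2, b, m):  # b = 0 gives the unblinded protocol
    X = add(mul(x1, G), mul(x2, G))                      # X = X1 + X2
    R = add(add(mul(k1, G), mul(k2, G)), mul(b, X))      # R = K1 + K2 + bX
    e_prime = (H(R, X, m) + b) % N                       # e' = e + b, sent to co-signer
    s = ((k1 + e_prime * x1) + (k2 + e_prime * x2)) % N  # s = s1 + s2
    return X, R, s, e_prime

def verify(X, R, s, m):  # sG == R + eX
    return mul(s, G) == add(R, mul(H(R, X, m), X))

def cosigner_links(e_prime, X, R, m):  # recompute hash from the published signature
    return e_prime == H(R, X, m)

def demo(b, m=b"constructed message"):  # constructed scalars, not real keys
    X, R, s, e_prime = sign(0x1111, 0x2222, 0x3333, 0x4444, b, m)
    return verify(X, R, s, m), cosigner_links(e_prime, X, R, m)
```

demo(0) returns whether the signature verifies and whether the co-signer's hash comparison matches for the unblinded run; demo(b) with a nonzero b does the same for the blinded run.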