From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id DC3CAC0032 for ; Mon, 24 Jul 2023 17:00:32 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id A891C416D3 for ; Mon, 24 Jul 2023 17:00:32 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org A891C416D3 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=MF7A061w X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.101 X-Spam-Level: X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcPndbrTHy81 for ; Mon, 24 Jul 2023 17:00:30 +0000 (UTC) X-Greylist: delayed 504 seconds by postgrey-1.37 at util1.osuosl.org; Mon, 24 Jul 2023 17:00:30 UTC DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 20606416CD Received: from mail-41103.protonmail.ch (mail-41103.protonmail.ch [185.70.41.103]) by smtp4.osuosl.org (Postfix) with ESMTPS id 20606416CD for ; Mon, 24 Jul 2023 17:00:29 +0000 (UTC) Date: Mon, 24 Jul 2023 16:51:44 +0000 Authentication-Results: mail-41103.protonmail.ch; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.b="MF7A061w" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1690217514; x=1690476714; bh=R4j6LM84QpUFiCC6f63g1BRaGbNCjicwbAbHbKdmwIA=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=MF7A061wOBrH1hQxLCxYlsUc4QZdjtXi353sU7yLgZqLKO+xfQxsCU7l3+hFQbV+u g6FEp/Iiaq2wClur9WzPLVBGaUrqxGVhMJdGp26bwfbUZio5MHU+rrCkeFqaEp95Cq My1iGT0tgfEEr3iODOVrjyUuyYpcWm+16/16XA0y5LTp/0DktzUccVXH3MFa+LqynD Jwg5MGU9g7pGjSlKI8ywMe8+9vPaFP4c5zrY5uwyOj+N+Desod2Duk4FcuYawGRI4m agcUDrKUmMawTKgly3n6Xe1pOnwR4WClQ4uaWX3jwwMNhREUTRH65geBO7tZUrQCoY SjXqF1W+5M4Tg== To: Tom Trevethan , Bitcoin Protocol Discussion From: AdamISZ Message-ID: In-Reply-To: References: Feedback-ID: 11565511:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Mon, 24 Jul 2023 17:59:17 +0000 Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2023 17:00:32 -0000 @ZmnSCPxj: yes, Wagner is the attack you were thinking of. And yeah, to avoid it, you should have the 3rd round of MuSig1, i.e. the R = commitments. @Tom: As per above it seems you were more considering MuSig1 here, not MuSig2. At= least in this version. So you need the initial commitments to R. Jonas' reply clearly has covered a lot of what matters here, but I wanted t= o mention (using your notation): in s1 =3D c * a1 * x1 + r1, you expressed the idea that the challenge c cou= ld be given to the server, to construct s1, but since a1 =3D H(L, X1) and L= is the serialization of all (in this case, 2) keys, that wouldn't work for= blinding the final key, right? But, is it possible that this addresses the other problem? If the server is given c1*a1 instead as the challenge for signing (with the= ir "pure" key x1), then perhaps it avoids the issue? Given what's on the bl= ockchain ends up allowing calculation of 'c' and the aggregate key a1X1 + a= 2X2, is it the case that you cannot find a1 and therefore you cannot correl= ate the transaction with just the quantity 'c1*a1' which the server sees? But I agree with Jonas that this is just the start, i.e. the fundamental re= quirement of a blind signing scheme is there has to be some guarantee of no= 'one more forgery' possibility, so presumably there has to be some proof t= hat the signing request is 'well formed' (Jonas expresses it below as a ZKP= of a SHA2 preimage .. it does not seem pretty but I agree that on the face= of it, that is what's needed). @Jonas, Erik: 'posk' is probably meant as 'proof of secret key' which may(?) be a mixup w= ith what is sometimes referred to in the literature as "KOSK" (iirc they us= ed it in FROST for example). It isn't clear to me yet how that factors into= this scenario, although ofc it is for sure a potential building block of t= hese constructions. Sent with Proton Mail secure email. ------- Original Message ------- On Monday, July 24th, 2023 at 08:12, Jonas Nick via bitcoin-dev wrote: > Hi Tom, >=20 > I'm not convinced that this works. As far as I know blind musig is still = an open > research problem. What the scheme you propose appears to try to prevent i= s that > the server signs K times, but the client ends up with K+1 Schnorr signatu= res for > the aggregate of the server's and the clients key. I think it's possible = to > apply a variant of the attack that makes MuSig1 insecure if the nonce com= mitment > round was skipped or if the message isn't determined before sending the n= once. > Here's how a malicious client would do that: >=20 > - Obtain K R-values R1[0], ..., R1[K-1] from the server > - Let > R[i] :=3D R1[i] + R2[i] for all i <=3D K-1 > R[K] :=3D R1[0] + ... + R1[K-1] > c[i] :=3D H(X, R[i], m[i]) for all i <=3D K. > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > c[0] + ... + c[K-1] =3D c[K]. > - Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1]. > - Let > s[K] =3D s[0] + ... + s[K-1]. > Then (s[K], R[K]) is a valid signature from the server, since > s[K]G =3D R[K] + c[K]a1X1, > which the client can complete to a signature for public key X. >=20 > What may work in your case is the following scheme: > - Client sends commitment to the public key X2, nonce R2 and message m to= the > server. > - Server replies with nonce R1 =3D k1G > - Client sends c to the server and proves in zero knowledge that c =3D > SHA256(X1 + X2, R1 + R2, m). > - Server replies with s1 =3D k1 + c*x1 >=20 > However, this is just some quick intuition and I'm not sure if this actua= lly > works, but maybe worth exploring. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev