From: Jonas Nick
Date: Wed, 30 Apr 2025 07:59:15 +0000
Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures
To: bitcoindev@googlegroups.com
In-Reply-To: <604ca4d2-48c6-4fa0-baa6-329a78a02201n@googlegroups.com>

Thanks for your comments.

> That side note reminds me of my first question: would it not be appropriate
> to include a proof of the zero knowledgeness property of the scheme, and
> not only the soundness? I can kind of accept the answer "it's trivial"
> based on the structure of the partial sig components (s_k = r_k1 + br_k2 +
> c_k x_k) being "identical" to baseline Schnorr?

That partial signatures do not leak information about the secret key x_k is
implied by the security theorem for DahLIAS: If information would leak, the
adversary could use that to win the unforgeability game. However, the
adversary doesn't win the game unless the adversary solves the DL problem or
finds a collision in hash function Hnon.

> The side note also raises this point: would it be a good idea to explicitly
> write down ways in which the usage of the scheme/structure can, and cannot,
> be optimised for the single-party case?

This is a very interesting point, probably out of scope for the paper. A
single-party signer, given secret keys x1, ..., xn for public keys X1, ..., Xn,
can draw r at random, compute R := r*G and then set
s := r + c1*x1 + ... + cn*xn. So this would only require a single group
multiplication.

> On that last point about "proof of knowledge of R", I suddenly realised
> it's not a viable suggestion: of course it defends against key subtraction
> attacks, but does not defend at all against the ability to grind nonces
> adversarially in a Wagner type attack

We believe Appendix B provides a helpful characterization of "Wagner-style"
vulnerabilities. Roughly speaking, it shows that if the adversary can ask the
signer to produce a partial signature s = r + c*x or s' = r + c'*x such that
c != c', then the scheme is vulnerable. In your "proof of knowledge of R"
idea, the adversary can choose to provide either R2 or R2' in a signing
request, which would result in the same "effective nonce" r being used by the
signer but different challenges c and c'.

Archived at: https://groups.google.com/d/msgid/bitcoindev/f9e082e3-4079-40b6-aa49-5d1b9b3b1e29%40gmail.com
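The following is an added illustration, not code from the DahLIAS paper or from this thread. It uses a small pure-Python secp256k1 implementation to show two points made above: the single-party shortcut (one nonce r, R = r*G, s = r + c1*x1 + ... + cn*xn, checked with the aggregate equation s*G = R + c1*X1 + ... + cn*Xn), and why the "same effective nonce, different challenge" condition from the Appendix B characterization is fatal: two partial signatures s = r + c*x and s' = r + c'*x with c != c' determine x outright, which is why a signer must never answer two signing requests with the same effective nonce. The per-signer challenge H(R, X_i, m_i) and the function names are assumptions chosen for this example; the paper's actual challenge derivation is not reproduced here.

```python
# Added example (not the paper's or the mailing list's code): toy secp256k1
# arithmetic to illustrate the single-party aggregate signature shortcut and
# the "same nonce, different challenge" failure condition discussed above.
import hashlib
import secrets

# secp256k1 parameters: field prime P, group order N, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine point addition on secp256k1 (y^2 = x^3 + 7); None is infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, X, msg):
    """Placeholder per-signer challenge c_i = H(R, X_i, m_i) mod n (assumption,
    not the paper's challenge derivation)."""
    h = hashlib.sha256(encode(R) + encode(X) + msg).digest()
    return int.from_bytes(h, "big") % N


def single_party_sign(secret_keys, msgs):
    """One signer holding x_1..x_n: a single nonce r and a single group
    multiplication R = r*G; s = r + sum(c_i * x_i)."""
    pubkeys = [point_mul(x, G) for x in secret_keys]
    r = secrets.randbelow(N - 1) + 1
    R = point_mul(r, G)
    s = r
    for x, X, m in zip(secret_keys, pubkeys, msgs):
        s = (s + challenge(R, X, m) * x) % N
    return pubkeys, (R, s)


def aggregate_verify(pubkeys, msgs, sig):
    """Verifier check: s*G == R + c_1*X_1 + ... + c_n*X_n."""
    R, s = sig
    rhs = R
    for X, m in zip(pubkeys, msgs):
        rhs = point_add(rhs, point_mul(challenge(R, X, m), X))
    return point_mul(s, G) == rhs


def recover_from_shared_nonce(s1, c1, s2, c2):
    """Two partial signatures s_i = r + c_i*x with the same effective nonce r
    and c1 != c2 determine x = (s1 - s2) / (c1 - c2) mod n. This is the
    simplest instance of the condition described above; a signer that never
    reuses r across requests is not subject to it."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return (s1 - s2) * pow(c1 - c2, -1, N) % N


def demo_shared_nonce_leak(x):
    """Constructed scenario: a signer answers two requests with the same r but
    different challenges; returns True if x is recovered from (s1, s2)."""
    r = secrets.randbelow(N - 1) + 1
    c1, c2 = 7, 11  # constructed distinct challenges
    s1 = (r + c1 * x) % N
    s2 = (r + c2 * x) % N
    return recover_from_shared_nonce(s1, c1, s2, c2) == x
```

Running `single_party_sign` with three keys and three messages and passing the result to `aggregate_verify` shows the aggregate equation holding with only one nonce drawn; `demo_shared_nonce_leak` shows the algebra behind the Appendix B condition, which is the property the "proof of knowledge of R" variant fails to rule out.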