Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id C6C86C0032 for ; Mon, 24 Jul 2023 11:00:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 9B4E340227 for ; Mon, 24 Jul 2023 11:00:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 9B4E340227 Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=BHrfkiKS X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.601 X-Spam-Level: X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xSzsEMCe6gbE for ; Mon, 24 Jul 2023 11:00:27 +0000 (UTC) X-Greylist: delayed 593 seconds by postgrey-1.37 at util1.osuosl.org; Mon, 24 Jul 2023 11:00:27 UTC DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 8E8D440182 Received: from mail-41103.protonmail.ch (mail-41103.protonmail.ch [185.70.41.103]) by smtp2.osuosl.org (Postfix) with ESMTPS id 8E8D440182 for ; Mon, 24 Jul 2023 11:00:27 +0000 (UTC) Date: Mon, 24 Jul 2023 10:50:13 +0000 Authentication-Results: mail-41103.protonmail.ch; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.b="BHrfkiKS" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1690195823; x=1690455023; bh=+v38b5yZxngRGZb5cz3eOM8aUcAlbOwIxyxHCDzhmUY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=BHrfkiKS5ItdWhevwJc0IBh63e7jNy6/4IZVqtU6tAf5sWWHnyM5h+iLmu+AWSdFV n7ROaX7fAxpYl3arII6Aeyvc5KjxJ5aEOu7YzS0DTJiZGJko6BH2GTOtFZAqjc1xA7 zG4nrzsJKS3aCT0mLEiq+PVgE0K9+ROH1Is4mMWEDjhW3rMuBd/LCwLkr4t6ZzA4tJ Zd96JCFxEIe7mLU2ewKiN8EiXAbI6gTeQEoCZtzFh5WfZUP8V53w6DxL4k2OYxAUqD IhSmLSbERPyI1e6TmgpLSmDEkdq1JSs/Lt94RZ+/YhB9sMOzJHCfFGGnB2dQdouv8m xReOHp9p5ar6Q== To: Tom Trevethan From: ZmnSCPxj Message-ID: <4kTcpBuEgsQQDiKbxOQwJ9ZCuHvWXGotb8eWGESe2wJs5e-6ke7435NyGmNfBRP17w7UoXR4c59v_6uQWRonHfvv_n545WPgt68a0cBQi-k=@protonmail.com> In-Reply-To: References: Feedback-ID: 2872618:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Blinded 2-party Musig2 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2023 11:00:28 -0000 Good morning Tom, Would this allow party 2 to itself be composed of N >=3D 2 parties? MuSig2 (as opposed to MuSig1) requires that signatories provide multiple `R= ` points, not just one each, which are finally aggregated by first combinin= g them using the MuSig() public key compose function. This prevents party 2 from creating an `R` that may allow it to perform cer= tain attacks whose name escapes me right now but which I used to know. (it is the reason why MuSig1 requires 3 round trips, and why MuSig2 require= s at least 2 `R` nonces per signatory) Your scheme has only one `R` per party, would it not be vulnerably to that = attack? Regards, ZmnSCPxj Sent with Proton Mail secure email. ------- Original Message ------- On Monday, July 24th, 2023 at 7:46 AM, Tom Trevethan via bitcoin-dev wrote: > We are implementing a version of 2-of-2 Schnorr Musig2 for statechains wh= ere the server (party 1 in the 2-of-2) will be fully 'blinded' - in that it= can hold a private key that is required to generate an aggregate signature= on an aggregate public key, but that it does not learn either: 1) The aggr= egate public key 2) The aggregate signature and 3) The message (m) being si= gned. >=20 > In the model of blinded statechains, the security rests on the statechain= server being trusted to report the NUMBER of partial signatures it has gen= erated for a particular key (as opposed to being trusted to enforce rules o= n WHAT it has signed in the unblinded case) and the full set of signatures = generated being verified client side https://github.com/commerceblock/mercu= ry/blob/master/doc/merc_blind.md#blinding-considerations >=20 > Given the 2-of-2 musig2 protocol operates as follows (in the following de= scription, private keys (field elements) are denoted using lower case lette= rs, and elliptic curve points as uppercase letters. G is the generator poin= t and point multiplication denoted as X =3D xG and point addition as A =3D = G + G): >=20 > Party 1 generates private key x1 and public key X1 =3D x1G. Party 2 gener= ates private key x2 and public key X2 =3D x2G. The set of pubkeys is L =3D = {X1,X2}. The key aggregation coefficient is KeyAggCoef(L,X) =3D H(L,X). The= shared (aggregate) public key X =3D a1X1 + a2X2 where a1 =3D KeyAggCoef(L,= X1) and a2 =3D KeyAggCoef(L,X2). >=20 > To sign a message m, party 1 generates nonce r1 and R1 =3D r1G. Party 2 g= enerates nonce r2 and R2 =3D r2G. These are aggregated into R =3D R1 + R2. >=20 > Party 1 then computes 'challenge' c =3D H(X||R||m) and s1 =3D c.a1.x1 + r= 1 > Party 2 then computes 'challenge' c =3D H(X||R||m) and s2 =3D c.a2.x2 + r= 2 >=20 > The final signature is then (R,s1+s2). >=20 > In the case of blinding this for party 1: >=20 > To prevent party 1 from learning of either the full public key or final s= ignature seems straightforward, if party 1 doesn't not need to independentl= y compute and verify c =3D H(X||R||m) (as they are blinded from the message= in any case). >=20 > 1) Key aggregation is performed only by party 2. Party 1 just sends X1 to= party 2. > 2) Nonce aggregation is performed only by party 2. Party 1 just sends R1 = to party 2. > 3) Party 2 computes c =3D H(X||R||m) and sends it to party 1 in order to = compute s1 =3D c.a1.x1 + r1 >=20 > Party 1 never learns the final value of (R,s1+s2) or m. >=20 > Any comments on this or potential issues would be appreciated. >=20 > Tom