Sender: Jonas Nick <jonasdnick@gmail.com>
Message-ID: <f9e082e3-4079-40b6-aa49-5d1b9b3b1e29@gmail.com>
Date: Wed, 30 Apr 2025 07:59:15 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive
 Aggregate Signatures
To: bitcoindev@googlegroups.com
References: <be3813bf-467d-4880-9383-2a0b0223e7e5@gmail.com>
 <039cb943-5c94-44ba-929b-abec281082a8n@googlegroups.com>
 <604ca4d2-48c6-4fa0-baa6-329a78a02201n@googlegroups.com>
Content-Language: en-US
From: Jonas Nick <jonasd.nick@gmail.com>
In-Reply-To: <604ca4d2-48c6-4fa0-baa6-329a78a02201n@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed

Thanks for your comments.

> That side note reminds me of my first question: would it not be appropriate
> to include a proof of the zero knowledgeness property of the scheme, and
> not only the soundness? I can kind of accept the answer "it's trivial"
> based on the structure of the partial sig components (s_k = r_k1 + br_k2 +
> c_k x_k) being "identical" to baseline Schnorr?

That partial signatures do not leak information about the secret key x_k is
implied by the security theorem for DahLIAS: if information leaked, the
adversary could use it to win the unforgeability game. However, the adversary
doesn't win the game unless the adversary solves the DL problem or finds a
collision in the hash function Hnon.

> The side note also raises this point: would it be a good idea to explicitly
> write down ways in which the usage of the scheme/structure can, and cannot,
> be optimised for the single-party case?

This is a very interesting point, probably out of scope for the paper. A
single-party signer, given secret keys x1, ..., xn for public keys X1, ..., Xn,
can draw r at random, compute R := r*G and then set s := r + c1*x1 + ... +
cn*xn. So this would only require a single group multiplication.

> On that last point about "proof of knowledge of R", I suddenly realised
> it's not a viable suggestion: of course it defends against key subtraction
> attacks, but does not defend at all against the ability to grind nonces
> adversarially in a Wagner type attack

We believe Appendix B provides a helpful characterization of "Wagner-style"
vulnerabilities. Roughly speaking, it shows that if the adversary can ask the
signer to produce a partial signature s = r + c*x or s' = r + c'*x such that
c != c', then the scheme is vulnerable. In your "proof of knowledge of R"
idea, the adversary can choose to provide either R2 or R2' in a signing
request, which would result in the same "effective nonce" r being used by the
signer but different challenges c and c'.

-- 
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f9e082e3-4079-40b6-aa49-5d1b9b3b1e29%40gmail.com.
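The single-party shortcut described in the reply above (one R := r*G, then s := r + c1*x1 + ... + cn*xn, verified as s*G == R + c1*X1 + ... + cn*Xn), as an added example that is not code from the email or from the DahLIAS paper. The per-signer challenge hash, the toy affine secp256k1 arithmetic and the multiplication counter are assumptions made here for illustration, not the paper's Hsig/Hnon definitions.

```python
# Added example: single-party aggregate Schnorr-style signing with a single
# scalar multiplication. Toy secp256k1 arithmetic (assumption), no side-channel
# hardening; the challenge hash is a simplified stand-in (assumption).
import hashlib, secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                       # affine point addition, None = infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:      lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

MULS = [0]                           # counts scalar multiplications (the costly op)
def mul(k, A):
    MULS[0] += 1
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A); k >>= 1
    return R

def enc(A): return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def challenge(R, pairs, i):
    # c_i binds the aggregate nonce R, every (X_j, m_j) pair and the index i.
    h = hashlib.sha256(enc(R) + i.to_bytes(4, "big"))
    for X, m in pairs: h.update(enc(X) + m)
    return int.from_bytes(h.digest(), "big") % N

def keygen(xs, msgs):                # public keys X_i = x_i*G, paired with m_i
    return [(mul(x, G), m) for x, m in zip(xs, msgs)]

def sign_single_party(xs, pairs):
    """Holder of x_1..x_n: one random r, R := r*G, s := r + sum c_i*x_i."""
    MULS[0] = 0
    r = secrets.randbelow(N - 1) + 1
    R = mul(r, G)                    # the only group multiplication in signing
    s = (r + sum(challenge(R, pairs, i) * x for i, x in enumerate(xs))) % N
    return R, s, MULS[0]

def verify(R, s, pairs):             # s*G == R + c_1*X_1 + ... + c_n*X_n
    rhs = R
    for i, (X, _) in enumerate(pairs):
        rhs = add(rhs, mul(challenge(R, pairs, i), X))
    return mul(s, G) == rhs
```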