moonsettler [ARCHIVE] on Nostr: 📅 Original date posted:2023-07-26 🗒️ Summary of this message: The author ...
📅 Original date posted:2023-07-26
🗒️ Summary of this message: The author proposes a solution to the blinding issue in a signature protocol and seeks feedback on its correctness.
📝 Original message:
Hi All,
I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):
Signing:
X = X1 + X2
K1 = k1G
K2 = k2G
R = K1 + K2 + bX
e = hash(R||X||m)
e' = e + b
s = (k1 + e'*x1) + (k2 + e'*x2)
s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)
sG = (K1 + K2 + bX) + eX
sG = R + eX
Verification:
Rv = sG - eX
ev = hash(R||X||m)
e ?= ev
https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb
Been trying to get a review on this for a while, please let me know if I got it wrong!
BR,
moonsettler
------- Original Message -------
On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > Party 1 never learns the final value of (R,s1+s2) or m.
>
>
> Actually, it seems like a blinding step is missing. Assume the server (party 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> signature verification and then check c == c'? If true, then the server has the
> preimage for the c received from the client, including m.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
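As an added example (not the author's or the gist's code), the signing and verification equations above and the chain-scan check from the quoted reply, run over secp256k1 in pure Python. It assumes the flow the notation implies: the server (party 1) holds x1, k1 and only ever receives e'; the client (party 2) holds x2, k2 and the blinding factor b; points are encoded as x||y and hash() is SHA-256 reduced mod the group order.

```python
import hashlib
import secrets

# secp256k1 field prime, group order and generator (affine coordinates).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A=G):  # double-and-add scalar multiplication k*A (not constant time)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def h(R, X, m):  # e = hash(R || X || m) reduced to a scalar (assumed encoding: x||y, SHA-256)
    enc = lambda Pt: Pt[0].to_bytes(32, "big") + Pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + m).digest(), "big") % N

def blind_sign(m):
    """Two-party signing from the message; returns the signature and what the server saw."""
    x1, k1 = (secrets.randbelow(N - 1) + 1 for _ in range(2))     # server (party 1) secrets
    x2, k2, b = (secrets.randbelow(N - 1) + 1 for _ in range(3))  # client (party 2) secrets, b = blinding
    X = add(mul(x1), mul(x2))                   # X = X1 + X2
    R = add(add(mul(k1), mul(k2)), mul(b, X))   # R = K1 + K2 + bX
    e = h(R, X, m)
    e_blind = (e + b) % N                       # e' = e + b is all the server ever receives
    s1 = (k1 + e_blind * x1) % N                # server's partial signature
    s2 = (k2 + e_blind * x2) % N                # client's partial signature
    return X, R, (s1 + s2) % N, e_blind

def verify(X, R, s, m):  # sG == R + eX with e = hash(R||X||m)
    return mul(s) == add(R, mul(h(R, X, m), X))

def server_can_link(e_seen, X, R, m):  # the scan from the quoted reply: e_seen == hash(R||X||m)?
    return e_seen == h(R, X, m)
```

Because the server only sees e' = e + b, recomputing hash(R||X||m) from a published signature never matches what it received, which is the property the quoted reply said was missing.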