What is Nostr?
Tom Trevethan [ARCHIVE] /
npub1axs…yw7n
2023-08-08 14:20:52
in reply to nevent1q…xc9q

Tom Trevethan [ARCHIVE] on Nostr: 📅 Original date posted:2023-08-06 🗒️ Summary of this message: The blinded ...

📅 Original date posted:2023-08-06
🗒️ Summary of this message: The blinded statechain protocol has been updated to include mitigation against the Wagner attack by requiring verification of previous computed values by new statecoin owners.
📝 Original message:
A follow up to this, I have updated the blinded statechain protocol
description to include the mitigation to the Wagner attack by requiring the
server to send R1 values only after commitments made to the server of the
R2 values used by the user, and that all the previous computed c values are
verified by each new statecoin owner.
https://github.com/commerceblock/mercury/blob/master/layer/protocol.md

Essentially, the attack is possible because the server cannot verify that
the blinded challenge (c) value it has been sent by the user has been
computed honestly (i.e. c = SHA256(X1 + X2, R1 + R2, m) ), however this CAN
be verified by each new owner of a statecoin for all the previous
signatures.

Each time an owner cooperates with the server to generate a signature on a
backup tx, the server will require that the owner send a commitment to
their R2 value: e.g. SHA256(R2). The server will store this value before
responding with it's R1 value. This way, the owner cannot choose the value
of R2 (and hence c).

When the statecoin is received by a new owner, they will receive ALL
previous signed backup txs for that coin from the sender, and all the
corresponding R2 values used for each signature. They will then ask the
server (for each previous signature), the commitments SHA256(R2) and the
corresponding server generated R1 value and c value used. The new owner
will then verify that each backup tx is valid, and that each c value was
computed c = SHA256(X1 + X2, R1 + R2, m) and each commitment equals
SHA256(R2). This ensures that a previous owner could not have generated
more valid signatures than the server has partially signed.

On Thu, Jul 27, 2023 at 2:25 PM Tom Trevethan <tom at commerceblock.com> wrote:

>
> On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdnick at gmail.com> wrote:
>
>> No, proof of knowledge of the r values used to generate each R does not
>> prevent
>> Wagner's attack. I wrote
>>
>> > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>> > c[0] + ... + c[K-1] = c[K].
>>
>> You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
>> define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't
>> make
>> sense if he didn't.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230807/f1841d99/attachment.html>;
Author Public Key
npub1axshsyxsl3vasj4z9549rvwdvhjmh52fw0ayj3ghtmdezx8cnuxqlwyw7n