Jonas Nick [ARCHIVE] on Nostr: 📅 Original date posted:2023-07-27 🗒️ Summary of this message: Proof of ...
📅 Original date posted:2023-07-27
🗒️ Summary of this message: Proof of knowledge of the r values used in Wagner's attack does not prevent the attack. The attacker chooses the r values.
📝 Original message:
No, proof of knowledge of the r values used to generate each R does not prevent
Wagner's attack. I wrote
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
> c[0] + ... + c[K-1] = c[K].
You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
defining R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make
sense if he didn't.
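
The point of the message, as an added example that is not part of the original post or of any project's code: a party that selects its nonce by choosing the scalar r always knows r, so a Schnorr proof of knowledge for R = r*G verifies no matter what property R was selected for. The toy group parameters, the function names and the `wanted` predicate are assumptions made for illustration; the predicate is a constructed stand-in and not Wagner's algorithm.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: P = 2*Q + 1 and
# G has order Q. pow(G, r, P) plays the role of r*G in the message.
P, Q, G = 2039, 1019, 4

def h(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove_knowledge(r):
    """Fiat-Shamir Schnorr proof of knowledge of r for R = r*G."""
    R = pow(G, r, P)
    k = secrets.randbelow(Q - 1) + 1
    A = pow(G, k, P)
    s = (k + (h(R, A) % Q) * r) % Q
    return R, (A, s)

def verify_knowledge(R, proof):
    A, s = proof
    return pow(G, s, P) == (A * pow(R, h(R, A) % Q, P)) % P

def wanted(R):
    # Hypothetical stand-in for "R has the property its chooser is after".
    return h("tag", R) % 8 == 0

def choose_nonce_with_proof():
    """Sample scalars r until R = r*G is wanted, then prove knowledge of r."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        if wanted(pow(G, r, P)):
            return prove_knowledge(r)

def demo(count=5):
    picked = [choose_nonce_with_proof() for _ in range(count)]
    return all(wanted(R) and verify_knowledge(R, pf) for R, pf in picked)

if __name__ == "__main__":
    print("all selected nonces carry valid proofs:", demo())
```

The verifier's check only fails when the prover does not know the discrete log of R, which never happens for a nonce built as r*G from a chosen r.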