Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted:2018-07-09
📝 Original message:On Mon, Jul 9, 2018 at 4:33 PM, Erik Aronesty <erik at q32.com> wrote:
>>> with security assumptions that match the original Schnorr construction more closely,
>> More closely than what?
> More closely than musig.
MuSig is instructions on using the original Schnorr construction for
multiparty signing which is secure against participants adaptively
choosing their keys, which is something the naive scheme of just
interpolating keys and shares is vulnerable to. It works as
preprocessing on the keys, then you continue on with the naive
protocol. The verifier (e.g. network consensus rules) is the same.
Now that you're back to using a cryptographic hash, I think what
you're suggesting is "use naive interpolation of Schnorr signatures"
-- which you can do, including with the verifier proposed in the BIP,
but doing that alone is insecure against adaptive key choice (and
potentially adaptive R choice, depending on specifics which aren't
clear enough to me in your description). In particular, although it
seems surprising, picking your interpolation locations with the hash of
each key isn't sufficient to prevent cancellation attacks due to the
remarkable power of Wagner's algorithm.
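Added illustration of the distinction drawn in the message above (this is not code from the message, the BIP, or MuSig's own implementation): on secp256k1, the naive key sum versus MuSig's hashed-coefficient key preprocessing, when the second party chooses its key only after seeing the honest key. Both aggregates are ordinary points, so the verifier is unchanged; the key values and function names are constructed for the example.

```python
import hashlib
# secp256k1, the curve the Schnorr BIP under discussion uses
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(P, Q):  # affine addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0: return None              # Q == -P
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p      # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def ec_mul(k, P):  # double-and-add scalar multiplication
    R, k = None, k % n
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R
def ec_neg(P): return None if P is None else (P[0], -P[1] % p)
def ser(P): return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
def h_int(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % n
def naive_aggregate(pubkeys):  # plain sum of keys: the "naive interpolation" aggregate
    agg = None
    for P in pubkeys: agg = ec_add(agg, P)
    return agg
def musig_coefficients(pubkeys):  # MuSig preprocessing: a_i = H(L || P_i), L = H(all keys)
    L = hashlib.sha256(b"".join(ser(P) for P in pubkeys)).digest()
    return [h_int(L, ser(P)) for P in pubkeys]
def musig_aggregate(pubkeys):  # sum of a_i * P_i; still an ordinary key for the same verifier
    agg = None
    for a, P in zip(musig_coefficients(pubkeys), pubkeys): agg = ec_add(agg, ec_mul(a, P))
    return agg

def adaptive_key_demo():
    # Constructed keys: the honest signer publishes P1 first; the other party picks
    # its key only after seeing P1 (the adaptive key choice the message describes).
    x1, x2 = h_int(b"constructed honest key"), h_int(b"constructed adaptive key")
    P1 = ec_mul(x1, G)
    P2 = ec_add(ec_mul(x2, G), ec_neg(P1))          # announced key: x2*G - P1
    a1, a2 = musig_coefficients([P1, P2])
    return {  # naive: the aggregate is x2*G, whose secret only the adaptive party holds
        "naive_collapses_to_x2G": naive_aggregate([P1, P2]) == ec_mul(x2, G),
        # MuSig: the aggregate is (a1 - a2)*P1 + a2*x2*G, so P1 cancels only if a1 == a2
        "musig_collapses_to_x2G": musig_aggregate([P1, P2]) == ec_mul(a2 * x2, G)}
```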