📅 Original date posted:2018-07-20 📝 Original message:That's a great point. It's ...

Erik Aronesty [ARCHIVE] /

npub1y22…taj0

2023-06-07 18:13:45

in reply to nevent1q…9r5z

📅 Original date posted:2018-07-20
📝 Original message:That's a great point. It's been solved in musig and that doesn't change
the m of n multisig construction.

You use the same musig construction where you hash all keys and sum the
multiples....and use that when computing k ... the shared blinding
factor.... you're still improving the system .... Getting a nice Shamir m
of n multisig.... with a single signature...and all the same properties
otherwise.

On Thu, Jul 19, 2018, 9:11 AM Russell O'Connor <roconnor at blockstream.io>
wrote:

> On Thu, Jul 19, 2018 at 8:16 AM, Erik Aronesty via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>> you can't birthday attack something where there's only a single variable
>> that you can modify.
>>
>
> When engaging in a multiparty signature, the attacker can more than one
> variable to modify. When you are party to a multi-party signature (for
> example, in some sort of coin-join protocol) it could be that every other
> participant in the multi-party signature is, in fact, the same single
> attacker representing themselves as multiple participants. This is how the
> attacker gets their hands on multiple variables.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180720/ee083e30/attachment-0001.html>;

Author Public Key

npub1y22yec0znyzw8qndy5qn5c2wgejkj0k9zsqra7kvrd6cd6896z4qm5taj0

Show more details

Published at

2023-06-07 18:13:45

Kind type

1 Short Text Note

Event JSON

{ "id": "e87d41e5e8788d8463483aab3aacf37bcbe89ae7cde285cec2da3e3b39e4b06c", "pubkey": "22944ce1e29904e3826d25013a614e4665693ec514003efacc1b7586e8e5d0aa", "created_at": 1686161625, "kind": 1, "tags": [ [ "e", "5913947cd80c78b94322af07aff87080ecda6ad2abd7e1bd4a8b9634dfe27fca", "", "root" ], [ "e", "40038472744b2551b07072f32caf6919b2bde8324b517fbf79f55cc9cb0b509f", "", "reply" ], [ "p", "6b8e77368804013d7126ba4b77c7963bcfeff909135791531097d7a0f03ca85d" ] ], "content": "📅 Original date posted:2018-07-20\n📝 Original message:That's a great point. It's been solved in musig and that doesn't change\nthe m of n multisig construction.\n\nYou use the same musig construction where you hash all keys and sum the\nmultiples....and use that when computing k ... the shared blinding\nfactor.... you're still improving the system .... Getting a nice Shamir m\nof n multisig.... with a single signature...and all the same properties\notherwise.\n\n\nOn Thu, Jul 19, 2018, 9:11 AM Russell O'Connor \u003croconnor at blockstream.io\u003e\nwrote:\n\n\u003e On Thu, Jul 19, 2018 at 8:16 AM, Erik Aronesty via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\u003e you can't birthday attack something where there's only a single variable\n\u003e\u003e that you can modify.\n\u003e\u003e\n\u003e\n\u003e When engaging in a multiparty signature, the attacker can more than one\n\u003e variable to modify. When you are party to a multi-party signature (for\n\u003e example, in some sort of coin-join protocol) it could be that every other\n\u003e participant in the multi-party signature is, in fact, the same single\n\u003e attacker representing themselves as multiple participants. This is how the\n\u003e attacker gets their hands on multiple variables.\n\u003e\n\u003e\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180720/ee083e30/attachment-0001.html\u003e", "sig": "8b2cd6101e038100a3f03214958c62b406ad4b8cfb1f0db5007d8bf7202fe98b25427e2471ff3e913059b4c98aa435fac7d04cbe3b14e95c8b140df4f3710042" }