Thanks for your comments. > That side note reminds me of my first question: would it not be appropriate > to include a proof of the zero knowledgeness property of the scheme, and > not only the soundness? I can kind of accept the answer "it's trivial" > based on the structure of the partial sig components (s_k = r_k1 + br_k2 + > c_k x_k) being "identical" to baseline Schnorr?
That partial signatures do not leak information about the secret key x_k is implied by the security theorem for DahLIAS: If information would leak, the adversary could use that to win the unforgeability game. However, the adversary doesn't win the game unless the adversary solves the DL problem or finds a collision in hash function Hnon. > The side note also raises this point: would it be a good idea to explicitly > write down ways in which the usage of the scheme/structure can, and cannot, > be optimised for the single-party case? This is a very interesting point, probably out of scope for the paper. A single-party signer, given secret keys xi, ..., xn for public keys X1, ..., Xn can draw r at random, compute R := r*G and then set s := r + c1*x1 + ... + cn*xn. So this would only require a single group multiplication. > On that last point about "proof of knowledge of R", I suddenly realised > it's not a viable suggestion: of course it defends against key subtraction > attacks, but does not defend at all against the ability to grind nonces > adversarially in a Wagner type attack We believe Appendix B provides a helpful characterization of "Wagner-style" vulnerabilities. Roughly speaking, it shows that schemes where the adversary can ask the signer to produce a partial signature s = r + c*x or s' = r + c'*x such that c != c' then the scheme is vulnerable. In your "proof of knowledge of R idea", the adversary can choose to provide either R2 or R2' in a signing request, which would result in the same "effective nonce" r being used be the signer but different challenges c and c'. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f9e082e3-4079-40b6-aa49-5d1b9b3b1e29%40gmail.com.
