[bitcoin-dev] Fwd: Blinded 2-party Musig2
@Jonas OK, thanks, I get the logic now. I believe this attack can be mitigated (at least in the case of using this scheme for statechains) by the receiver of a coin verifying the construction of all previous challenges. So in this case, the sender of a coin would record R2[K-1] in addition to m (and any c blinding nonce used) for the signature it generates with the server. It would then send this (and all previous R2 values i = 0, ..., K-2) to the receiver. The receiver would then query the server for the full set (i = 0, ..., K-1) of R1[i] values it has generated, and the corresponding (blinded) c[i] values used for each co-signing it has performed on this key. The receiver would then verify that each previous c[i] (i = 0, ... K-1) has been correctly formed and includes the server generated R1[i]. If any of the c values fail to verify against the values of R1 provided by the server, then the coin is invalid. On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick wrote: > No, proof of knowledge of the r values used to generate each R does not > prevent > Wagner's attack. I wrote > > > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that > >c[0] + ... + c[K-1] = c[K]. > > You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and > define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't > make > sense if he didn't. > ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Blinded 2-party Musig2
No, proof of knowledge of the r values used to generate each R does not prevent Wagner's attack. I wrote > Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that >c[0] + ... + c[K-1] = c[K]. You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make sense if he didn't. ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Blinded 2-party Musig2
A reasonable attack scenario might be: attacker gains control of client machine and its privkey, wants to extract money. It first operates passively, waiting for user to do 2FA on a normal transaction, only modifying the nonce used in order to achieve its goal. Then, after that 1 transaction goes through, it gets the server privkey as above, and so 2FA is no longer needed to steal the remainder of the money. Or did I miss some part of the setup? Sent with Proton Mail secure email. --- Original Message --- On Wednesday, July 26th, 2023 at 13:28, moonsettler via bitcoin-dev wrote: > Yes, thank you! > > There I assume if someone has your private key, and can satisfy the 2FA, he > will just steal your coins, and not bother with extracting the co-signers key > that is specific to you. I can see, how this assumption is not useful > generally. > > BR, > moonsettler > > Sent with Proton Mail secure email. > > > --- Original Message --- > On Wednesday, July 26th, 2023 at 9:19 PM, AdamISZ adam...@protonmail.com > wrote: > > > > > It's an interesting idea for a protocol. If I get it right, your basic idea > > here is to kind of "shoehorn" in a 2FA authentication, and that the > > blind-signing server has no other function than to check the 2FA? > > > > This makes it different from most uses of blind signing, where counting the > > number of signatures matters (hence 'one more forgery etc). Here, you are > > just saying "I'll sign whatever the heck you like, as long as you're > > authorized with this 2FA procedure". > > > > Going to ignore the details of practically what that means - though I'm > > sure that's where most of the discussion would end up - but just looking at > > your protocol in the gist: > > > > It seems you're not checking K values against attacks, so for example this > > would allow someone to extract the server's key from one signing: > > > > 1 Alice, after receiving K2, sets K1 = K1' - K2, where the secret key of > > K1' is k1'. > > 2 Chooses b as normal, sends e' as normal. > > 3 Receiving s2, calculate s = s1 + s2 as normal. > > > > So since s = k + ex = (k' + bx) + ex = k' + e'x, and you know s, k' and e', > > you can derive x. Then x2 = x - x1. > > > > (Gist I'm referring to: > > https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb) > > > > Sent with Proton Mail secure email. > > > > --- Original Message --- > > On Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev > > bitcoin-dev@lists.linuxfoundation.org wrote: > > > > > Hi All, > > > > > > I believe it's fairly simple to solve the blinding (sorry for the bastard > > > notation!): > > > > > > Signing: > > > > > > X = X1 + X2 > > > K1 = k1G > > > K2 = k2G > > > > > > R = K1 + K2 + bX > > > e = hash(R||X||m) > > > > > > e' = e + b > > > s = (k1 + e'*x1) + (k2 + e'*x2) > > > s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2) > > > > > > sG = (K1 + K2 + bX) + eX > > > sG = R + eX > > > > > > Verification: > > > > > > Rv = sG - eX > > > ev = hash(R||X||m) > > > e ?= ev > > > > > > https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb > > > > > > Been trying to get a review on this for a while, please let me know if I > > > got it wrong! > > > > > > BR, > > > moonsettler > > > > > > --- Original Message --- > > > On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev > > > bitcoin-dev@lists.linuxfoundation.org wrote: > > > > > > > > Party 1 never learns the final value of (R,s1+s2) or m. > > > > > > > > Actually, it seems like a blinding step is missing. Assume the server > > > > (party 1) > > > > received some c during the signature protocol. Can't the server scan the > > > > blockchain for signatures, compute corresponding hashes c' = H(R||X||m) > > > > as in > > > > signature verification and then check c == c'? If true, then the server > > > > has the > > > > preimage for the c received from the client, including m. > > > > ___ > > > > bitcoin-dev mailing list > > > > bitcoin-dev@lists.linuxfoundation.org > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > > > ___ > > > bitcoin-dev mailing list > > > bitcoin-dev@lists.linuxfoundation.org > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > ___ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Blinded 2-party Musig2
Hello all, 1. No proof of knowledge of each R does *NOT* prevent wagner's attack. 2. In my mind, A generic blind signing service is sufficient for doing blinded MuSig, Muig2, FROST or whatever without the blind signing service knowing. You don't need a specialized MuSig2 blind singing service to extract MuSig2 compatible shares from it. You can just add the MuSig tweak (and/or BIP32 etc) to their key when you do the blind signing request (this seemed to be what the OP was suggesting). Making the server have multiple nonces like in MuSig2 proper doesn't help the server's security at all. I think the problem is simply reduced to creating a secure blind schnorr signing service. Jonas mentioned some papers which show how to do that. The question is mostly about whether you can practically integrate those tricks into your protocol which might be tricky. LL On Thu, 27 Jul 2023 at 08:20, Erik Aronesty via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > correct. you cannot select R if it is shipped with a POP > > On Wed, Jul 26, 2023, 4:35 PM Tom Trevethan wrote: > >> Not 'signing' but 'secret' i.e. the r values (ephemeral keys). Proof of >> knowledge of the r values used to generate each R used prevents the Wagner >> attack, no? >> >> On Wed, Jul 26, 2023 at 8:59 PM Jonas Nick wrote: >> >>> None of the attacks mentioned in this thread so far (ZmnSCPxj mentioned >>> an >>> attack on the nonces, I mentioned an attack on the challenge c) can be >>> prevented >>> by proving knowledge of the signing key (usually known as proof of >>> possession, >>> PoP). >>> >> ___ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Concern about "Inscriptions".
> not taking action against these inscription could be interpreted by spammers > as tacit acceptance of their practice. Note that some people, even on this mailing list, do not consider Ordinals as spam: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021464.html See? It was discussed when it started. Some people believe that blocking Ordinals is censorship, and could lead to blocking regular transactions in the future, just based on other criteria. That means, even if developers would create some official version with that option, then some people would not follow them, or even block Ordinals-filtering nodes, exactly as described in the linked thread: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021487.html > as spammers might perceive that the Bitcoin network tolerates this kind of > behavior But it is true, you have the whole pages, where you can find images, files, or other data, that was pushed on-chain long before Ordinals. The whole whitepaper was uploaded just on 1-of-3 multisig outputs, see transaction 54e48e5f5c656b26c3bca14a8c95aa583d07ebe84dde3b7dd4a78f4e4186e713. You have the whole altcoins that are connected to Bitcoin by using part of the Bitcoin's UTXO set as their database. That means, as long as you won't solve IBD problem and UTXO set growing problem, you will go nowhere, because if you block Ordinals specifically, people won't learn "this is bad, don't do that", they could read it as "use the old way instead", as long as you won't block all possible ways. And doing that, requires for example creating new nodes, without synchronizing non-consensus data, like it could be done in "assume UTXO" model. Also note that as long as people use Taproot to upload a lot of data, you can still turn off the witness, and become a pre-Segwit node. But if you block those ways, then people will push data into legacy parts, and then you will need more code to strip it correctly. The block 774628 maybe contains almost 4 MB of data from the perspective of Segwit node, but the legacy part is actually very small, so by turning witness off, you can strip it to maybe just a few kilobytes. > I want to emphasize that my proposal does not involve implementing a soft > fork in any way. On the contrary, what I am asking is simply to consider > adding a standardization option. This option would allow the community to > freely decide whether it should be activated or not. 1. Without a soft-fork, those data will be pushed by mining pools anyway, as it happened in the block 774628. 2. Adding some settings won't help, as most people use the default configuration. For example, people can configure their nodes to allow free transactions, without recompiling anything. The same with disabling dust amounts. But good luck finding a node in the wild that does anything unusual. 3. This patch produced by Luke Dashjr does not address all cases. You could use "OP_TRUE OP_NOTIF" instead of "OP_FALSE OP_IF" used by Ordinals, and easily bypass those restrictions. This will be just a cat and mouse game, where spammers will even use P2PK, if they will be forced to. The Pandora's box is already opened, that fix could be good for February or March, but not now. On 2023-07-26 11:47:09 user leo...@orangepill.ovh wrote: > I understand your point of view. However, inscription represent by far the > largest spam attack due to their ability to embed themselves in the witness > with a fee reduction. Unlike other methods, such as using the op_return field which could also be used to spam the chain, the associated fees and the standardization rule limiting op_return to 80 bytes have so far prevented similar abuses. Although attempting to stop inscription could lead to more serious issues, not taking action against these inscription could be interpreted by spammers as tacit acceptance of their practice. This could encourage more similar spam attacks in the future, as spammers might perceive that the Bitcoin network tolerates this kind of behavior. I want to emphasize that my proposal does not involve implementing a soft fork in any way. On the contrary, what I am asking is simply to consider adding a standardization option. This option would allow the community to freely decide whether it should be activated or not. > Le 26 juil. 2023 à 07:30, vju...@gazeta.pl a écrit : > >> and I would like to understand why this problem has not been addressed more >> seriously > > Because if nobody has any good solution, then status quo is preserved. If > tomorrow ECDSA would be broken, the default state of the network would be > "just do nothing", and every solution would be backward-compatible with that > approach. Burn old coins, and people will call it "Tether", redistribute > them, and people will call it "BSV". Leave everything untouched, and the > network will split into N parts, and then you pick the strongest chain to > decide, what
