Tom Trevethan [ARCHIVE] on Nostr
📅 Original date posted:2023-07-24
🗒️ Summary of this message: The sender is discussing with Jonas the need for a method to blind the value of c in order to prevent the server from learning the value of m.
📝 Original message:
Hi Jonas,
Seems you are right: for every tx, compute c from the on-chain data, and
the server can match the c to the m (tx). So there would need to be a
method for blinding the value of c.
On Mon, Jul 24, 2023 at 4:39 PM Jonas Nick <jonasdnick at gmail.com> wrote:
> > Party 1 never learns the final value of (R,s1+s2) or m.
>
> Actually, it seems like a blinding step is missing. Assume the server (party 1)
> received some c during the signature protocol. Can't the server scan the
> blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> signature verification and then check c == c'? If true, then the server has the
> preimage for the c received from the client, including m.
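The linkage check discussed in this exchange, as an added example that is not part of the original thread or of any project's code: a two-party Schnorr signing run in which the server sees only an unblinded c, followed by the scan over public signatures that recovers m. Assumptions: plain SHA-256 over compressed point encodings stands in for H (not the BIP340 tagged hash), R is taken as the sum of the two parties' nonce points, and all function names, secrets and messages are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def challenge(R, X, m):  # c = H(R||X||m), simplified encoding (assumption)
    enc = lambda pt: bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + m).digest(), "big") % N

def cosign(x1, x2, r1, r2, m):  # returns (c as seen by the server, final signature)
    X = mul((x1 + x2) % N, G)
    R = add(mul(r1, G), mul(r2, G))
    c = challenge(R, X, m)       # client sends c unblinded
    s1 = (r1 + c * x1) % N       # server's share; it is never told R, s or m
    s = (s1 + r2 + c * x2) % N   # client completes the signature
    return c, (R, s, X, m)

def verify(R, s, X, m):
    return mul(s, G) == add(R, mul(challenge(R, X, m), X))

def link(server_log, chain):  # recompute c' for each public signature, match logged c
    seen = set(server_log)
    return [m for (R, s, X, m) in chain if challenge(R, X, m) in seen]

def demo():  # constructed toy secrets and messages
    c_a, sig_a = cosign(11, 22, 33, 44, b"tx-A")
    _, sig_other = cosign(55, 66, 77, 88, b"tx-unrelated")
    return verify(*sig_a), link([c_a], [sig_other, sig_a])
```

`demo()` returns `(True, [b"tx-A"])`: the signature is valid, and the logged c alone is enough to pick out the message the server was not supposed to learn.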
Published at 2023-07-27 00:26:33