📅 Original date posted:2021-05-15
📝 Original message:We have some taproot address with private key "a" and public key "a*G", owned by Alice. Bob wants to take Alice's coins without her permission. He owns taproot address with private key "b" and public key "b*G". He knows "a*G" by exploring the chain and looking for P2TR outputs. To grab Alice's funds, he creates "(b-a)*G" taproot address and send some small amount to this address. Then, Bob can create a transaction with two inputs, taking coins from "a*G" and "(b-a)*G" addresses. All that is needed is producing a signature matching the sum of the public keys used in taproot, which is "(a+b-a)*G", reduced to "b*G", so Bob uses his "b" private key to produce Schnorr signature. Is there any protection from this attack?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210515/9b58f6eb/attachment.html>;
vjudeu [ARCHIVE] /
npub1mx…nqexn
2023-06-07 22:53:36
in reply to nevent1q…8xnu
Author Public Key
npub1mxz2kkpp4z07x65rxwr6gsksd9cnwn0q22lx874t63dh6uulsy7qxnqexnPublished at
2023-06-07 22:53:36Event JSON
{
"id": "37ef6cbad5d2c2da96937aa9ef62bddd0ee1940974069b3a6561f420cfaddbf8",
"pubkey": "d984ab5821a89fe36a833387a442d06971374de052be63faabd45b7d739f813c",
"created_at": 1686178416,
"kind": 1,
"tags": [
[
"e",
"e74498ee529b2b84d2ef2c40bb63f1994cc2169342c25a226bfe93c9597cc2e8",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2021-05-15\n📝 Original message:We have some taproot address with private key \"a\" and public key \"a*G\", owned by Alice. Bob wants to take Alice's coins without her permission. He owns taproot address with private key \"b\" and public key \"b*G\". He knows \"a*G\" by exploring the chain and looking for P2TR outputs. To grab Alice's funds, he creates \"(b-a)*G\" taproot address and send some small amount to this address. Then, Bob can create a transaction with two inputs, taking coins from \"a*G\" and \"(b-a)*G\" addresses. All that is needed is producing a signature matching the sum of the public keys used in taproot, which is \"(a+b-a)*G\", reduced to \"b*G\", so Bob uses his \"b\" private key to produce Schnorr signature. Is there any protection from this attack?\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210515/9b58f6eb/attachment.html\u003e",
"sig": "6848bcf2331ec13ec9ee16197b5ff640aed58cad77461cfe4d90955c86122e8a51b8f8305e6de976640592af6a26f71275434cf62323d19dab2bebbdfd2c202e"
}