π
Original date posted:2018-11-28
π Original message:> For deterministic nonces, you generate r=H(p,m) based on the message
> being signed and your private key, so can only start this process when
> you start signing, and the sharing rounds mean interactivity.
It's not your point but it should be noted that this is not secure unless all
other signers give you zero knowledge proof that they've generated their nonce
in the same way. Otherwise, if your asked to sign the same message you'll use
the same nonce for two different challenges. In your example you'd compute
s=r+H(R',P',m)*p and s'=r+H(R'',P',m)*p from which an observer can compute the
secret key p.
On 11/28/18 10:49 AM, Anthony Towns via bitcoin-dev wrote:
> On Tue, Nov 27, 2018 at 10:33:30PM -0800, Devrandom via bitcoin-dev wrote:
>> Are there any candidates for non-interactive threshold signatures?Β Interactive
>> signatures are not very suitable for air-gapped use cases.
>
> I think you can work around this to some extent by "batching" signing
> requests.
>
> (Background:
>
> For interactive multisignatures (threshold or not), the protocol is:
>
> produce secret nonce r, calculate public nonce R=r*G
> everyone shares H(R)
> everyone shares R, checks received values match received hashes
> everyone calculates s=r+H(R',P',m)*p, shares s
>
> For deterministic nonces, you generate r=H(p,m) based on the message
> being signed and your private key, so can only start this process when
> you start signing, and the sharing rounds mean interactivity.
>
> )
>
> But you don't strictly need deterministic nonces, you just have to never
> use the same nonce with a different message. If you arrange to do that
> by keeping some state instead, you can calculate nonces in advance:
>
> phase 1:
> produce secret nonces r1..r1024, calculate R1..R1024
> share H(R1)..H(R1024)
>
> phase 2:
> store other parties hashes, eg as H1..H1024
> share R1..R1024
>
> phase 3:
> check received nonces match, ie H(R1)=H1, etc
>
> phase 4:
> request to sign msg m, with nonce n
> if nonce n has already been used, abort
> mark nonce n as having being used
> lookup other signer's nonces n and sum them to get R'
> calculate s = rn + H(R',P',m)*p
> share s
>
> That way you could do phases 1-3 once, and then do 1024 signatures during
> the month on whatever your current timetable is.
>
> You could also combine these phases, so when you get a signing request you:
>
> * receive msg to sign m, n=4; everyone else's R4, H(R5)
>
> * check H(R4) = previously received "H(R4)"
> * calculate R4' by summing up your and everyone's R4s
> * bump state to n=5
> * do the signature...
>
> * send sig=(s,R4), R5, H(R6)
>
> which would let you have an untrusted app that does the coordination and
> shares the nonces and nonce-hashes, and getting all the needed air-gapped
> communication in a single round. (This is effectively doing phase 3 and
> 4 for the current signature, phase 2 for the next signature, and phase
> 1 for the signature after that all in one round of communication)
>
> That seems almost as good as true non-interactivity to me, if your signing
> hardware is capable of securely storing (and updating) a few kB of state
> (which is probably not quite as easy as it sounds).
>
> Cheers,
> aj
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
Jonas Nick [ARCHIVE] /
npub1atβ¦y3z5a
2023-06-07 18:15:23
in reply to nevent1qβ¦6hy7
Author Public Key
npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5aPublished at
2023-06-07 18:15:23Event JSON
{
"id": "3ddc25c804589af684190294035261077c9ae16fc139fca37173a9cd6506eef0",
"pubkey": "eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f",
"created_at": 1686161723,
"kind": 1,
"tags": [
[
"e",
"cd7e024950034674de771ae97f0f4a7d697cc0813c8ea05376c31db3ca1405a1",
"",
"root"
],
[
"e",
"f17498c8b894805aa8d5f1f7390a74a66c0ffd179803915f8a9ce2c895d6cce5",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "π
Original date posted:2018-11-28\nπ Original message:\u003e For deterministic nonces, you generate r=H(p,m) based on the message\n\u003e being signed and your private key, so can only start this process when\n\u003e you start signing, and the sharing rounds mean interactivity.\n\nIt's not your point but it should be noted that this is not secure unless all\nother signers give you zero knowledge proof that they've generated their nonce\nin the same way. Otherwise, if your asked to sign the same message you'll use\nthe same nonce for two different challenges. In your example you'd compute\ns=r+H(R',P',m)*p and s'=r+H(R'',P',m)*p from which an observer can compute the\nsecret key p.\n\nOn 11/28/18 10:49 AM, Anthony Towns via bitcoin-dev wrote:\n\u003e On Tue, Nov 27, 2018 at 10:33:30PM -0800, Devrandom via bitcoin-dev wrote:\n\u003e\u003e Are there any candidates for non-interactive threshold signatures?Β Interactive\n\u003e\u003e signatures are not very suitable for air-gapped use cases.\n\u003e \n\u003e I think you can work around this to some extent by \"batching\" signing\n\u003e requests.\n\u003e \n\u003e (Background:\n\u003e \n\u003e For interactive multisignatures (threshold or not), the protocol is:\n\u003e \n\u003e produce secret nonce r, calculate public nonce R=r*G\n\u003e everyone shares H(R)\n\u003e everyone shares R, checks received values match received hashes\n\u003e everyone calculates s=r+H(R',P',m)*p, shares s\n\u003e \n\u003e For deterministic nonces, you generate r=H(p,m) based on the message\n\u003e being signed and your private key, so can only start this process when\n\u003e you start signing, and the sharing rounds mean interactivity.\n\u003e \n\u003e )\n\u003e \n\u003e But you don't strictly need deterministic nonces, you just have to never\n\u003e use the same nonce with a different message. If you arrange to do that\n\u003e by keeping some state instead, you can calculate nonces in advance:\n\u003e \n\u003e phase 1:\n\u003e produce secret nonces r1..r1024, calculate R1..R1024\n\u003e share H(R1)..H(R1024)\n\u003e \n\u003e phase 2:\n\u003e store other parties hashes, eg as H1..H1024\n\u003e share R1..R1024\n\u003e \n\u003e phase 3:\n\u003e check received nonces match, ie H(R1)=H1, etc\n\u003e \n\u003e phase 4:\n\u003e request to sign msg m, with nonce n\n\u003e if nonce n has already been used, abort\n\u003e mark nonce n as having being used\n\u003e lookup other signer's nonces n and sum them to get R'\n\u003e calculate s = rn + H(R',P',m)*p\n\u003e share s\n\u003e \n\u003e That way you could do phases 1-3 once, and then do 1024 signatures during\n\u003e the month on whatever your current timetable is.\n\u003e \n\u003e You could also combine these phases, so when you get a signing request you:\n\u003e \n\u003e * receive msg to sign m, n=4; everyone else's R4, H(R5)\n\u003e \n\u003e * check H(R4) = previously received \"H(R4)\"\n\u003e * calculate R4' by summing up your and everyone's R4s\n\u003e * bump state to n=5\n\u003e * do the signature...\n\u003e \n\u003e * send sig=(s,R4), R5, H(R6)\n\u003e \n\u003e which would let you have an untrusted app that does the coordination and\n\u003e shares the nonces and nonce-hashes, and getting all the needed air-gapped\n\u003e communication in a single round. (This is effectively doing phase 3 and\n\u003e 4 for the current signature, phase 2 for the next signature, and phase\n\u003e 1 for the signature after that all in one round of communication)\n\u003e \n\u003e That seems almost as good as true non-interactivity to me, if your signing\n\u003e hardware is capable of securely storing (and updating) a few kB of state\n\u003e (which is probably not quite as easy as it sounds).\n\u003e \n\u003e Cheers,\n\u003e aj\n\u003e \n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e",
"sig": "06450c661e63b3fbaf4c12cc935611958d212ca1d95e7b5b8e7409628e7070a751038ac99155fc70a1996d111f63b1bbe5598943d59d943a737076b2f28e202f"
}