Adam Back [ARCHIVE] on Nostr: 📅 Original date posted:2018-07-11 📝 Original message:On Wed, Jul 11, 2018, ...
📅 Original date posted:2018-07-11
📝 Original message:
On Wed, Jul 11, 2018, 02:42 Erik Aronesty via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> Basically you're just replacing addition with interpolation everywhere in
> the musig construction
Yes, but you can't do that without a delinearization mechanism to prevent
adaptive public key choice being used to break the scheme using Wagner's
attack. It is not specific to addition, it is a generalized birthday attack.
Look at the delinearization mechanism for an intuition, all public keys are
hashed along with per value hash, so that pre-commits and forces the public
keys to be non-adaptively chosen.
Adaptively chosen public keys are dangerous and simple to exploit; for
example, with pub keys A+B, add party C': he chooses C=C'-A-B, and now we can
sign for A+B+C using the adaptively chosen public key C.
Btw Wagner also breaks this earlier delinearization scheme
S=H(A)*A+H(B)*B+H(C)*C
Adam
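As an added illustration (example code written for this archive page, not from the post or from any MuSig implementation), the following runs the adaptive-key cancellation Adam describes, C = C' - A - B, against both a plain key sum and a MuSig-style delinearized sum with coefficients H(L || X_i). It assumes a toy multiplicative group mod the Mersenne prime 2^127 - 1 with generator 3 in place of secp256k1, so "adding" keys is multiplying them; the function names are mine.

```python
import hashlib
import secrets

# Toy group: Z_p^* with p = 2^127 - 1 (a Mersenne prime) and generator g = 3,
# standing in for secp256k1 (assumption: chosen for this example, not for
# real use). A public key is X = g^x mod p, and the post's "A+B" is a product.
P = (1 << 127) - 1
Q = P - 1  # exponents live modulo the group order p - 1
G = 3

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def naive_aggregate(pubkeys):
    """Plain key sum (A+B+C in the post): the aggregation an adaptive key breaks."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % P
    return agg

def coefficient(pubkeys, X):
    """MuSig-style delinearization: a_i = H(L || X_i) with L = all keys, sorted."""
    h = hashlib.sha256()
    for Y in sorted(pubkeys):
        h.update(Y.to_bytes(16, "big"))
    h.update(X.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def delinearized_aggregate(pubkeys):
    """Sum of a_i * X_i: every coefficient commits to the full key list."""
    agg = 1
    for X in pubkeys:
        agg = agg * pow(X, coefficient(pubkeys, X), P) % P
    return agg

def adaptive_key(honest_pubkeys, c_prime):
    """C = C' - A - B from the post, chosen after seeing A and B."""
    inv = pow(naive_aggregate(honest_pubkeys), -1, P)
    return pow(G, c_prime, P) * inv % P

def demo():
    """Returns whether each aggregation collapses to a key C' only party C knows."""
    _, A = keygen()
    _, B = keygen()
    c_prime, C_prime = keygen()
    C = adaptive_key([A, B], c_prime)
    return {"naive_is_controlled": naive_aggregate([A, B, C]) == C_prime,
            "delinearized_is_controlled": delinearized_aggregate([A, B, C]) == C_prime}
```

With the plain sum the aggregate is exactly C', whose secret only party C holds; with the delinearized sum, changing C changes L and therefore every coefficient, so the cancellation no longer lines up.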
Published at 2023-06-07 18:13:43