Original date posted: 2023-07-26
Summary of this message: The proposed construction may achieve blinding, but it does not prevent forgeries by a client who controls the challenge e'; this is the same weakness that makes the original blind Schnorr signatures insecure. Recent work on blind Schnorr signatures proposes alternative approaches.
Original message:
While this may solve blinding, I don't see how it solves the problem that the
client can forge signatures because the client is in control of challenge e'.
This is not special to MuSig(2), but is also the reason why original blind
Schnorr signatures are insecure (as demonstrated in David Wagner's "A
Generalized Birthday Problem" paper).
For some more recent work on blind Schnorr signatures, see:
- https://eprint.iacr.org/2019/877.pdf Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model
- https://eprint.iacr.org/2020/1071.pdf On Pairing-Free Blind Signature Schemes in the Algebraic Group Model
In particular, the first paper proposes a less-efficient variant of blind
Schnorr signatures that is secure under concurrent signing if the "mROS" problem
is hard (which is imho plausible). Another potential approach is using
commitments and a ZKP as I mentioned earlier in this thread. This scheme is
"folklore", in the sense that it is being discussed from time to time but isn't
specified and does not have a security proof as far as I am aware.
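To make concrete what "the client is in control of challenge e'" buys an attacker, here is an added toy demonstration (not code from this thread or from any of the papers cited) of the classic blind Schnorr protocol together with the polynomial-time ROS attack on it: a client who opens ell = log2(q) signing sessions in parallel, and who is the one picking the challenges sent back to the signer, walks away with ell + 1 valid signatures. It assumes the textbook blind Schnorr scheme (signer sends R = rG, answers s = r + c*x; user blinds with R' = R + aG + bX and c = H(R', m) + b), a tiny Schnorr subgroup of Z_p^* built at import time, SHA-256 reduced mod q as H, and a seeded random.Random purely for reproducibility; none of the parameters are real-world sizes.

```python
import hashlib
import random

def is_prime(n):
    """Trial division; fine for the ~24-bit toy modulus used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_group(bits=24):
    """Toy Schnorr group: q prime, p = 2q + 1 prime, g = 4 has order q mod p."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a square != 1 mod p, so its order is q

P, Q, G = make_group()
NBYTES = (P.bit_length() + 7) // 8

def add(A, B):  # group law, written additively (R + aG) in the thread
    return A * B % P

def mul(k, A):  # scalar multiplication k*A
    return pow(A, k % Q, P)

def H(R, msg):  # challenge hash e' = H(R', m), reduced into Z_q (assumption)
    return int.from_bytes(hashlib.sha256(R.to_bytes(NBYTES, "big") + msg).digest(), "big") % Q

class Signer:
    """Classic blind Schnorr signer: sends R = rG, later answers s = r + c*x."""

    def __init__(self, rng):
        self.rng, self.x = rng, rng.randrange(1, Q)
        self.X, self.sessions, self.next_id = mul(self.x, G), {}, 0

    def open(self):
        sid, r = self.next_id, self.rng.randrange(1, Q)
        self.sessions[sid], self.next_id = r, sid + 1
        return sid, mul(r, G)

    def sign(self, sid, c):
        return (self.sessions.pop(sid) + c * self.x) % Q  # one answer per session

def verify(X, msg, sig):
    R_, s = sig
    return mul(s, G) == add(R_, mul(H(R_, msg), X))

def honest_user(signer, msg, rng):
    """Honest blinding: R' = R + aG + bX, c = H(R', m) + b; the signer never sees e'."""
    sid, R = signer.open()
    a, b = rng.randrange(Q), rng.randrange(Q)
    R_ = add(add(R, mul(a, G)), mul(b, signer.X))
    return R_, (signer.sign(sid, (H(R_, msg) + b) % Q) + a) % Q

def ros_attack(signer, rng):
    """ell parallel sessions -> ell + 1 valid signatures (polynomial ROS solver)."""
    ell = Q.bit_length()  # 2^ell > q, so any y in Z_q fits in ell bits
    opened = [signer.open() for _ in range(ell)]
    cand = []  # per session i: two candidate closings (a, R', m, c), one per bit b
    for i, (_, R) in enumerate(opened):
        opts = []
        while len(opts) < 2:
            a, m = rng.randrange(Q), b"forgery %d/%d" % (i, len(opts))
            R_ = add(R, mul(a, G))  # b = 0 here: the signer even sees a genuine H value
            c = H(R_, m)
            if not opts or opts[0][3] != c:  # need c_i^0 != c_i^1 to invert below
                opts.append((a, R_, m, c))
        cand.append(opts)
    # rho_i = 2^i / (c_i^1 - c_i^0), so sum_i rho_i * c_i^{b_i} = K + sum_i b_i * 2^i
    rho = [pow(2, i, Q) * pow((o[1][3] - o[0][3]) % Q, -1, Q) % Q for i, o in enumerate(cand)]
    a_x = rng.randrange(Q)
    R_x = mul(a_x, G)
    for r_i, (_, R) in zip(rho, opened):  # R_{ell+1}' = a_x*G + sum_i rho_i*R_i
        R_x = add(R_x, mul(r_i, R))
    m_x = b"signature number ell+1"
    K = sum(r_i * o[0][3] for r_i, o in zip(rho, cand))
    y = (H(R_x, m_x) - K) % Q
    bits = [(y >> i) & 1 for i in range(ell)]  # the bits decide how each session closes
    sigs, s_list = [], []
    for (sid, _), o, b in zip(opened, cand, bits):
        a, R_, m, c = o[b]
        s = signer.sign(sid, c)  # the client, not the signer, picked this challenge
        s_list.append(s)
        sigs.append((m, (R_, (s + a) % Q)))
    s_x = (a_x + sum(r_i * s_i for r_i, s_i in zip(rho, s_list))) % Q
    sigs.append((m_x, (R_x, s_x)))
    return sigs

def run_demo(seed=1):
    rng = random.Random(seed)  # reproducible toy randomness, not a CSPRNG
    signer = Signer(rng)
    honest_ok = verify(signer.X, b"honest", honest_user(signer, b"honest", rng))
    forged = ros_attack(signer, rng)
    return honest_ok, Q.bit_length(), sum(verify(signer.X, m, s) for m, s in forged)
```

Calling run_demo() returns (True, 24, 25): the honest blinded signature verifies, the attacker ran 24 concurrent sessions and holds 25 signatures that all pass verify(). The point the message makes is visible in ros_attack: every challenge the signer answers is chosen by the client, after it has seen all the R_i, and the last forgery's challenge is fixed before the bits that close the other sessions are selected. The honest user's beta-blinding is not even needed for the attack, so fixing "blinding" alone does not fix this.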