pull down to refresh
10 sats \ 0 replies \ @netstatic 22 Jul 2023
There's a good video from Bitcoin Optech that covers this for anyone interested in learning more. The video is really about musig though, which is a method for signature aggregation that does not suffer from this attack.
Link: https://youtu.be/5MbTptrXEC4
reply
0 sats \ 0 replies \ @AyCaramba 22 Jul 2023
Nice explanation thanks!!!
I remember a lecture in youtube where Tadge D. explained that but I failed to understand at the time.
reply
0 sats \ 0 replies \ @l0k18 22 Jul 2023
The mitigation obviously must be that both send an encrypted form of their signature and then they send the unlocks and combine them. Both should agree. I think this is called a "commitment".
The encryption would be based on an ECDH shared secret, they have to first share a public key, generate a random private key, generate a secret with the other side's public key, send the encrypted packet, wait for acknowledgement (the hash of the message encrypted message) and then wait for their side and return the ack and once both send and both get acks they then share the public key used to generate the cipher used on the signature.
BTW, when the diagram shows the addition of the two keys, that is literally how schnorr keys are aggregated. The only bit that is unfamiliar to most is that is an operation where the overflow bits are added to the other side, modulo addition, a form of clockwork arithmetic in binary.
Also, note that the very same thing can be done with more than two, but it could take a long time if there is hundreds of parties as this is an interactive protocol, although if you have the patience it certainly can be done more or less asynchronously, like it was email.
reply
0 sats \ 2 replies \ @zuspotirko 22 Jul 2023
Interesting scenario. The thing that comes to my mind immediately when hearing "Schnorr" and "attack" is the Sony-hack that is based on accidentally choosing the same r-value more than once. Which is a very famous attack in crypto
reply
10 sats \ 1 reply \ @zuspotirko 22 Jul 2023
Small correction: the sony-hack was with k-value in DSA, not r-value in Schnorr. But the two hacks are conceptually the same
reply
0 sats \ 0 replies \ @l0k18 22 Jul 2023
Half the same key certainly narrows down the search :D The effective bits of security for this are 64, which is still better than SSL 20 years ago.
wait. DSA. not ECDSA.
The noughties were miserable times after 2005 until the end of the decade.
reply
0 sats \ 0 replies \ @squank 22 Jul 2023
Is this attack mitigated by checking the destination address?
reply