Skip to content
This repository has been archived by the owner on Jun 6, 2024. It is now read-only.

musig: multi-message API for mitigating Russell's attack #176

Closed
oleganza opened this issue Mar 1, 2019 · 0 comments · Fixed by #282
Closed

musig: multi-message API for mitigating Russell's attack #176

oleganza opened this issue Mar 1, 2019 · 0 comments · Fixed by #282

Comments

@oleganza
Copy link
Contributor

oleganza commented Mar 1, 2019
edited
Loading

Background

See appendices A.2/A.3 in the MuSig paper.

TL;DR

If you have two UTXOs using the same key, and you did not check ALL the utxos being using in the signed message, then your partial signature for one UTXO can be reused to also sign off inclusion of another UTXO.

Solution for aggregation-by-verifier

The MuSig paper's appendix A.3 describes a solution:

  1. The total signed message is formed with ordered pairs (pubkey, item) where item is a specific message signed by the given pubkey (e.g. a unique utxo id or contract id - see also zkvm: make contracts unique #172).
  2. Each party generates their own Fiat-Shamir challenge corresponding to their index.
  3. The per-party F-S challenges effectively cover the "delinearization" factor applied to each pubkey, so there is no need to apply it to pubkeys in prior steps.
  4. The verifier needs to see each individual pubkey and individual message for this to work.

Key aggregation by provers

In the cases when the verifier does not see individual keys, that is, when they were compressed under n-of-n rule offline into a single predicate, each signer is supposed to be fully aware of a message they are signing.

This works fine in case of delegate (provided the contract's anchor is unique and covered by signature: #172).

For signtx, the signer must be "aware of" not just txid, but the specific pair of (pubkey, item) which is normally a (predicate, utxo_id). They usually would ignore txid and only verify proofs of certain outputs to belong to the txid that they sign, since the txid itself and other signers' outputs are not relevant to the given signer.

API

The multi-message API is inherently different from single-message API, since each key's delinearization factor is effectively an individual fiat-shamir challenge bound to the specific (key-submessage) pair.

This should be composable over the regular musig protocol for nested Multikeys via API for cumulative multiplicative adjustment factor (#236).
@cathieyun cathieyun mentioned this issue Mar 5, 2019
Merged
@oleganza oleganza mentioned this issue Mar 13, 2019
Open
15 tasks
@oleganza oleganza mentioned this issue Mar 21, 2019
Open
@oleganza oleganza changed the title musig: mitigating Russell's attack against reused/related keys musig: multi-message API for mitigating Russell's attack Mar 21, 2019
@oleganza oleganza mentioned this issue Apr 22, 2019
Merged
oleganza added a commit that referenced this issue Apr 22, 2019
@oleganza
zkvm: integrate multi-message API (#282)
d91489e 
1. Merges `Output` type into `Contract` type, and stores precomputed `ContractID` within the contract.
2. Adds multi-message API from Musig to be used with `signtx` with the use of contract ID.
3. Adds contract ID to the transcript in `delegate` instruction.
4. Added `UnsignedTx` type returned by the zkvm::Prover. See also #146.
5. All tx-related types are placed into `tx.rs` module: TxHeader, UnsignedTx, Tx, VerifiedTx, TxID, TxEntry, TxLog.

Closes #176
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

zkvm: integrate multi-message API stellar/slingshot
1 participant
@oleganza