Author: Tom Trevethan 2023-08-07 00:55:38+00:00
Published on: 2023-08-07T00:55:38+00:00
The blinded statechain protocol description has been updated to include a mitigation for the Wagner attack. This involves requiring the server to send R1 values only after commitments are made to the server of the R2 values used by the user. All previous computed c values are verified by each new statecoin owner. The attack is possible because the server cannot verify that the blinded challenge (c) value it receives from the user has been computed honestly. However, this can be verified by each new owner of a statecoin for all previous signatures. When an owner cooperates with the server to generate a signature on a backup transaction, the server requires the owner to send a commitment to their R2 value. The server stores this value before responding with its R1 value. This prevents the owner from choosing the value of R2 (and hence c). When the statecoin is received by a new owner, they receive all previous signed backup transactions and the corresponding R2 values used for each signature. The new owner then asks the server for the commitments SHA256(R2), the corresponding server-generated R1 value, and the c value used for each previous signature. The new owner verifies that each backup transaction is valid, and that each c value was computed as c = SHA256(X1 + X2, R1 + R2, m), while each commitment equals SHA256(R2). This ensures that a previous owner could not have generated more valid signatures than the server has partially signed.
Updated on: 2023-08-09T02:04:25.830305+00:00