Author: Gregory Maxwell 2018-07-09 16:21:59
Published on: 2018-07-09T16:21:59+00:00
In an email thread on bitcoin-dev, Erik Aronesty proposes using H(g*x) as a public index for Shamir polynomial interpolation. However, this method is found to be insecure as it is similar to the insecure musig variant where keys are blinded by H(g*x) instead of a commitment to all keys. The vulnerability arises in the form of an attacker knowing a victim pubkey P and using Wagner's algorithm to solve a random modular subset sum problem. The attacker then claims to be participants with keys aP, bP, cP, ..., xG (their own key), cancels out key P, and signs the value alone with their key. A member of the thread points out that Erik's suggestion uses simple multiplication in place of a cryptographic hash, resulting in a schnorr signature where H() is just r*m in the field of size n. This method does not possess any new properties about how it can be used and has the same linearities as the normal schnorr construction. However, security proofs cannot hold unless it is believed that multiplication in the field of n is a suitable random oracle, which is deemed implausible.
Updated on: 2023-05-20T17:25:21.386805+00:00