Author: Erik Aronesty 2018-07-11 14:45:58
Published on: 2018-07-11T14:45:58+00:00
The discussion revolves around a scenario where the user knows Apub and Bpub, M is 3 and a random number is chosen for C's private key. The equation to be solved for is g^Ax + g^B*2 + g^C*3. However, the user does not know A or B, only their public keys. The user believes that choosing hash(pub) as X prevents an adaptive attack on the multisig construction using a shamir secret sharing interpolation. This is because in order to satisfy the equation and factor out C, one would need to break the hash. While adaptive attacks are possible in an additive construction, it is not possible with this method due to the need for a public X coordinate. Adam Back adds to the discussion by stating that delinearization mechanisms are needed to prevent adaptive public key choice from being used to break the scheme through Wagner's attack. He explains that all public keys are hashed along with a per-value hash, which forces the public keys to be non-adaptively chosen. Adaptively chosen public keys can be dangerous and easily exploited, as demonstrated in the example of pub keys A+B and party C' choosing C=C'-A-B, allowing for signing of A+B+C using adaptively chosen public key C. Back also mentions that Wagner was able to break an earlier delinearization scheme where S=H(A)*A+H(B)*B+H(C)*C.
Updated on: 2023-06-13T03:55:19.075553+00:00