Author: Tom Trevethan 2023-07-27 13:25:33+00:00
Published on: 2023-07-27T13:25:33+00:00
In a conversation between two individuals, Jonas and another person (referred to as "@Jonas"), they discuss a potential attack on a scheme involving statechains. @Jonas suggests that the attack can be mitigated by having the receiver of a coin verify the construction of all previous challenges.According to @Jonas, the sender of a coin would record R2[K-1] (a value) along with m (message) and any c blinding nonce used for the signature generated with the server. These values, along with all previous R2 values (i = 0, ..., K-2), would then be sent to the receiver.The receiver, in turn, would query the server for the full set of R1[i] values it has generated (i = 0, ..., K-1) and the corresponding blinded c[i] values used for each co-signing performed on this key. The receiver would then verify that each previous c[i] (i = 0, ..., K-1) has been correctly formed and includes the server-generated R1[i].If any of the c values fail to verify against the provided R1 values from the server, then the coin is considered invalid.In a separate email, @Jonas explains that proof of knowledge of the r values used to generate each R does not prevent Wagner's attack. He clarifies that Wagner's algorithm involves choosing R2[0], ..., R2[K-1] such that the sum of c[0] + ... + c[K-1] equals c[K]. This can be thought of as choosing scalars r2[0], ..., r2[K-1] and defining R2[i] = r2[i]*G, where G is a generator point. The attacker chooses r2[i] in this scenario.Overall, the discussion highlights the importance of verifying the construction of previous challenges in order to mitigate potential attacks on the statechains scheme.
Updated on: 2023-07-28T02:09:31.484217+00:00