[bitcoin-dev] Composable MuSig

Lloyd Fournier lloyd.fourn at gmail.com
Mon Dec 2 03:30:26 UTC 2019


Hi ZmnSCPxj,

> > Just a quick note: I think there is a way to commit to a point properly with Pedersen commitments. Consider the following:
> > COM(X) = (y*G + z*H, y*G + X)  where y and z are random and the opening is (y,z,X).  This seems to be a  unconditionally hiding and computationally binding homomorphic commitment scheme to a point based on the DL problem rather than DDH.
>
> So the Pedersen commitment commits to a tweak on `X`, which is revealed later so we can un-tweak `X`.
> Am I correct in assuming that you propose to use `X` for the contribution to `R` for a participant?
> How is it different from using ElGamal commitments?

Yes. It's not significantly different. It is unconditionally hiding
rather than binding (ElGamal is unconditionally binding). I just
thought of it while reading your post so I mentioned it. The real
question is what properties does the commitment scheme need to be
appropriate for MuSig R coin tossing?
In the security proof, the commitment hash is modelled as a random
oracle rather than as an abstract commitment scheme. I wonder if any
MuSig author has an opinion on whether the H_com interaction can be
generalised to a commitment scheme with certain properties (e.g
equivocal, extractable). By the looks of it, the random oracle is
never explicitly programmed except with randomly generated values so
maybe there is hope that a non ROM commitment scheme can do the job. I
guess the reduction would then be to either breaking the discrete
logarithm problem OR some property of the commitment scheme.

Cheers,

LL


More information about the bitcoin-dev mailing list