[bitcoin-dev] Composable MuSig
Lloyd Fournier
lloyd.fourn at gmail.com
Sun Dec 8 06:10:00 UTC 2019
Hi ZmnSCPxj,
I think your idea of allowing multiple Rs is a fine solution as it
would essentially mean that you were just doing a three party MuSig
with more specific communication structure. As you mentioned, this is
not quite ideal though.
> It seems to me that what is needed for a composable MuSig is to have a commitment scheme which is composable.
Maybe. Showing certain attacks don't work is a first step. It would
take some deeper analysis of the security model to figure out what
exactly the MuSig requires of the commitment scheme.
> To create a commitment `c[A]` on the point A, such that `A = a * G`, the committer:
>
> * Generates random scalars `r` and `m`.
> * Computes `R` as `r * G`.
> * Computes `s` as `r + h(R | m) * a`.
> * Gives `c[A]` as the tuple `(R, s)`.
This doesn't look binding. It's easy to find another ((A,a),m) which
would validate against (R,s). Just choose m and choose a = (s - r)
h(R||m)^-1.
Cheers,
LL
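The non-binding opening described in the message above, worked through as an added example; this is not code from the post, from ZmnSCPxj's proposal, or from any MuSig implementation. The quoted scheme sets `s = r + h(R | m) * a`, so the natural opening check is `s * G == R + h(R | m) * A`; that check, the choice of secp256k1, SHA-256 as `h`, and the hash input encoding are all assumptions made here. Knowing `r`, the committer picks a fresh `m'` and solves `a' = (s - r) * h(R | m')^-1 mod n`, and the same `(R, s)` then opens to a different point `A' = a' * G`.

```python
"""
Added example (not from the thread): the proposed commitment
c[A] = (R, s) with s = r + h(R | m) * a is not binding. Whoever knows r
can reopen it to any other point by re-choosing m and solving for a.

Assumptions made here: secp256k1 as the curve, SHA-256 over the
compressed encoding of R followed by m as h(R | m), and the opening
check s * G == R + h(R | m) * A.
"""
import hashlib

# secp256k1 parameters (assumed curve; the thread does not name one)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k %= N
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_bytes(pt):
    """Compressed SEC1 encoding, used as the hash input for R."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def h(R, m):
    """h(R | m): SHA-256 over the encoding of R followed by m, reduced mod n."""
    return int.from_bytes(hashlib.sha256(point_bytes(R) + m).digest(), "big") % N


def commit(a, r, m):
    """The committer's side exactly as quoted: R = r*G, s = r + h(R|m)*a."""
    R = scalar_mult(r, G)
    s = (r + h(R, m) * a) % N
    return (R, s)


def verify_opening(c, A, m):
    """Assumed opening check implied by s = r + h(R|m)*a: s*G == R + h(R|m)*A."""
    R, s = c
    return scalar_mult(s, G) == point_add(R, scalar_mult(h(R, m), A))


def equivocate(c, r, m2):
    """Reopen c to a different scalar: choose m2, solve a2 = (s - r) * h(R|m2)^-1.

    Then s = r + h(R|m2) * a2 holds by construction, so (R, s) opens to
    A2 = a2*G under m2 just as well as to the original A under m.
    h(R|m2) == 0 would make the inverse fail, but that happens with
    negligible probability; pick another m2 in that case.
    """
    R, s = c
    a2 = (s - r) * pow(h(R, m2), -1, N) % N
    return a2


if __name__ == "__main__":
    # Constructed values for the demo; any nonzero scalars work.
    a, r = 12345, 67890
    c = commit(a, r, b"honest opening")
    A = scalar_mult(a, G)
    a2 = equivocate(c, r, b"second opening")
    A2 = scalar_mult(a2, G)
    print("original opening verifies:", verify_opening(c, A, b"honest opening"))
    print("second opening verifies:  ", verify_opening(c, A2, b"second opening"))
    print("points differ:            ", A != A2)
```

The point LL makes is visible in `equivocate`: because `s` is linear in `a` with a coefficient the committer controls through `m`, the commitment pins down only the product `h(R | m) * a`, not `a` itself, so the committer is free to trade one factor against the other after the fact.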
More information about the bitcoin-dev
mailing list