π
Original date posted:2023-07-26
ποΈ Summary of this message: The protocol described in the text is an interesting idea for incorporating 2FA authentication into blind signing. However, there may be vulnerabilities in the protocol that need to be addressed.
π Original message:
It's an interesting idea for a protocol. If I get it right, your basic idea here is to kind of "shoehorn" in a 2FA authentication, and that the blind-signing server has no other function than to check the 2FA?
This makes it different from most uses of blind signing, where *counting* the number of signatures matters (hence 'one more forgery etc). Here, you are just saying "I'll sign whatever the heck you like, as long as you're authorized with this 2FA procedure".
Going to ignore the details of practically what that means - though I'm sure that's where most of the discussion would end up - but just looking at your protocol in the gist:
It seems you're not checking K values against attacks, so for example this would allow someone to extract the server's key from one signing:
1 Alice, after receiving K2, sets K1 = K1' - K2, where the secret key of K1' is k1'.
2 Chooses b as normal, sends e' as normal.
3 Receiving s2, calculate s = s1 + s2 as normal.
So since s = k + ex = (k' + bx) + ex = k' + e'x, and you know s, k' and e', you can derive x. Then x2 = x - x1.
(Gist I'm referring to: https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb)
Sent with Proton Mail secure email.
------- Original Message -------
On Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> Hi All,
>
> I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):
>
> Signing:
>
> X = X1 + X2
> K1 = k1G
> K2 = k2G
>
> R = K1 + K2 + bX
> e = hash(R||X||m)
>
> e' = e + b
> s = (k1 + e'*x1) + (k2 + e'*x2)
> s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)
>
> sG = (K1 + K2 + bX) + eX
> sG = R + eX
>
> Verification:
>
> Rv = sG - eX
> ev = hash(R||X||m)
> e ?= ev
>
> https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb
>
> Been trying to get a review on this for a while, please let me know if I got it wrong!
>
> BR,
> moonsettler
>
>
> ------- Original Message -------
> On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev bitcoin-dev at lists.linuxfoundation.org wrote:
>
>
>
> > > Party 1 never learns the final value of (R,s1+s2) or m.
> >
> > Actually, it seems like a blinding step is missing. Assume the server (party 1)
> > received some c during the signature protocol. Can't the server scan the
> > blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in
> > signature verification and then check c == c'? If true, then the server has the
> > preimage for the c received from the client, including m.
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
AdamISZ [ARCHIVE] /
npub1nvβ¦kqw2t
2023-07-27 02:26:34
in reply to nevent1qβ¦st7e
Author Public Key
npub1nv7tjpn2g8tvt8qfq5ccyl00ucfcu98ch998sq4g5xp65vy6fc4sykqw2tPublished at
2023-07-27 02:26:34Event JSON
{
"id": "96877d900e98a4be6d28e74b63c120eae9faa7649cbfb5de0d32f8b209557890",
"pubkey": "9b3cb9066a41d6c59c090531827defe6138e14f8b94a7802a8a183aa309a4e2b",
"created_at": 1690417594,
"kind": 1,
"tags": [
[
"e",
"86a87258a295f0e8a6ce06957ce368a6146cf45a73137d0af6fcc0729ce599a0",
"",
"root"
],
[
"e",
"46728fc9c8c64c8cd3fad6af322ad12dc2e915142b3619ddf0c09e179bb22641",
"",
"reply"
],
[
"p",
"eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f"
]
],
"content": "π
Original date posted:2023-07-26\nποΈ Summary of this message: The protocol described in the text is an interesting idea for incorporating 2FA authentication into blind signing. However, there may be vulnerabilities in the protocol that need to be addressed.\nπ Original message:\nIt's an interesting idea for a protocol. If I get it right, your basic idea here is to kind of \"shoehorn\" in a 2FA authentication, and that the blind-signing server has no other function than to check the 2FA?\n\nThis makes it different from most uses of blind signing, where *counting* the number of signatures matters (hence 'one more forgery etc). Here, you are just saying \"I'll sign whatever the heck you like, as long as you're authorized with this 2FA procedure\".\n\nGoing to ignore the details of practically what that means - though I'm sure that's where most of the discussion would end up - but just looking at your protocol in the gist:\n\nIt seems you're not checking K values against attacks, so for example this would allow someone to extract the server's key from one signing:\n\n1 Alice, after receiving K2, sets K1 = K1' - K2, where the secret key of K1' is k1'.\n2 Chooses b as normal, sends e' as normal.\n3 Receiving s2, calculate s = s1 + s2 as normal.\n\nSo since s = k + ex = (k' + bx) + ex = k' + e'x, and you know s, k' and e', you can derive x. Then x2 = x - x1.\n\n(Gist I'm referring to: https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb)\n\n\n\n\nSent with Proton Mail secure email.\n\n------- Original Message -------\nOn Wednesday, July 26th, 2023 at 03:44, moonsettler via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\n\u003e Hi All,\n\u003e \n\u003e I believe it's fairly simple to solve the blinding (sorry for the bastard notation!):\n\u003e \n\u003e Signing:\n\u003e \n\u003e X = X1 + X2\n\u003e K1 = k1G\n\u003e K2 = k2G\n\u003e \n\u003e R = K1 + K2 + bX\n\u003e e = hash(R||X||m)\n\u003e \n\u003e e' = e + b\n\u003e s = (k1 + e'*x1) + (k2 + e'*x2)\n\u003e s = (k1 + k2 + b(x1 + x2)) + e(x1 + x2)\n\u003e \n\u003e sG = (K1 + K2 + bX) + eX\n\u003e sG = R + eX\n\u003e \n\u003e Verification:\n\u003e \n\u003e Rv = sG - eX\n\u003e ev = hash(R||X||m)\n\u003e e ?= ev\n\u003e \n\u003e https://gist.github.com/moonsettler/05f5948291ba8dba63a3985b786233bb\n\u003e \n\u003e Been trying to get a review on this for a while, please let me know if I got it wrong!\n\u003e \n\u003e BR,\n\u003e moonsettler\n\u003e \n\u003e \n\u003e ------- Original Message -------\n\u003e On Monday, July 24th, 2023 at 5:39 PM, Jonas Nick via bitcoin-dev bitcoin-dev at lists.linuxfoundation.org wrote:\n\u003e \n\u003e \n\u003e \n\u003e \u003e \u003e Party 1 never learns the final value of (R,s1+s2) or m.\n\u003e \u003e \n\u003e \u003e Actually, it seems like a blinding step is missing. Assume the server (party 1)\n\u003e \u003e received some c during the signature protocol. Can't the server scan the\n\u003e \u003e blockchain for signatures, compute corresponding hashes c' = H(R||X||m) as in\n\u003e \u003e signature verification and then check c == c'? If true, then the server has the\n\u003e \u003e preimage for the c received from the client, including m.\n\u003e \u003e _______________________________________________\n\u003e \u003e bitcoin-dev mailing list\n\u003e \u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e \u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e \n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev",
"sig": "193dc2291a42537c5556748587f7f1aac477ec378d4b11ea443bb9d66b2d79ea445e2861a9c79542432b523555cf098bf8e053c0bc35e5ebc95a2bb02fdf4dce"
}