{"type":"rich","version":"1.0","title":"Jonas Nick [ARCHIVE] wrote","author_name":"Jonas Nick [ARCHIVE] (npub1at…y3z5a)","author_url":"https://yabu.me/npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5a","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2023-07-24\n🗒️ Summary of this message: The text discusses concerns about the proposed scheme for blind MuSig and suggests an alternative approach that may be worth exploring.\n📝 Original message:\nHi Tom,\n\nI'm not convinced that this works. As far as I know blind musig is still an open\nresearch problem. What the scheme you propose appears to try to prevent is that\nthe server signs K times, but the client ends up with K+1 Schnorr signatures for\nthe aggregate of the server's and the client's key. I think it's possible to\napply a variant of the attack that makes MuSig1 insecure if the nonce commitment\nround was skipped or if the message isn't determined before sending the nonce.\nHere's how a malicious client would do that:\n\n- Obtain K R-values R1[0], ..., R1[K-1] from the server\n- Let\n     R[i] := R1[i] + R2[i] for all i \u003c= K-1\n     R[K] := R1[0] + ... + R1[K-1]\n     c[i] := H(X, R[i], m[i]) for all i \u003c= K.\n   Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that\n     c[0] + ... + c[K-1] = c[K].\n- Send c[0], ..., c[K-1] to the server to obtain s[0], ..., s[K-1].\n- Let\n     s[K] = s[0] + ... + s[K-1].\n   Then (s[K], R[K]) is a valid signature from the server, since\n     s[K]*G = R[K] + c[K]*a1*X1,\n   which the client can complete to a signature for public key X.\n\nWhat may work in your case is the following scheme:\n- Client sends commitment to the public key X2, nonce R2 and message m to the\n   server.\n- Server replies with nonce R1 = k1*G\n- Client sends c to the server and proves in zero knowledge that c =\n   SHA256(X1 + X2, R1 + R2, m).\n- Server replies with s1 = k1 + c*x1\n\nHowever, this is just some quick intuition and I'm not sure if this actually\nworks, but maybe worth exploring."}
