Re: [Cfrg] Adoption of threshold drafts by RG

Jeff Burdges <burdges@gnunet.org> Wed, 30 September 2020 16:35 UTC



> On 30 Sep 2020, at 18:05, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>> If you want a multi-signer Schnorr protocol then you'll need either some form of witnesses delinearization or else some fancy determinism solution like MuSig-DN.
> 
> I did initially consider multi-sig sufficient for pretty much every need. There are however two requirements where I think threshold is pretty compelling.

I never said “don’t do threshold”.  I said roughly: You need to understand why the witness/nonce attacks work.  And the defenses.  

If threshold gets in the way, then try to understand it for MuSig first.

Also, MuSig-DN is *not* MuSig.  A derandomized nonce (the DN) is incredibly insecure unless you pull tricks similar to what they do.  MuSig and MuSig-DN both have natural threshold variants.  And both are closer to their threshold variants than to one another.

Jeff
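
Added example, not part of the message above and not code from any MuSig implementation: a simplified two-party Schnorr round (no key-aggregation coefficients) showing why a nonce derived only from the signer's key and the message is unsafe once the challenge also depends on a co-signer's nonce, next to the same run with fresh per-session nonces. The toy group parameters, function names and messages are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: G has prime order Q mod P.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash arbitrary values to a scalar mod Q."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def det_nonce(x, msg):
    """Derandomized nonce: a function of the signer's key and the message only."""
    return H("nonce", x, msg) or 1

def fresh_nonce(x, msg):
    """Fresh uniformly random nonce for every session."""
    return secrets.randbelow(Q - 1) + 1

def partial_sign(x, r, R_other, X_agg, msg):
    """One signer's share s = r + c*x mod Q of a two-party signature."""
    R = pow(G, r, P) * R_other % P     # aggregate nonce commitment
    c = H("chal", R, X_agg, msg)       # challenge depends on the co-signer's nonce
    return c, (r + c * x) % Q

def share_is_valid(X, r, c, s):
    """Check G^s == G^r * X^c for a single share."""
    return pow(G, s, P) == pow(G, r, P) * pow(X, c, P) % P

def solve_for_key(c1, s1, c2, s2):
    """The value two transcripts determine when both used the same nonce r."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def two_sessions(x, msg, nonce_fn):
    """Two sessions on the same message; only the co-signer's nonce changes."""
    X_agg = pow(G, x, P)   # assumption: co-signer key omitted, the algebra is unchanged
    c1, s1 = partial_sign(x, nonce_fn(x, msg), pow(G, 2, P), X_agg, msg)
    k = 3
    while True:            # skip the rare case where both challenges coincide
        c2, s2 = partial_sign(x, nonce_fn(x, msg), pow(G, k, P), X_agg, msg)
        if c2 != c1:
            return solve_for_key(c1, s1, c2, s2)
        k += 1
```

With `det_nonce` the two shares are both valid yet differ only in the `c*x` term, so `two_sessions` returns the signer's key; with `fresh_nonce` the unknown difference `r1 - r2` stays in the equation and the result is unrelated to the key.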