-
UkoeHB(reposting from -lounge, since it is MRL related) Rucknium[m] pointed out a new-ish multisig scheme called FROST. I had seen something about this before but didn't look too closely. Today I looked much closer and discovered something very useful. FROST shows an apparently elegant way to solve the multisig Wagner attack (haveno-dex/haveno #103), more appropriately called the Drijvers attack, without using
-
UkoeHBcommit-and-reveal (which requires an extra communication round during thresholded signing). This paper helped me understand the Drijvers attack much better, which I am also grateful for. The attack allows _signature forgeries_ IF performing multiple concurrent signing attempts with the same group of signers, not leakage of private keys over non-concurrent signing attempts like I originally thought. I will probably do a short
-
UkoeHBwrite-up later this week/weekend.
-
UkoeHBI also plan to update my Seraphis composition proof multisig implementation to use FROST-style signing, as a demo :). It might even be trivial to update the current code to use FROST-style signing, so maybe I will grab the Haveno bounty for that (if 7877 ever lands... which is way more important).
-
UkoeHBFROST also has an M-of-N key gen process that is more efficient than our current approach when `N - M > 1`. It is a bit complicated, and would be a lot of work to implement. Since 2-of-3 is the main use-case for multisig, I think it's fine to keep what we have (in PR 7877), and leave FROST key gen as a 'TODO if you are competent and really motivated to improve key gen for `N - M > 1`'.
-
UkoeHB- FROST: eprint.iacr.org/2020/852.pdf (sections 2.5, 5.2, 6.2 [Extension of Proof to FROST] are most useful)
-
UkoeHB- Drijvers attack: eprint.iacr.org/2018/417.pdf (section 4.2 is especially useful)
-
UkoeHB- eprint.iacr.org/2020/945.pdf (an optimization of the Drijvers attack afaict; I think these guys claim that 9 concurrent signing attempts is the minimum number for efficient forgeries with optimized-Drijvers)
-
UkoeHB(note: FROST key gen is less efficient for N-of-N, and marginally less efficient for (N-1)-of-N since you can't do keygen boosting afaict)
-
luigi1111cool thanks koe
-
UkoeHBIf anyone reads these papers (eprint.iacr.org/2021/1375.pdf also), please let me know why each signer needs two commitments `D, E` (is the reason buried in security proofs somewhere?). My impression is just one would suffice (`E`).
-
ArticMineGreat thanks koe
-
UkoeHBRe: `D, E`, there is appendix C of eprint.iacr.org/2021/1375.pdf. I see how Drijvers attack can be executed if there is one honest signer and `D = identity`. It isn't clear if it would be vulnerable for >1 honest signer, but this is sufficient to justify 2 commitments/nonces.
-
UkoeHBSince an honest signer has to assume there are `M-1` dishonest signers.
-
jberman[m]wallet-side binning PoC: monero-project/research-lab #88
-
coinstudent2048[UkoeHB: Interesting! I'll take a read :)
-
coinstudent2048[It would be really nice if we can remove commit-and-reveal phase (so -1 round) and still "as secrue", if not "better".
-
coinstudent2048[Oh FROST keygen builds upon Pedersen DKG (not the commitment), which builds upon Feldman VSS, which builds upon Shamir Secret Sharing. I have a prototype of Feldman VSS here: github.com/coinstudent2048/junks/blob/master/feldman_vss.py , although as UKoeHB said, 2-of-3 is the main use-case for multisig, hence I'ts alright to keep what we have for now.
-
UkoeHBBoom done: github.com/UkoeHB/drijvers-multisig-tech-note. Lunch time
-
Rucknium[m]<UkoeHB> "(reposting from -lounge, since..." <- I'm glad my lurking in the Zcash forums could result in something useful for Monero 😁