00:32:37 (reposting from -lounge, since it is MRL related) Rucknium[m] pointed out a new-ish multisig scheme called FROST. I had seen something about this before but didn't look too closely. Today I looked much closer and discovered something very useful. FROST shows an apparently elegant way to solve the multisig Wagner attack (https://github.com/haveno-dex/haveno/issues/103), more appropriately called the Drijvers attack, without using commit-and-reveal (which requires an extra communication round during thresholded signing). This paper helped me understand the Drijvers attack much better, which I am also grateful for. The attack allows _signature forgeries_ IF performing multiple concurrent signing attempts with the same group of signers, not leakage of private keys over non-concurrent signing attempts like I originally thought. I will probably do a short write-up later this week/weekend.
00:32:37 I also plan to update my Seraphis composition proof multisig implementation to use FROST-style signing, as a demo :). It might even be trivial to update the current code to use FROST-style signing, so maybe I will grab the Haveno bounty for that (if 7877 ever lands... which is way more important).
00:32:38 FROST also has an M-of-N key gen process that is more efficient than our current approach when `N - M > 1`. It is a bit complicated, and would be a lot of work to implement. Since 2-of-3 is the main use-case for multisig, I think it's fine to keep what we have (in PR 7877), and leave FROST key gen as a 'TODO if you are competent and really motivated to improve key gen for `N - M > 1`'.
00:32:39 - FROST: https://eprint.iacr.org/2020/852.pdf (sections 2.5, 5.2, 6.2 [Extension of Proof to FROST] are most useful)
00:32:40 - Drijvers attack: https://eprint.iacr.org/2018/417.pdf (section 4.2 is especially useful)
00:32:40 - https://eprint.iacr.org/2020/945.pdf (an optimization of the Drijvers attack afaict; I think these guys claim that 9 concurrent signing attempts is the minimum number for efficient forgeries with optimized-Drijvers)
00:34:30 (note: FROST key gen is less efficient for N-of-N, and marginally less efficient for (N-1)-of-N since you can't do keygen boosting afaict)
00:51:44 cool thanks koe
00:56:00 If anyone reads these papers (https://eprint.iacr.org/2021/1375.pdf also), please let me know why each signer needs two commitments `D, E` (is the reason buried in security proofs somewhere?). My impression is just one would suffice (`E`).
01:00:16 Great thanks koe
02:04:45 Re: `D, E`, there is appendix C of https://eprint.iacr.org/2021/1375.pdf. I see how the Drijvers attack can be executed if there is one honest signer and `D = identity`. It isn't clear if it would be vulnerable for >1 honest signer, but this is sufficient to justify 2 commitments/nonces.
02:05:17 Since an honest signer has to assume there are `M-1` dishonest signers.
03:58:28 wallet-side binning PoC: https://github.com/monero-project/research-lab/issues/88
04:03:07 UkoeHB: Interesting! I'll take a read :)
04:06:51 It would be really nice if we can remove the commit-and-reveal phase (so -1 round) and still be "as secure", if not "better".
09:30:02 Oh FROST keygen builds upon Pedersen DKG (not the commitment), which builds upon Feldman VSS, which builds upon Shamir Secret Sharing. I have a prototype of Feldman VSS here: https://github.com/coinstudent2048/junks/blob/master/feldman_vss.py , although as UKoeHB said, 2-of-3 is the main use-case for multisig, hence it's alright to keep what we have for now.
17:23:26 Boom done: https://github.com/UkoeHB/drijvers-multisig-tech-note. Lunch time
17:26:01 "(reposting from -lounge, since..." <- I'm glad my lurking in the Zcash forums could result in something useful for Monero 😁