Very nice! Is there an authentication mechanism to avoid 'breaking the chain'
with an unverifiable new state by a previous owner? Can the current owner prove
the knowledge of a non-identifying secret he learned as recipient to the server
that is related to the statechain tip?
BR,
moonsettler
------- Original Message -------
On Monday, August 7th, 2023 at 2:55 AM, Tom Trevethan via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> A follow up to this, I have updated the blinded statechain protocol
> description to include the mitigation to the Wagner attack by requiring the
> server to send R1 values only after commitments made to the server of the R2
> values used by the user, and that all the previous computed c values are
> verified by each new statecoin owner.
> https://github.com/commerceblock/mercury/blob/master/layer/protocol.md
>
> Essentially, the attack is possible because the server cannot verify that the
> blinded challenge (c) value it has been sent by the user has been computed
> honestly (i.e. c = SHA256(X1 + X2, R1 + R2, m) ), however this CAN be
> verified by each new owner of a statecoin for all the previous signatures.
>
> Each time an owner cooperates with the server to generate a signature on a
> backup tx, the server will require that the owner send a commitment to their
> R2 value: e.g. SHA256(R2). The server will store this value before responding
> with it's R1 value. This way, the owner cannot choose the value of R2 (and
> hence c).
>
> When the statecoin is received by a new owner, they will receive ALL previous
> signed backup txs for that coin from the sender, and all the corresponding R2
> values used for each signature. They will then ask the server (for each
> previous signature), the commitments SHA256(R2) and the corresponding server
> generated R1 value and c value used. The new owner will then verify that each
> backup tx is valid, and that each c value was computed c = SHA256(X1 + X2, R1
> + R2, m) and each commitment equals SHA256(R2). This ensures that a previous
> owner could not have generated more valid signatures than the server has
> partially signed.
>
> On Thu, Jul 27, 2023 at 2:25 PM Tom Trevethan <t...@commerceblock.com> wrote:
>
>> On Thu, Jul 27, 2023 at 9:08 AM Jonas Nick <jonasdn...@gmail.com> wrote:
>>
>>> No, proof of knowledge of the r values used to generate each R does not
>>> prevent
>>> Wagner's attack. I wrote
>>>
>>>> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>>>> c[0] + ... + c[K-1] = c[K].
>>>
>>> You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
>>> define R2[i] = r2[i]*G. The attacker chooses r2[i]. The attack wouldn't make
>>> sense if he didn't.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
