@Jonas
OK, thanks, I get the logic now. I believe this attack can be mitigated (at
least in the case of using this scheme for statechains) by the receiver of
a coin verifying the construction of all previous challenges.
So in this case, the sender of a coin would record R2[K-1] in addition to m
(
No, proof of knowledge of the r values used to generate each R does not prevent
Wagner's attack. I wrote
> Using Wagner's algorithm, choose R2[0], ..., R2[K-1] such that
>c[0] + ... + c[K-1] = c[K].
You can think of this as actually choosing scalars r2[0], ..., r2[K-1] and
define R2[i] = r
A reasonable attack scenario might be: attacker gains control of client machine
and its privkey, wants to extract money. It first operates passively, waiting
for user to do 2FA on a normal transaction, only modifying the nonce used in
order to achieve its goal. Then, after that 1 transaction goe
Hello all,
1. No proof of knowledge of each R does *NOT* prevent wagner's attack.
2. In my mind, A generic blind signing service is sufficient for doing
blinded MuSig, Muig2, FROST or whatever without the blind signing service
knowing. You don't need a specialized MuSig2 blind singing service to
e
> not taking action against these inscription could be interpreted by spammers
> as tacit acceptance of their practice.
Note that some people, even on this mailing list, do not consider Ordinals as
spam:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021464.html
See? It
