An amazing video showing how you can sign notes cooperatively on nak using musig2, now with 4 signers instead of the boring 3 from the previous video:
https://cdn.satellite.earth/4ca2815dfe2c4f21506e36b1c1c294ef3d372d7b2f846c69a4954e54fdd2a2ea.mp4
Multisig notes?
Is it possible to set up a 2/2 for a single npub's notes?
cc nostr:npub1h50pnxqw9jg7dhr906fvy4mze2yzawf895jhnc3p7qmljdugm6gsrurqev
You mean you already have a pubkey, but you want to split it into multiple and then sign cooperatively? I think you can do it, yes. But the assumption will be that you will control all the shards and not give them to others, and then you don't have to use MuSig, you can do a simpler, more naïve protocol.
But I'm just guessing, we should ask someone who actually understands cryptography. nostr:npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7, maybe?
Here is the intended use case: https://github.com/damus-io/damus/issues/2017
lol
Coincidentally that's one of the first things I posted on nostr about :) Yes, 2 people could cooperatively control a nostr npub and use musig2 to sign for it. MuSig2 was designed to do exactly that for secp256k1 keypairs (which nostr as well as bitcoin use). It's a protocol to let N of N individual keys create a combined keypair and make signatures which require the consent of all keyholders. The protocol (musig2 that is) is pretty complicated to make it so that the end product looks just like any other signature, and the combined pubkey looks like any other pubkey. HTH.
Did you see the first post in this thread? It's about an easy (manual) way to sign events with musig2 that comes in the https://github.com/fiatjaf/nak CLI tool. You should try it!
But my question here was more if it's possible and if it's a good idea to take someone's existing private key and split it in two, store each shard in a different device so they're never united again, then use some protocol to produce signatures without having to bring them together.
As opposed to just making a fresh 2 keys? I mean it'd always be easier to just do that ofc (and authorise new key(s) with old).
Hmm with MuSig2 it's not possible I think. The aggregated pubkey is designed to withstand key subtraction attacks, and that means you can't backsolve to make the aggregated pubkey be equal to the preexisting pubkey.
So you're in a weird area ... try to just combine signatures naively without the protections of musig2 against adversarial behaviour? Very unlikely to make sense since you're doing this for improved security in the first place.
> As opposed to just making a fresh 2 keys?
Yes.
> try to just combine signatures naively without the protections of musig2 against adversarial behaviour?
I see, that makes sense.
> Very unlikely to make sense
I think the use case is something like:
1. I have been using this raw private key in my desktop and so far it hasn't leaked, but I am afraid it will eventually leak.
2. So I split it in 2 and put one shard in a hardware wallet and the other I leave on the desktop, delete the raw key.
3. Now to sign events I need the combination of the two devices, communicating somehow to produce a signature.
(As I write this I realize it's not a very good use case, so maybe this discussion is a waste of time.)
What could go wrong? If one of the two shards is leaked to an attacker, could he find out about the other shard somehow?
Or, a more generic question: since the two shards are pre-defined by myself, are they immune to the key subtraction attack since that would require the attacker to use an entirely new key?
This may or may not be related: https://crypto.stackexchange.com/a/103298/54810
Yes it is, good find, Tim Ruffing covers it well in that answer. And my bad for not remembering it. If you look at e.g. FROST they argue strongly that for the even more tricky case of *threshold* signatures (i.e. M of N, not just N of N, which as you can imagine is much more delicate), a proof of knowledge of key shares is realistically essential. I came to the same conclusion looking at the security proofs of these things - it's stupidly complicated otherwise. MuSig2 is a very "industrial" protocol, by which I mean, partly because of the requirements of bitcoin, they push the limits on sophistication in order to achieve the most performant version of multisignature with the smallest interactivity footprint possible. The cruder way is "key + proof of knowledge of key" in setup and then "nonce point + proof of knowledge of nonce point" in signing. But while that is kind of "the" solution to this niche problem, I'm for sure not going to recommend doing some half-cocked protocol instead of doing the sane thing of creating fresh keys and then following the very well analyzed standard(s).
On your "more generic question", sure, the immediate thought is "well this was my secret key in the first case so it can't be adversarially chosen", yes, but the signing process has another "key", namely the nonce "shares" you do for each signing event. If they are adversarially chosen you again can get a forgery; in fact you can *use* this to extract the private key of the other signer. This is why the original MuSig was patched up to commit to the nonce points first, in an extra round.
If you add that 3rd round in, the overall idea is *perhaps* safe ... indeed that 3-round musig is quite nice, when I coded it for pathcoin I used that instead of MuSig2, it's a simpler security model at the cost of 3 instead of 2 rounds of comms. But meh, this is too slapdash, I suspect.
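Added example, not code from nak and not written by anyone in this thread: a toy secp256k1 Schnorr in pure Python that walks through the three points above on one key. (1) The naive additive split the thread asks about: an existing secret x is split into x1 + x2 (mod n), each shard contributes a nonce share and a partial signature, and the sum verifies under the original pubkey without the shards ever meeting. (2) The key subtraction (rogue-key) attack on naive P1 + P2 aggregation, and the MuSig-style per-key coefficients that stop it (which is also why you cannot back-solve shares to hit a pre-existing pubkey). (3) Extraction of the honest shard's secret by an adversarial nonce share: this assumes the honest shard derives its nonce deterministically from key and message, as single-signer BIP340 recommends, so two sessions on the same message with different adversary nonces leak x1. That assumption is this example's, not the specific attack on the original two-round MuSig that the nonce-commitment round fixed. The challenge hash is simplified and there is no x-only / even-y handling, so this is not BIP340-exact; the message is a constructed placeholder.

```python
# Added example, not code from nak or from anyone in this thread. Toy secp256k1
# Schnorr in pure Python showing (1) an additive 2-of-2 split of an existing key
# that signs without the shards ever meeting, (2) the rogue-key ("key
# subtraction") attack that naive P1 + P2 aggregation permits and MuSig-style
# coefficients block, (3) extraction of the honest shard by an adversarial nonce
# share when the honest side derives its nonce deterministically (an assumption
# of this example). Simplified challenge hash, no x-only/even-y handling: NOT
# BIP340-exact, illustration only.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                      # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):                                # affine point addition, None = infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: l = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: l = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):                             # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def neg(pt): return (pt[0], (-pt[1]) % P)
def b32(i): return i.to_bytes(32, "big")
def h(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def challenge(R, pub, msg): return h(b32(R[0]), b32(pub[0]), msg)
def verify(pub, msg, sig):                    # s*G == R + e*P
    R, s = sig
    return mul(s) == add(R, mul(challenge(R, pub, msg), pub))
def sign(x, msg):                             # ordinary single-signer Schnorr
    k = secrets.randbelow(N - 1) + 1
    R = mul(k)
    return R, (k + challenge(R, mul(x), msg) * x) % N

# (1) split an existing secret x into x1 + x2 = x (mod N); each shard signs with
# its own nonce share and the partial signatures add up to one ordinary signature.
def split_key(x):
    x1 = secrets.randbelow(N - 1) + 1
    return x1, (x - x1) % N
def honest_nonce(x_i, msg): return h(b32(x_i), msg)  # deterministic nonce: the pitfall (assumption)
def partial_sign(x_i, k_i, R, pub, msg): return (k_i + challenge(R, pub, msg) * x_i) % N
def cosign(x1, x2, pub, msg, k2):
    k1 = honest_nonce(x1, msg)                # shard 1 (honest) reuses k1 for a repeated message
    R = add(mul(k1), mul(k2))                 # shard 2 contributes a k2 of its own choosing
    s1 = partial_sign(x1, k1, R, pub, msg)
    s2 = partial_sign(x2, k2, R, pub, msg)
    return (R, (s1 + s2) % N), s1             # s1 is what shard 2 learns from shard 1

# (3) two sessions, same msg and k1, different R: x1 = (s1 - s1') / (e - e') mod N
def extract_shard(pub, msg, sess_a, sess_b):
    (Ra, s1a), (Rb, s1b) = sess_a, sess_b
    ea, eb = challenge(Ra, pub, msg), challenge(Rb, pub, msg)
    return (s1a - s1b) * pow(ea - eb, -1, N) % N

# (2) rogue key: after seeing P1, publish P2 = X - P1 so naive P1 + P2 = X = x_att*G,
# a key the attacker alone controls. With a_i = H(L, P_i) coefficients the same
# P2 no longer lands on X; forcing it to would mean solving a discrete log.
def rogue_key(pub1, x_att): return add(mul(x_att), neg(pub1))
def musig_agg(pubs):                          # MuSig-style coefficient aggregation
    L = b"".join(b32(p[0]) for p in pubs)
    agg = None
    for p in pubs:
        agg = add(agg, mul(h(L, b32(p[0])), p))
    return agg

def demo():
    msg = b"constructed sample event id"      # constructed input, not a real event
    x = secrets.randbelow(N - 1) + 1          # the pre-existing npub's secret key
    pub = mul(x)
    x1, x2 = split_key(x)
    sig_a, s1a = cosign(x1, x2, pub, msg, secrets.randbelow(N - 1) + 1)
    sig_b, s1b = cosign(x1, x2, pub, msg, secrets.randbelow(N - 1) + 1)  # adversary re-runs
    x_att = secrets.randbelow(N - 1) + 1
    p2 = rogue_key(mul(x1), x_att)
    return {
        "cosign_verifies": verify(pub, msg, sig_a),
        "shard1_extracted": extract_shard(pub, msg, (sig_a[0], s1a), (sig_b[0], s1b)) == x1,
        "naive_agg_forged": verify(add(mul(x1), p2), msg, sign(x_att, msg)),
        "coeff_agg_is_not_X": musig_agg([mul(x1), p2]) != mul(x_att),
    }

if __name__ == "__main__":
    print(demo())
```

Run it with `python3` and all four entries come back True. The practical reading is the one the thread arrives at: the split itself is arithmetic that works, but the security lives entirely in how nonces are chosen and committed, and once a shard holder can pick its nonce after seeing the other side's, or can make the other side repeat a nonce, the "improved security" collapses to a single leaked shard.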
Nice work sir, this could be handy in some community consensus models
me seeing my gf's tiktok feed: "how can you be interested in this shit I can't understand..."
also me: *watching a more enjoyable note cosigning on nak using musig2 with 4 signers after being bored seeing note cosigning on nak using musig2 with only 3 signers*
hey why does no one on nostr find me funny
also I'm being scammed, there's no sign at all here, instead my gf shows me 2 non-retarded funny things from tiktok, that's all wrong here, but hey here if I'm funny I will be zapped so it's like I'm working here...
please fiatjaf add an autozap nip so I can autopay myself and show my gf I'm not retarded I'm working here
It was funny.
maybe I need to use a hashtag to get some attention #plebchain #GM the next step is AI nudes the next next step is to endorse drivechains so it's all in your hands nostr guys you can interrupt this destructive spiral at the first step with just a few zaps...
amazing