Replying to Avatar waxwing

Huh, I sent a reply an hour ago on the phone but just seems to have vanished.

First, about the curly braces, yes there was just one missing sorry (R_{A2} + R_{B2}).

Second, doh, I totally missed the point of the question, and, my fault, your language was pretty clear.

So I don't think there's any issue, no: if Alice gives R_{A1} and Bob picks -R_{A1} as his R_{B1} (and same for index 2) then, yes, the aggregate cancels.

But that doesn't allow him to cancel the secret nonce:

Alice may send him s_alice = k_{A1} + bk_{A2} + (hashes of stuff) * x_{A}. But he cannot cancel out those k-values by adding his s_bob because he cannot provide e.g. -k_{A1}. He doesn't know those scalars (DLP).

So he can't get the secret key by doing that cancellation (and yes, absolutely, he *would* be able to get Alice's key if he could effect that cancellation).

(It's a sidebar but 0 values for the nonce are explicitly disallowed in plain ECDSA and plain Schnorr iirc).
Avatar
Sjors Provoost 2y ago

Disappearing replies is always sad. I'm still a bit confused about the R_{...} notation.

So one important element here is that Alice never reveal an individual (secret) nonce, i.e. never reals k_{A1} or k_{A2}, but only some linear combination of both?

Reply to this note

Please Login to reply.

Discussion

Avatar
waxwing 2y ago

Oh, no Alice wouldn't explicitly reveal even the combination of k values.

Back to the single signer case: s = k + ex. You never reveal k, only R (the "commitment" to k, as discussed before). You publish R and s, so revealing k would expose the key (x). It's the fact that there are *two* secret unknowns (k and x) on the RHS that provides the security against leakage. If I give you the number 41 and say it's the sum of two numbers (mod 43), I'm not telling you anything (it could be any sum of 2 numbers in range).

Same here; Alice will give Bob s_alice, the partial signature of Alice, which is: k_{A1} + bk_{A2} + hashes * x_alice. But she would never separately hand over just k_{A1} + bk_{A2} ; that's her secret nonce.

About notation like k_{A1} I'm just doing the same as in LaTeX, it means everything in the curly braces is the subscript of the thing before _ .