Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: trisel on February 25, 2020, 08:41:20 PM



Title: Shared K in multisig?
Post by: trisel on February 25, 2020, 08:41:20 PM
Now in each signature we have to specify r and s explicitly. What about choosing some "shared K value" and calculating it as kValueA*kValueB*...*kValueZ*basePoint? In this way all parties can agree on the same r and safely exchange partial s values defined as "(z+r*privKeyA)/kValueA", "(z+r*privKeyB)/kValueB", etc. Then, everyone has to divide the received value by its chosen part of K, and as a result everyone can receive sA="(z+r*privKeyA)/(kValueA*kValueB*...*kValueZ)", sB="(z+r*privKeyB)/(kValueA*kValueB*...*kValueZ)", ..., sZ and include it in the final transaction.


Title: Re: Shared K in multisig?
Post by: dmitrygerasimov on February 27, 2020, 08:20:49 AM
That's a bad idea, would compromise security


Title: Re: Shared K in multisig?
Post by: ewaspiro on March 01, 2020, 07:40:33 AM
Quote
That's a bad idea, would compromise security

Can you tell more?


Title: Re: Shared K in multisig?
Post by: athanred on March 01, 2020, 10:09:38 AM
Quote
everyone has to divide the received value by its chosen part of K
This is insecure, because when you know some number and you know number/K, then you can calculate someone else's K.

But even if all parties could agree on some K and create such signatures, it is still not enough, because you can still calculate someone else's private key.

sA=(z+r*privKeyA)/(kValueA*kValueB)
sB=(z+r*privKeyB)/(kValueA*kValueB)
sA/sB=(z+r*privKeyA)/(z+r*privKeyB)
privKeyA=(sA/sB-z)/r
privKeyB=(sB/sA-z)/r

Everyone knows sA, sB, z and r, so everyone can calculate anyone's private key if you use the same K in both signatures.


Title: Re: Shared K in multisig?
Post by: dmitrygerasimov on April 02, 2020, 09:17:02 AM
Quote
That's a bad idea, would compromise security

Can you tell more?

Mathematically developed functions can calculate and backward engineer a multisig with the same K to steal funds without multisig, as you would be able to recover the private key from the others in the multisig wallet.
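
The risk raised in this thread, as an added example that is not part of any post: when two signers publish s values under the same K and r, a co-signer who knows its own private key can solve its own equation for K and then the other signer's equation for that signer's key. The keys, nonce parts and message hash are constructed sample values, and the function names are hypothetical.

```python
# Added example: constructed keys and nonces, not values from the thread.
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(a, m):
    """Modular inverse for prime m (Fermat's little theorem)."""
    return pow(a, m - 2, m)

def add(p, q):
    """Add two curve points; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * inv(2 * p[1], P) % P
    else:
        lam = (q[1] - p[1]) * inv(q[0] - p[0], P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign_shared(z, priv, k, r):
    """s = (z + r*priv) / k mod N, every signer using the same k and r."""
    return (z + r * priv) * inv(k, N) % N

def recover_other_key(z, r, s_mine, priv_mine, s_other):
    """What a co-signer learns from its own key plus the published values."""
    k = (z + r * priv_mine) * inv(s_mine, N) % N  # solve own equation for k
    return (s_other * k - z) * inv(r, N) % N      # solve the other one for its key

def demo():
    k_a, k_b, priv_a, priv_b, z = 0x1111, 0x2222, 0xA11CE, 0xB0B, 0xDEADBEEF
    k = k_a * k_b % N                 # shared K = kValueA * kValueB
    r = mul(k, G)[0] % N              # r = x-coordinate of K * basePoint
    s_a, s_b = sign_shared(z, priv_a, k, r), sign_shared(z, priv_b, k, r)
    return recover_other_key(z, r, s_a, priv_a, s_b), priv_b
```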