LNPBP-1: public key tweaking algorithm #3

Closed
dr-orlovsky opened this issue Oct 15, 2019 · 3 comments · Fixed by #67
Labels: [DBC] Deterministic bitcoin commitments tracking; Issue tracking standard work progress & discussions

Comments

dr-orlovsky (Member) commented Oct 15, 2019

Issue tracking LNPBP-1 work progress and discussions

@dr-orlovsky dr-orlovsky changed the title Discussion for LNPBPS-0001: public key tweaks Discussion for LNPBP-1: public key tweaks Oct 27, 2019
@dr-orlovsky dr-orlovsky changed the title Discussion for LNPBP-1: public key tweaks Discussion on LNPBP-1: public key tweaks Oct 27, 2019
chm-diederichs (Member) commented Dec 3, 2019

s = SHA256(SHA256("LNPBP-1") || SHA256("LNPBP-1") || SHA256(msg))

The hashing of msg seems unnecessary here; s commits to every bit of msg either way. This step is also not included in the tagged hashes proposed in bip-schnorr.

I think we can get by just using s = H(H(tag) | H(tag) | msg) and generating the tweak simply as H(s) instead of HMAC, without having to worry about length extension attacks. In this case a length extension attack would need

H'(H(s), attack) = H(s | attack) === H(H(H(tag) | H(tag) | msg')) for some msg' != msg

However, since s is a hash, each bit depends on every bit of the input msg. This attack is therefore not a length extension attack, but a collision attack of finding h(m) = h(m') for m != m'. SHA256 provides 128-bit* security against this, which is the upper bound for security in this case since collision attacks are always possible regardless of the hashing scheme.

*probably >128 bits since there are constraints on both m and m'

chm-diederichs (Member) commented Dec 3, 2019

§5.4.2 in Schneier's Cryptography Engineering provides a good discussion on the topic.
https://www.schneier.com/books/cryptography_engineering/

@dr-orlovsky dr-orlovsky changed the title Discussion on LNPBP-1: public key tweaks LNPBP-1: public key tweaking algorithm Jan 15, 2020
@dr-orlovsky dr-orlovsky self-assigned this Jan 15, 2020
@dr-orlovsky dr-orlovsky added [DBC] Deterministic bitcoin commitments tracking Issue tracking standard work progress & discussions labels Jan 15, 2020
dr-orlovsky (Member, Author) commented:

During LNPBPCon 0 in Milano in December a new version of LNPBP-1 was designed, which still has to be written as a standard (WIP)

@dr-orlovsky dr-orlovsky added the WIP Work in progress label Jan 15, 2020
@dr-orlovsky dr-orlovsky added this to the DBC: proposals milestone Jan 15, 2020
@dr-orlovsky dr-orlovsky removed the WIP Work in progress label Oct 7, 2020
dr-orlovsky added a commit that referenced this issue Oct 7, 2020
@dr-orlovsky dr-orlovsky linked a pull request Oct 7, 2020 that will close this issue
dr-orlovsky added a commit that referenced this issue Nov 26, 2022