Adam Back
cypherpunk, cryptographer, privacy/ecash, inventor hashcash (Bitcoin mining) PhD Comp Sci. Co-Founder/CEO https://t.co/CysB3cs7Pp & Co-Founder/CEO @bstrco

Sep 3, 2020, 8 tweets

TL;DR: @gregoryneven et al. proved 2-round MuSig insecure; we made 2-round work with deterministic nonces + a bulletproof ZKP (2-round is good for usability). As SHA256 is CPU-expensive, @pwuille @n1ckler @real_or_random @yannickseurin designed Purify for low bulletproof complexity.

I thought it was a pretty neat and simple trick to disprove the impossibility by counter-example: make a bulletproof that the nonce is deterministic, which cuts off Wagner's adaptive attack as there are no free variables left. Hearing "impossible" led to the "is that true, really?" question.

In fairness, the impossibility proof is presumably correct, just within model assumptions that this solution side-steps. 2-round is interesting for usability because it reduces interactivity in multi-party signatures, which might involve fetching a hardware wallet from the safe 2x.

The optimized-for-bulletproof Purify keyed PRF, which reduces the verification complexity, and the security proofs of it were the bulk of the work by the DN paper authors, as a bulletproof of the normal Bitcoin HMAC-SHA256 deterministic nonce is a bigger proof, and maybe 45x slower to verify.

The proof is more nuanced: "we prove none of the schemes can be proved secure without radically departing from currently known techniques. We show if the one-more discrete-log problem is hard, no algebraic reduction exists that proves any of these schemes secure" @real_or_random

Usually when people find impossible-to-prove results, it's a hint your direction is not securable; plus here Neven et al. also concretely broke the previous MuSig version, which says if you try to repair by adding complexity, you're unlikely to get it to work with this approach.

So bulletproof + deterministic nonce is a radically different technique and a different approach, so the proof scope does not apply. Plus it's pleasingly simple and has a clear intuitive security argument. The bulk of the work was by the DN authors with Purify and making it efficient.

And there, firstly, the design of the Purify keyed PRF (aka KDF, commonly built with a MAC like HMAC), the optimization of bulletproof circuit complexity (45x smaller vs HMAC), and the security proofs of Purify's PRF security. Strong work in applied crypto. MuSig2 is a whole other story, to come!
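The "no free variables left" point in the thread, as an added illustration that is not code from the thread or from the MuSig-DN authors: a toy Schnorr partial signature in which the honest signer derives its nonce with a keyed PRF over the message and the full signer set. HMAC-SHA256 stands in for Purify here (an assumption; the thread's point is that Purify is cheaper to prove in a bulletproof, not that HMAC is wrong), the group is a tiny prime-order subgroup mod a safe prime, key-aggregation coefficients are omitted, the sample keys and message are constructed, and the bulletproof that would force every signer to use its deterministic nonce is not shown. What the example does show is why that enforcement has to cover every party: the honest nonce is fixed per session, so if a co-signer could still choose its nonce freely and re-run the same session, the honest signer would emit two partial signatures with one nonce and two challenges, the simplest free-variable attack, and its key falls out by a subtraction. Wagner's attack is the concurrent-session generalization of the same problem and is not reproduced here.

```python
import hashlib
import hmac

# Toy group: the prime-order subgroup of Z_p^* for the safe prime p = 2q + 1.
# Parameters are deliberately tiny so the arithmetic is readable; they are an
# illustrative assumption, not a secure choice.
P = 1019
Q = 509
G = 4  # quadratic residue mod P, so it generates the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1


def _enc(x):
    """Fixed-width encoding of a scalar or group element (both fit in 2 bytes here)."""
    return x.to_bytes(2, "big")


def derive_nonce(sk, msg, pubkeys):
    """Deterministic nonce as a keyed PRF of (message, ordered signer set),
    keyed with the secret key. HMAC-SHA256 stands in for the Purify PRF (an
    assumption); the point is that no input is left for the signer to choose
    freely, so the nonce is fixed once the session is fixed."""
    data = b"musig-toy/nonce" + _enc(len(msg)) + msg + b"".join(_enc(pk) for pk in pubkeys)
    tag = hmac.new(_enc(sk), data, hashlib.sha256).digest()
    return 1 + int.from_bytes(tag, "big") % (Q - 1)  # nonzero scalar in [1, Q-1]


def challenge(R, pubkeys, msg):
    """Schnorr challenge over the aggregate nonce, signer set and message.
    Key-aggregation coefficients are omitted; this is plain Schnorr."""
    h = hashlib.sha256(b"musig-toy/challenge" + _enc(R) + b"".join(_enc(pk) for pk in pubkeys) + msg)
    return int.from_bytes(h.digest(), "big") % Q


def partial_sign(sk, msg, pubkeys, R_others):
    """Honest signer's side of a 2-round session: round 1 sends R_i = G^r_i,
    round 2 returns s_i = r_i + c*sk once the other signers' nonces are known."""
    r = derive_nonce(sk, msg, pubkeys)
    R_i = pow(G, r, P)
    R = (R_i * R_others) % P            # aggregate nonce
    c = challenge(R, pubkeys, msg)
    s = (r + c * sk) % Q
    return R_i, c, s


def verify_partial(pk, R_i, c, s):
    """G^s == R_i * pk^c checks the partial signature against the signer's own key."""
    return pow(G, s, P) == (R_i * pow(pk, c, P)) % P


def recover_secret(c1, s1, c2, s2):
    """Same nonce, two different challenges: s1 - s2 = (c1 - c2) * sk mod Q."""
    if c1 == c2:
        raise ValueError("equal challenges: nothing leaks")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


def demo(sk_honest=123, sk_other=456, msg=b"spend txid 0 output 1"):  # constructed sample inputs
    """The honest signer uses a deterministic nonce; the co-signer first behaves,
    then re-runs the same session with a freely chosen nonce. Returns the
    honest signer's secret key as recovered by the co-signer."""
    pubkeys = [pow(G, sk_honest, P), pow(G, sk_other, P)]
    R_other = pow(G, derive_nonce(sk_other, msg, pubkeys), P)
    R_a, c_a, s_a = partial_sign(sk_honest, msg, pubkeys, R_other)
    assert verify_partial(pubkeys[0], R_a, c_a, s_a)
    # Rogue re-run: same message and signer set, so the honest nonce R_a is
    # reused, but a different co-signer nonce changes the aggregate R and c.
    for rogue_r in range(1, Q):
        R_b, c_b, s_b = partial_sign(sk_honest, msg, pubkeys, pow(G, rogue_r, P))
        if c_b != c_a:
            break
    assert R_b == R_a
    return recover_secret(c_a, s_a, c_b, s_b)
```

`demo()` returns the honest signer's key, 123, from the two partial signatures alone. Fixing the honest signer's nonce is therefore only half of the construction: the co-signer's nonce must be fixed (and proven fixed) as well, which is what the per-signer bulletproof in the thread supplies, and what makes the nonce commitment in round 1 safe to send before the other parties' contributions are known.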
