-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Identifiable Aborts #32
Comments
We actually specified a DLEQ proof a while ago for ECDSA adaptor signatures: https://github.com/discreetlogcontracts/dlcspecs/blob/master/ECDSA-adaptor.md#proving. It's implemented in libsecp256k1-zkp somewhere by @jesseposner. I'm not sure you actually need a DLEQ proof. What's wrong with just MAC'ing the ciphertext and providing the shared secret? (I tl;dr'd the citations in the last issue). Just to confirm this keygen+IA protocol would enlargen the message size back to quadratic in DLEQ oracle attackIt sounds like the recipients key in the ElGamal encryption that they can provide verifiable decryption for will be their static public key. This is very risky when combined with verifiable ElGamal decryption at least if done naively. I might have misunderstood but that's how I interpreted "ephemeral-static ECDH". If so this would let the a malicious coordinator turn an honest participant into a DH oracle for their static key by providing simulated ElGamal encryptions with the right encryption nonce. Perhaps what you had in mind already addresses this but I wanted to bring it up in case. |
Oh crazy, I couldn't remember this :D BlockstreamResearch/secp256k1-zkp#117 ... I should tell the other team who's working on DLEQ proofs...
Quoting myself from #9:
So the victim can reveal the derived symmetric key (or the ECDH shared point), but without a DLEQ proof, the victim can't convince the coordinator that it was the right one. I think revealing the symmetric key is good enough for proving to the coordinator "The ciphertext you have received from the sender decrypts to X (under the key I revealed, which is unique because the encryption is committing)", but not enough for "The ciphertext you have received from the sender fails to decrypt (under the key derived from ECDH)". (Or am I wrong here?) As I said, it can be fixed by adding a round, but that's not great. edit: I can't even be an optional round. The accused participant needs to make sure that they either reveal the key or sign the transcript, but never both. This needs an additional accusation round.
I believe you interpreted it correctly. The sender generates an ephemeral key and the receiver has a static key. I guess ElGamal is more or less a synonym to "ephemeral-static ECDH", at least when used as a KEM. Ugh, and thanks for pointing out the static-DH oracle... I hadn't really thought about this risk here, and we were a bit too enthusiastic here. This breaks the protocol immediately. A malicious coordinator can just send a nonce from a previous successful session and get the shared secret from the participant. And I don't see anything we could do about it. |
I think you can make the static DH oracle go away if you just don't use a static point |
Oh, randomizing the generator is something I haven't considered. But I'm not sure how much that helps. We'll need a fresh common random point in every session, and I don't see how to agree one without adding another round at the start. And if we were to add a round, we could instead use ephemeral-ephemeral ECDH and the problem will just disappear. (Well, except that we'll still have an oracle if randomness is reused accidentally.) The only reason why the recipient uses a static key is that it's all the sender has in the first round. Perhaps that restriction is a bit artificial. The sender anyway needs to obtain the hostpubkey of all recipients anyway before the protocol (call it round 0), at least in the first session with some new recipient, and then it could obtain the nonce as well. Every participant could just send their hostpubkey and nonce when saying hello to the coordinator. But I'm not entirely convinced. It will typically be the coordinator who initiates sessions, and then sending a nonce in round 0 will really mix static data (hostpubkey) and session data. At a minimum, it will complicate the API and make the protocol flow harder to understand. |
InvalidContributionExcpetion
(this exception should probably be reserved for coordinator)The text was updated successfully, but these errors were encountered: