suraeNoether: let me know when you're available to briefly chat about multisig security for the newer sublinear transaction protocols

I want to confirm a few things about honest-but-curious MPC

Here is an informal description of how Triptych multisig could work: github.com/SarangNoether/skunkworks/blob/inverse-mpc/triptych-mpc.md

that was quick!

They grind quickly *and* fine.

real_or_random: I haven't formally analyzed it yet, FWIW

It _appears_ fine assuming honest-but-curious players

:D

A similar technique should work (or not work...) for RCT3 too

I'll write that up shortly

this reminds me that I wanted to work on making the bulletproof MPC secure against fully malicious co-provers

Ah, nice!

without doubling the number of rounds

That would be even nicer!

You could perhaps argue that for some multisig situations, honest-but-curious is an acceptable risk

(not saying I have a solution but some vague ideas. I think the underlying problem is very similar to the problems in MuSig, and why you need the commitment round there)

I'll be very interested to hear any ideas that you have on that

Not sure whethere it's relevant to "honest-but-curious is an acceptable risk", but multisig is often used with people who'd steal from each other: a trade between randoms with an arbitrator in a 2/3 multisig. They wouldn't need the arbitrator if they were not gonna steal.

sarang: yep, I should think about this. let's discuss this at some point :)

For sure!

I'm adding this to my official list of stalled research projects lol

ah it's already on the list :D at least

Yeah moneromooo what remains is to determine what risks arise (or don't) from the assumption of malicious players

Adding precommitments provides stronger guarantees at the cost of communication complexity

as well as avoiding the one-to-many nature of the dealer-player relationship for the proof, in favor of having all players confirm proof elements at each phase

but again, adds communication complexity

This is just a starting point to show that the different linking tag format isn't necessarily a showstopper for MPC

FWIW I think honest-but-curious is mostly useless in practice

why should you be malicious only later? there are a few scenarios but they're a stretch

I think hbc is mostly useful as a lower goal and a first step when constructing protocols, but not when you deploy then

I was also thinking of cases like multifactor, or having the peer-to-peer data obtained

The inversion MPC does include extra proofs (a range proof, for one, due to the Paillier encryption) for this reason, which I didn't include in the initial writeup or example code