-
sarang: Moving convo with TheCharlatan and kayabaNerve from -community to here
-
sarang: Having a simple sum key seemed odd
-
sarang: Either you could have rogue keys, and should compute the total key differently and with commitment, or it doesn't matter, and one party should do it all
-
sarang: Even if that party could choose the key badly (fixed value, etc.) this is trivially possible with rogue keys anyway
-
sarang: unless you precommit
-
kayabaNerve: sarang: The DL EQ proof verifies key validity according to the modulus. Public keys clearly define the underlying key. VES signatures allow secure recovery.
-
kayabaNerve: Mind filling me in on what I seem to be missing?
-
zkao: as far as i understand, u do commit to monero's pub keys, but on the bitcoin side. if a rogue monero key is used, the bitcoin is lost for the attacker
-
sarang: Well, the private view keys are shared between participants and summed, as are the spend public keys
-
sarang: This means either party, depending on communication ordering, can set either value to whatever they wish
-
zkao: i don't think anyone ever worked out the initialization in great detail, but h4sh3d got contacted by coauthors of yours, if i recall correctly, to prove the security of the protocol. if u would have interest to work on that, let us know
-
h4sh3d[m]: Yes, without the DLEQ proof this wouldn’t work. But if you choose the result A = B + C such that you know a instead of b (C is chosen by the other), you can’t compute the zkp that requires knowledge of b, thus the other participants must cancel the swap.
-
h4sh3d[m]: But adding commit-reveal might be good anyway
-
sarang: It depends on the consequences of a rogue or otherwise fixed known key