Status: Closed (closed by dr-orlovsky 4 years ago)
> s = SHA256(SHA256("LNPBP-1") || SHA256("LNPBP-1") || SHA256(msg))

The hashing of `msg` seems unnecessary here; `s` commits to every bit of `msg` either way. This step is also not included in the tagged hashes proposed in bip-schnorr.

I think we can get by just using `s = H(H(tag) | H(tag) | msg)` and generate the tweak simply as `H(s)` instead of HMAC, without having to worry about length extension attacks. In this case a length extension attack would need `H'(H(s), attack) = H(s | attack) === H(H(H(tag) | H(tag) | msg'))` for some `msg' != msg`. However, since `s` is a hash, each bit depends on every bit of the input `msg`. This attack is therefore not a length extension attack, but a collision attack of finding `h(m) = h(m')` for `m != m'`. SHA256 provides 128-bit* security against this, which is the upper bound for security in this case since collision attacks are always possible regardless of the hashing scheme.

\*probably >128-bit since there are constraints on both `m` and `m'`

§5.4.2 in Schneier's Cryptography Engineering provides a good discussion on the topic. https://www.schneier.com/books/cryptography_engineering/
During LNPBPCon 0 in Milano in December a new version of LNPBP-1 was designed, which still has to be written up as a standard (WIP).
Issue tracking LNPBP-1 work progress and discussions