Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Shared K in multisig? (Read 241 times)

dmitrygerasimov
newbie
Activity: 17
Merit: 2
Shared K in multisig?
April 02, 2020, 04:17:02 AM
#5
Quote from: ewaspiro on March 01, 2020, 02:40:33 AM
Quote from: dmitrygerasimov on February 27, 2020, 03:20:49 AM
Thats a bad idea, would compromise security

can you tell more?

mathematically developed functions can calculate and backward engineer a multisig with same K to steal funds without multisig as you would be able to recover the private key from the others in the multisig wallet.
athanred
newbie
Activity: 10
Merit: 37
Re: Shared K in multisig?
March 01, 2020, 05:09:38 AM
#4
Quote
everyone have to divide received value by its chosen part of K
This is insecure, because when you know some number and you know number/K, then you can calculate someone else's K.

But even if all parties could agree on some K and create such signatures, it is still not enough, because you can still calculate someone else's private key.

sA=(z+r*privKeyA)/(kValueA*kValueB)
sB=(z+r*privKeyB)/(kValueA*kValueB)
sA/sB=(z+r*privKeyA)/(z+r*privKeyB)
privKeyA=(sA/sB-z)/r
privKeyB=(sB/sA-z)/r

Everyone knows sA, sB, z and r, so everyone can calculate anyone private key if you use the same K in both signatures.
ewaspiro
member
Activity: 74
Merit: 10
Re: Shared K in multisig?
March 01, 2020, 02:40:33 AM
#3
Quote from: dmitrygerasimov on February 27, 2020, 03:20:49 AM
Thats a bad idea, would compromise security

can you tell more?
dmitrygerasimov
newbie
Activity: 17
Merit: 2
Re: Shared K in multisig?
February 27, 2020, 03:20:49 AM
#2
Thats a bad idea, would compromise security
trisel
newbie
Activity: 1
Merit: 0
Re: Shared K in multisig?
February 25, 2020, 03:41:20 PM
#1
Now in each signature we have to specify r and s explicitly. What about choosing some "shared K value" and calculate it as kValueA*kValueB*...*kValueZ*basePoint? In this way all parties can agree on the same r and safely exchange partial s values defined as "(z+r*privKeyA)/kValueA", "(z+r*privKeyB)/kValueB", etc. Then, everyone have to divide received value by its chosen part of K and in result everyone can receive sA="(z+r*privKeyA)/(kValueA*kValueB*...*kValueZ)", sB="(z+r*privKeyB)/(kValueA*kValueB*...*kValueZ)", ..., sZ and include it in the final transaction.
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: