Add blaming to pseudocode #67
Also, 1. consistently use term "invalid" instead of "incorrect". 2. honest signers "will" not necessarily identify the dishonest signer. If a third party nonce aggregator is used, then they may have to go through additional steps to obtain the unaggregated nonces.
bip-musig2.mediawiki
Outdated
@@ -141,10 +141,10 @@ Stateless signers may want to consider signing deterministically (see [[#modific | |||
|
|||
=== Identifying Disruptive Signers === | |||
|
|||
If the signing session fails to output a valid signature, each honest signer will identify at least one disruptive signer, who sent incorrect contributions in the session. | |||
If the signing session fails to output a valid signature, each honest signer is able to identify at least one disruptive signer, who sent invalid contributions in the session. |
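Review bot: the added sentence still states the guarantee without its preconditions: "each honest signer is able to identify at least one disruptive signer" depends on the signer seeing the individual contributions, which is not a given when a third-party nonce aggregator is used. State the condition in this sentence (for example, that the signer has access to the unaggregated nonces) or point to the place in the section that lists it.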
We could also say that this is only the case if nonce aggregation is honest.
Does this make sense?
If the signing session fails to output a valid signature, each honest signer is able to identify at least one disruptive signer, who sent invalid contributions in the session. | |
If the signing session fails to output a valid signature, each honest signer is able to identify at least one disruptive party (either a signer or the aggregator) who sent invalid contributions in the session. |
> We could also say that this is only the case if nonce aggregation is honest.

Yes, I think that's a good idea.
But I'm not entirely sure how to phrase the property in a nice way. @robot-dreams is right, we also blame the aggregator but this can be misleading because there's no guarantee that we can do so. (As you point out, if nonce aggregation is dishonest, then the partial signatures are all "valid" but they just won't add up to a valid signature).
And we should say that all of this works only if the messages received from the other parties are authentic. This is said in the next paragraph but I feel both of these should be reworked.
Suggestion, please improve further if necessary:
The signing protocol makes it possible to identify malicious signers who send invalid contributions to a signing session in order to make the signing session abort and prevent the honest signers from obtaining a valid signature. This property is called "identifiable aborts", and it ensures that honest parties can assign blame to malicious signers who cause an abort in the signing protocol.
Aborts are identifiable for an honest party if the following conditions hold in a signing session:
- The contributions received from all signers have not been tampered with (e.g., because they were sent over authenticated connections).
- Nonce aggregation is performed honestly (e.g., because the honest signer performs nonce aggregation on its own or because the aggregator is trusted).
- The partial signatures received from all signers are verified using the algorithm ''PartialSigVerify''.
If these conditions hold and an honest party (signer or aggregator) runs an algorithm which fails due to invalid protocol contributions from malicious signers, then the algorithm run by the honest party will output the index of exactly one malicious signer. Additionally, if the honest parties agree on the contributions sent by all signers in the signing session, all the honest parties who run the aborting algorithm will identify the same malicious signer.
==== Further remarks ====
Some of the algorithms in this specification may also assign blame to a malicious aggregator. While this is possible for some particular misbehavior of the aggregator, it is in general not guaranteed that a malicious aggregator can be identified. In other words, a malicious aggregator (who violates the second condition above) can always make signing abort and make honest signers responsible for the abort (e.g., by claiming that it received an invalid contribution from a particular honest signer.)
The only purpose of the algorithm ''PartialSigVerify'' is to ensure identifiable aborts and it is not necessary to use it when identifiable aborts are not desired. [Insert the disclaimer about partial sigs here]
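The two failure modes discussed in this thread, as an added example that is not code from the PR or from the BIP's reference implementation: an invalid partial signature is pinned on its sender, while a wrong aggregate nonce leaves every partial signature individually valid and only the final signature fails. It assumes a toy Schnorr group modulo 2039 in place of secp256k1 and a simplified hash; `session`, `aggregate_or_blame` and `run` are hypothetical names, and only `InvalidContributionError` and the idea of `PartialSigVerify` are borrowed from the page.

```python
import hashlib

# Toy Schnorr group standing in for secp256k1 (assumption; far too small to be secure).
P, Q, G = 2039, 1019, 4  # P = 2Q + 1, G generates the subgroup of prime order Q

class InvalidContributionError(Exception):
    def __init__(self, signer):
        super().__init__(f"invalid contribution from signer {signer}")
        self.signer = signer

def H(*vals):
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def session(pubkeys, aggnonce, msg):
    # Values each signer derives from the aggregate nonce it is handed.
    coeffs = [H("keyagg", tuple(pubkeys), X) for X in pubkeys]
    X = 1
    for Xi, a in zip(pubkeys, coeffs):
        X = X * pow(Xi, a, P) % P
    b = H("noncecoef", aggnonce, X, msg)
    R = aggnonce[0] * pow(aggnonce[1], b, P) % P
    return coeffs, X, b, R, H("challenge", R, X, msg)

def partial_sig_verify(s, pubnonce, Xi, a, b, e):
    Ri = pubnonce[0] * pow(pubnonce[1], b, P) % P
    return pow(G, s, P) == Ri * pow(Xi, e * a, P) % P

def aggregate_or_blame(psigs, pubkeys, pubnonces, aggnonce, msg):
    coeffs, X, b, R, e = session(pubkeys, aggnonce, msg)
    for i, s in enumerate(psigs):
        if not partial_sig_verify(s, pubnonces[i], pubkeys[i], coeffs[i], b, e):
            raise InvalidContributionError(i)  # blame the first failing signer
    return pow(G, sum(psigs) % Q, P) == R * pow(X, e, P) % P  # final signature valid?

def run(bad_signer=None, dishonest_aggregator=False, msg="constructed message"):
    secs, nonces = [11, 222, 333], [(5, 7), (13, 17), (19, 23)]  # constructed secrets
    pubkeys = [pow(G, x, P) for x in secs]
    pubnonces = [(pow(G, k1, P), pow(G, k2, P)) for k1, k2 in nonces]
    agg1 = agg2 = 1
    for R1, R2 in pubnonces:
        agg1, agg2 = agg1 * R1 % P, agg2 * R2 % P
    if dishonest_aggregator:
        agg1 = agg1 * G % P  # aggregator hands every signer a wrong aggregate nonce
    coeffs, X, b, R, e = session(pubkeys, (agg1, agg2), msg)
    psigs = [(k[0] + b * k[1] + e * a * x) % Q for x, k, a in zip(secs, nonces, coeffs)]
    if bad_signer is not None:
        psigs[bad_signer] = (psigs[bad_signer] + 1) % Q  # invalid partial signature
    return aggregate_or_blame(psigs, pubkeys, pubnonces, (agg1, agg2), msg)
```

`run(bad_signer=1)` raises `InvalidContributionError` naming signer 1, whereas `run(dishonest_aggregator=True)` returns `False` without blaming anyone.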
I just realized that this would probably solve most of #9.
Thanks @real-or-random. That's a great way to phrase this. When I made this PR and looked at this section I thought that I was missing the real explanation of identifiable aborts somewhere else in the BIP because this section was just not quite right. I pushed a commit with your suggestion.
ACK, confirmed one-to-one correspondence between pseudocode changes and `raise InvalidContributionError` in the implementation.
ACK mod the style nit in my text
bip-musig2.mediawiki
Outdated
|
||
Some of the algorithms in this specification may also assign blame to a malicious aggregator. | ||
While this is possible for some particular misbehavior of the aggregator, it is not guaranteed that a malicious aggregator can be identified. | ||
More specifically, a malicious aggregator (who violates the second condition above) can always make signing abort and make honest signers responsible for the abort (e.g., by claiming that it received an invalid contribution from a particular honest signer.) |
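Review bot: the last added sentence ends with "honest signer.)", which puts the period inside the parenthetical and leaves the sentence itself unterminated; close it as "honest signer)." instead. The reference "the second condition above" also depends on list position, so naming the condition (honest nonce aggregation) would keep it correct if the list is reordered.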
More specifically, a malicious aggregator (who violates the second condition above) can always make signing abort and make honest signers responsible for the abort (e.g., by claiming that it received an invalid contribution from a particular honest signer.) | |
More specifically, a malicious aggregator (whose existence violates the second condition above) can always make signing abort and wrongly hold honest signers accountable for the abort (e.g., by claiming to have received an invalid contribution from a particular honest signer.) |
Fixed nit
Co-authored-by: Tim Ruffing <[email protected]>
77f4965
to
ec24a46