Integrated Payment Proofs and Round Minimization

The assumption is wrong. Yoopa, another attack.

Let’s say I am party A, and I want to fake a payment to party B, with fixed nonce RB.

I generate a random scalar r, and set my RA as RA = r.G - RB.

I set some random scalar x as well. The magic happens (rogue-nonce attack) when you see that
s = r + h + e.x is a valid signature for X = x.G and for total nonce RA + RB + h.G. And I, party A, actually know neither of the private keys to RA or RB!

Using this kernel, I can prove that I paid B without him participating at all :/

That sounds magic. This (almost 1 month old) can go either way as well: Eliminating finalize step - #22 by Kurt. People can choose!

Anyways, not sure why you happened to get rid of the Diffie-Hellman @tromp. It’s not like I haven’t insisted on the need of Diffie-Hellman in several posts of the other thread. In particular, note step 3 at the end of the post on the payment proof…

Indeed, the trick if one doesn’t like rogue-nonce attacks and prefers sound payment proofs is… Diffie-Hellman, and following exactly this, both sound in security and in payment proof:
Eliminating finalize step - #77 by Kurt.
It is a pretty good exercise to read and understand the steps in both links.

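As an added illustration (not code from the post or from the Grin project), here is the algebra of the rogue-nonce forgery described above, in Python on secp256k1 with a constructed hashing convention for the challenge e. It shows the plain Schnorr verifier accepting a kernel that B never co-signed, which is why a payment proof resting on that check alone cannot attest B's participation.

```python
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None stands for the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Pt):
    R = None                                   # double-and-add k.Pt
    while k:
        if k & 1: R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

def neg(Pt):
    return None if Pt is None else (Pt[0], (-Pt[1]) % P)

def challenge(R, X, msg):
    """e = H(R || X || msg); the encoding is a constructed convention for this demo."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *X)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def verify(s, R, X, msg):
    """Standard Schnorr check: s.G == R + e.X."""
    return mul(s, G) == add(R, mul(challenge(R, X, msg), X))

def rogue_nonce_forgery(RB, h, msg):
    """Party A knows only B's public nonce RB. Choosing RA = r.G - RB makes the
    aggregate nonce RA + RB + h.G collapse to (r + h).G, whose discrete log A knows."""
    r = secrets.randbelow(N - 1) + 1
    x = secrets.randbelow(N - 1) + 1          # A's own key, X = x.G
    RA = add(mul(r, G), neg(RB))              # A never learns the secret behind RA or RB
    X = mul(x, G)
    R_total = add(add(RA, RB), mul(h, G))
    e = challenge(R_total, X, msg)
    s = (r + h + e * x) % N                   # the s from the post
    return s, R_total, X
```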