
I understand that:

$[a+b]G = [a]G + [b]G$

where $a$ and $b$ are secret keys. (See: Is there a relationship between the secp256k1 public key of the sum of two private keys, and the public keys of those original two private keys?)

If, under the circumstances:

  • ECDSA is the signing algorithm.
  • Alice publishes the public key as $[a]G$ where $a$ is her secret key.
  • Bob creates a one-use secret key $x\_secret = hash(\text{"Bob chose this"})$.
  • Bob publishes $x\_secret$.

Do the following conditions hold?

  • Only Alice can sign messages with the secret key $(a + x\_secret)$, as no-one else knows both secret keys.
  • Anyone can verify such a message's signature using the public key pubkey(alice_secret).combine(pubkey(x_secret)), as anyone can calculate pubkey(x_secret) from the previously published x_secret.
  • The answer might depend on what "sign" means. Is that ECDSA, or some of the various Schnorr signatures around? Is "can sign messages" met by producing one signature (checking under pubkey(alice_secret).combine(pubkey(x_secret))) of a message that Alice has signed? Of course we must assume Bob did not make use of alice_secret to create x_secret. Perhaps Bob should use x_secret = hash("Bob chose this") and publish that. – fgrieu Apr 24 '21 at 08:18
  • @fgrieu Thanks, I've edited the question to incorporate your suggestions. – fadedbee Apr 24 '21 at 09:02
  • @kelalaka Sorry, the code is in an answer to the linked question: https://crypto.stackexchange.com/a/83733/17505 – fadedbee Apr 24 '21 at 09:03
  • Well, the code doesn't check the result and we are not a coding site. Anyway, you said Bob publishes $x\_secret$; you should say Bob sends it secretly to Alice? The name is "secret", but it is not really secret. – kelalaka Apr 24 '21 at 09:51
  • Yes. Both of your conditions hold. As noted though, x_secret is misleading terminology. It's not clear why someone would want to do this (perhaps side-channel resistance?), but they could. – Daniel S Apr 24 '21 at 11:30
  • @DanielShiu Is a "tweak" a better name for x_secret? – fadedbee Apr 24 '21 at 13:24
  • @fadedbee: If this is one-use public value then I would use the term nonce. – Daniel S Apr 24 '21 at 13:36
  • @DanielShiu I'm still not entirely happy, as pubkey(x_secret) needs to be called for the shared public key (pubkey(alice_secret).combine(pubkey(x_secret))) to be calculated. I agree that calling it x_secret, and publishing it, is confusing. – fadedbee Apr 24 '21 at 15:31

0 Answers