|
|
|
@ -601,7 +601,7 @@ Alice and Bob need to derive the public key for +x+, which is +xG+.
|
|
|
|
|
Since it's possible to use elliptic curve operations to add two EC
|
|
|
|
|
points together, they start by Alice deriving +yG+ and Bob deriving
|
|
|
|
|
+zG+. They then add them together to create +xG = yG + zG+. The point
|
|
|
|
|
+xG+ is their _aggregated public key_. To create a signature, they begin the
|
|
|
|
|
+xG+ is ((("aggregated public keys")))((("public keys", "aggregated")))their _aggregated public key_. To create a signature, they begin the
|
|
|
|
|
simple multisignature protocol:
|
|
|
|
|
|
|
|
|
|
1. They each individually choose a large random private nonce, +a+ for
|
|
|
|
@ -632,7 +632,7 @@ to their own public key. For example, Alice generates her public key
|
|
|
|
|
using +zG - yG+. When their two keys are combined (+yG + zG - yG+), the
|
|
|
|
|
positive and negative +yG+ terms cancel out so the public key only represents
|
|
|
|
|
the private key for +z+, i.e., Bob's private key. Now Bob can create a
|
|
|
|
|
valid signature without any assistance from Alice. This is called a
|
|
|
|
|
valid signature without any assistance from Alice. This is ((("key cancellation attacks")))called a
|
|
|
|
|
_key cancellation attack_.
|
|
|
|
|
|
|
|
|
|
There are various ways to solve the key cancellation attack. The
|
|
|
|
|