[dlc-dev] Security of Discreet Log Contract Attestation Schemes

Nadav Kohen nadavk25 at gmail.com
Tue Feb 2 22:45:27 CET 2021

Hi Lloyd,

Thanks for doing this! It is really nice to have :)

Before I leave my comments/review from having read the paper, I was curious
if you could elaborate/enumerate what aspects of security may also be worth
looking into? I agree that unforgeability is the most important but I'm
drawing blanks when trying to think of other security properties.

Now some mostly nit comments:

* In definition 2, is it meant to be Pr[Forge = 1] \geq eps? (as opposed to
* In definition 2 under Forge, I believe that n* is meant to be a* and
under Att n_i is meant to be a_i?
* Fig. 1's Attest and Verify also have n in place of a
* "solves the OMDL problem *and* breaks collision resistance"
    * Shouldn't this be *or*?
* It might be nice, just as a reference for discussion, to write down a
figure like figure 1 for your proposal at the bottom under (or above) your
explanation of it and why it is secure by the same proof.


On Tue, Feb 2, 2021 at 12:14 AM Lloyd Fournier via dlc-dev <
dlc-dev at mailmanlists.org> wrote:

> Hi List,
> This week I've done some work on defining security for DLC oracles.
> Please see: https://github.com/LLFourn/dlc-sec/blob/master/main.pdf
> The point I've touched on so far is "unforgeability" -- an adversary
> cannot forge an oracle attestation without the secret key.
> I guess it seemed obvious to everyone that the original scheme was secure
> in this respect but a precise answer had never been given until now.
> My result is interesting as it implies that we can show the scheme from
> the original  paper secure in the plain model (not random oracle model) by
> reduction from the *one-more* discrete logarithm problem. Or said another
> way the security is more straightforward than Schnorr signatures
> themselves. Another thing that becomes clear is that the security depends
> on the collision resistance of the hash function (Schnorr doesn't normally
> depend on this).
> The proof can easily be modified to work with the simplified scheme I
> suggested here [1]. Apart from being more efficient the simplified scheme
> does not rely on the collision resistance of a hash function since it
> doesn't use a hash function.
> There are more aspects of DLC security to consider but I felt this was the
> most important. The paper is very terse -- please let me know where you
> think I should expand upon it.
> Cheers,
> LL
> [1] https://mailmanlists.org/pipermail/dlc-dev/2020-December/000002.html
> dlc-dev mailing list
> dlc-dev at mailmanlists.org
> https://mailmanlists.org/mailman/listinfo/dlc-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailmanlists.org/mailman/private/dlc-dev/attachments/20210202/687df633/attachment.htm>

More information about the dlc-dev mailing list