This question comes from an issue raised in another question: Non interactive threshold signature without bilinear pairing (is it possible)?
Is the proposed random oracle model safe when trying to output a distinct and random $m \times G = M$ value?
Doing the interpolation for $t$ compromised shares $m^{'}_i$ results in: $l_0 \times M_0 + \sum^t_{i=1} l_i \cdot m^{'}_i \times G = m \times G$ that reduces to $(m - \sum^{t}_{i=1} l_i \cdot m^{'}_i) \cdot l^{-1}_0 \times G = M_0$, where $M_0$ is always different for each signature. So, I suppose we can't reuse previous values to perform the attack.
How do you solve to a wanted $m$ value without resolving the DLP? Searching for $m^{'}_i$ and $m$ for some unknown $m_0$ is brute forcing the DLP, even in the k-sums context!
What I have seen in the k-sums/generalized birthday problem is a way to solve for $x_1 \oplus ... \oplus x_n = 0$. Mapping this approach to our problem, we should try to solve for $x_1 \oplus ... \oplus x_n = m_0$ equivalent to $x_1 \oplus ... \oplus x_n \oplus m_0 = 0$. The issue is, $m_0$ has a specific value but it is unknown to the solver due to DLP. How can we solve for something we don't know? If such solution were possible, won't this be solving the DLP?
I need a math clarification to explain exactly how this attack is performed?
Edited1: Expanded math proof: Trying to follow @Aman Grewal logic, lets try to attack in a k-sum scenario.
All variables marked in the form $c^*$ are controlled by the attacker. The attacker's objective is to sign a random $B^*$ for a submitted $B$ such that $B^* \neq B$. The attacker has access to $M_0$ and $c=H(Y||M||B)$ for this or any previous messages. Assume the attacker has knowledge of $t$ shares of $y_i$.
We remove the Lagrange coefficients $l_i$ from the math, since they are public and doesn't affect the final proof. For a single signature we have:
- For a set of randomly selected $m_i^* \times G = M_i^*$ one can derive $\sum_{i=1}^t M_i^* + M_0 = M^*$
- Then $c^* = H(Y||M^*||B^*)$ and the output of a single signature is $(m_0 + c \cdot y_0) + \sum_{i=1}^t (m_i^* + c_i^* \cdot y_i) = m^* + c^* \cdot y$. Assuming $m_0 + \sum_{i=1}^t m_i^* = m^*$ and $c + \sum_{i=1}^t c_i^* = c^*$ (this last one is not totaly correct, since we removed the Lagrange coefficients, but this is even easier to attack)
One cannot solve for $c_i^*$ in $\sum_{i=1}^t (m_i^* + c_i^* \cdot y_i) = (m^* + c^* \cdot y) - (m_0 + c \cdot y_0)$. Even assuming that $m^*$ is equal to some previous result and that $c^*$ is directly dependent on $c_i^*$. There are $t + 3$ unknowns corresponding to $(c_i^*, y_0, y, m_0)$. So... lets expand it to $j$ signatures:
The real equation we need to solve is: $\sum_{j=1}^n \sum_{i=1}^t (m_{ij}^* + c_{ij}^* \cdot y_i) = \sum_{j=1}^n [(m_j^* + c_j^* \cdot y) - (m_{0j} + c_j \cdot y_0)]$
Assuming somehow you can have a lot of equalities in this system of equations between signatures $j$, you are still left with $(t + 2) + j$ unknowns for $(c_i^*, y_0, y, m_{0j})$. For every new equation, you have a new unknown $m_{0j}$ that you can't catch up. $m_{0j}$ is distinct for every new signature by the definition of the threat model.
Edited2: Eq public version: The public version of the equation is: $\sum_{j=1}^n \sum_{i=1}^t (M_{ij}^* + c_{ij}^* \cdot Y_i) = \sum_{j=1}^n [(M_j^* + c_j^* \cdot Y) - (M_{0j} + c_j \cdot Y_0)]$
In this case there are only the $c_{ij}^*$ unknowns, but we have the DLP. If there is an efficient way to solve this, are we breaking the DLP?
If any one can contest this math logic to come up with a successful attack, I will accept your answer.
