π
Original date posted:2022-10-11
π Original message:It is still true that cryptography is hard, unfortunately. Yannick Seurin, Tim
Ruffing, Elliott Jin, and I discovered an attack against the latest version of
BIP MuSig2 in the case that a signer's individual key A = a*G is tweaked before
giving it as input to key aggregation.
In more detail, a signer may be vulnerable if _all_ of the following conditions
are true:
1. The signer supports signing with a tweaked individual key (as provided to
key aggregation) and the tweak is known to the attacker (e.g., as in BIP 32
unhardened derivation).
2. The signer's public key appears at least two times with different tweaks in
the set of public keys that are aggregated. This would, for example, be the
case if a signer with public key A=a*G creates partial signatures for an
aggregate key corresponding to public key set {A, A+t*G} where t is some
tweak. Note that an attacker could make this condition true by using the key
B = A+t*G after having seen A.
3. The signer uses "concurrent signing", i.e., the signer stores secnonces for
multiple signing sessions.
4. The secret key provided to the Sign algorithm is not yet fully determined when the
NonceGen algorithm is called. This would, for example, be the case if the
attacker, after having seen the nonce of the signer, can influence whether a
or a+t will be provided as a secret key to Sign.
In this scenario, an attacker may forge a signature for any message and any
aggregate public key that contains the signer's individual public key A (with
any attacker-chosen tweak). In particular, the attacker may forge a signature
for any message and the public key A itself.
Condition 4 should only apply in relatively rare cases unless the signer is
tricked into such a situation.
Fix:
Note that if the optional secret key argument is provided to the NonceGen
algorithm and matches the secret key provided to the Sign algorithm, then
Condition 4 will not hold. Thus, one definite fix is to make the secret key
argument to the NonceGen algorithm mandatory. We are investigating other options
and will follow up shortly with a concrete fix of the BIP draft.
This discovery does not invalidate the security proof of the scheme as presented
in the MuSig2 paper because the security model in the paper does not support
tweaking a signer's key.
If you've implemented the BIP draft in your library or are already using it in
production don't hesitate to reach out to clarify the implications of this
discovery.
Tim Ruffing, Elliott Jin, Jonas Nick
Jonas Nick [ARCHIVE] /
npub1atβ¦y3z5a
2023-06-07 23:14:06
in reply to nevent1qβ¦yux4
Author Public Key
npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5aPublished at
2023-06-07 23:14:06Event JSON
{
"id": "5b65725fcdc315352f80caf7c675ad5eb470c67320b24bac76994a46f815b06d",
"pubkey": "eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f",
"created_at": 1686179646,
"kind": 1,
"tags": [
[
"e",
"76319f385ad614a6978f75cdb4ef20493be1b5fbc876aba21802e1b7c9e5757c",
"",
"root"
],
[
"e",
"ba7be25457b45012736131544fc873bf7e37d1143190d49ab348c222e00b89b1",
"",
"reply"
],
[
"p",
"eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f"
]
],
"content": "π
Original date posted:2022-10-11\nπ Original message:It is still true that cryptography is hard, unfortunately. Yannick Seurin, Tim\nRuffing, Elliott Jin, and I discovered an attack against the latest version of\nBIP MuSig2 in the case that a signer's individual key A = a*G is tweaked before\ngiving it as input to key aggregation.\n\nIn more detail, a signer may be vulnerable if _all_ of the following conditions\nare true:\n\n1. The signer supports signing with a tweaked individual key (as provided to\n key aggregation) and the tweak is known to the attacker (e.g., as in BIP 32\n unhardened derivation).\n2. The signer's public key appears at least two times with different tweaks in\n the set of public keys that are aggregated. This would, for example, be the\n case if a signer with public key A=a*G creates partial signatures for an\n aggregate key corresponding to public key set {A, A+t*G} where t is some\n tweak. Note that an attacker could make this condition true by using the key\n B = A+t*G after having seen A.\n3. The signer uses \"concurrent signing\", i.e., the signer stores secnonces for\n multiple signing sessions.\n4. The secret key provided to the Sign algorithm is not yet fully determined when the\n NonceGen algorithm is called. This would, for example, be the case if the\n attacker, after having seen the nonce of the signer, can influence whether a\n or a+t will be provided as a secret key to Sign.\n\nIn this scenario, an attacker may forge a signature for any message and any\naggregate public key that contains the signer's individual public key A (with\nany attacker-chosen tweak). In particular, the attacker may forge a signature\nfor any message and the public key A itself.\n\nCondition 4 should only apply in relatively rare cases unless the signer is\ntricked into such a situation.\n\nFix:\nNote that if the optional secret key argument is provided to the NonceGen\nalgorithm and matches the secret key provided to the Sign algorithm, then\nCondition 4 will not hold. Thus, one definite fix is to make the secret key\nargument to the NonceGen algorithm mandatory. We are investigating other options\nand will follow up shortly with a concrete fix of the BIP draft.\n\nThis discovery does not invalidate the security proof of the scheme as presented\nin the MuSig2 paper because the security model in the paper does not support\ntweaking a signer's key.\n\nIf you've implemented the BIP draft in your library or are already using it in\nproduction don't hesitate to reach out to clarify the implications of this\ndiscovery.\n\nTim Ruffing, Elliott Jin, Jonas Nick",
"sig": "7f25ac77e5341973e6c698e9ef5bc567f41aba214acc66c2996b1531e9338b44b16e5fc138fd24c5375d31f6193a5cb1b1be8b4dd6d3a865d135502ba98a1e7b"
}