π
Original date posted:2018-09-07
π Original message:Your multisignature writeup appears to be vulnerable to key cancellation
attacks because the aggregated public key is just the sum of public keys (and
there is no proof of knowledge of the individual secret keys). Therefore, in a
multisignature between Alice and an attacker, the attacker can choose their key
to be -alice_key+attacker_key resulting in an aggregated key for which the
attacker can sign alone (without requiring Alice's partial signature). The
Schnorr BIP links to the MuSig paper which describes a secure key aggregation
scheme. See https://eprint.iacr.org/2018/068
On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:
> Hi all,
>
> I wrote a multisignature procedure using bip-schnorr.
>
> If you have time to review and give feedback, Iβd really appreciate it.
> Thanks in advance!
>
> Multisignature
> https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b
>
> Original
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures
>
Jonas Nick [ARCHIVE] /
npub1atβ¦y3z5a
2023-06-07 18:14:40
in reply to nevent1qβ¦w5j2
Author Public Key
npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5aPublished at
2023-06-07 18:14:40Event JSON
{
"id": "dff01a704f9a598300dd6378f4551fbfa84cdb94f0fa837bd079cadeb0fd6adf",
"pubkey": "eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f",
"created_at": 1686161680,
"kind": 1,
"tags": [
[
"e",
"0e6d78a34909d0e92bd37b01adfafa1740015a03c40245a31f1f1c1b6e81d830",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "π
Original date posted:2018-09-07\nπ Original message:Your multisignature writeup appears to be vulnerable to key cancellation\nattacks because the aggregated public key is just the sum of public keys (and\nthere is no proof of knowledge of the individual secret keys). Therefore, in a\nmultisignature between Alice and an attacker, the attacker can choose their key\nto be -alice_key+attacker_key resulting in an aggregated key for which the\nattacker can sign alone (without requiring Alice's partial signature). The\nSchnorr BIP links to the MuSig paper which describes a secure key aggregation\nscheme. See https://eprint.iacr.org/2018/068\n\nOn 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:\n\u003e Hi all,\n\u003e \n\u003e I wrote a multisignature procedure using bip-schnorr.\n\u003e \n\u003e If you have time to review and give feedback, Iβd really appreciate it.\n\u003e Thanks in advance!\n\u003e \n\u003e Multisignature\n\u003e https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b\n\u003e \n\u003e Original\n\u003e https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures\n\u003e",
"sig": "be4433778d361dc08014ae9c3051c78b5127695d62be8c26c596c27a58bf03f64d02d9291278296cff2ce762913faa2fb53ba074882fa293bc3366b1008862fa"
}