AdamISZ [ARCHIVE] on Nostr: 📅 Original date posted:2023-04-28 🗒️ Summary of this message: The security of ...
📅 Original date posted:2023-04-28
🗒️ Summary of this message: The security of using signature adaptors for multiparty swaps has been analyzed by an amateur, with a focus on scenarios involving multiple adaptors or signing sessions. The analysis is currently unreviewed and available on GitHub. An issue around sequencing was found in the case of multiple signing sessions with the same adaptor. Expert opinions on security reductions for this primitive in the case of multiple concurrent signing sessions are sought.
📝 Original message:Hi list,
I was motivated to look more carefully at the question of the security of using signature adaptors after recently getting quite enthused about the idea of using adaptors across N signing sessions to do a kind of multiparty swap. But of course security analysis is also much more important for the base case of 2 party swapping, which is of .. some considerable practical importance :)
There is work (referenced in Section 3 here) that's pretty substantial on "how secure are adaptors" (think in terms of security reductions) already from I guess the 2019-2021 period. But I wanted to get into scenarios of multiple adaptors at once or multiple signing sessions at once with the *same* adaptor (as mentioned above, probably this is the most important scenario).
To be clear this is the work of an amateur and is currently unreviewed - hence (a) me posting it here and (b) putting the paper on github so people can easily add specific corrections or comments if they like:
https://github.com/AdamISZ/AdaptorSecurityDoc/blob/main/adaptorsecurity.pdf
I'll note that I did the analysis only around MuSig, not MuSig2.
The penultimate ("third case"), that, as mentioned, of "multiple signing sessions, same adaptor", proved to be the most interesting: in trying to reduce this to ECDLP I found an issue around sequencing. It may just be irrelevant, but I'd be curious to hear what others think about that.
If nothing else, I'd be very interested to hear what experts in the field have to say about security reductions for this primitive in the case of multiple concurrent signing sessions (which of course has been analyzed very carefully already for base MuSig(2)).
Cheers,
AdamISZ/waxwing
Sent with Proton Mail secure email.
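As an added illustration of the primitive the post is about (example code written for this page; it is not from the author's paper, nor from the earlier work it references): a Schnorr adaptor signature over secp256k1, and the "one adaptor T, several signing sessions" pattern that underlies the swap. Everything simplified here is an assumption of the example, not of the post: single-signer Schnorr rather than MuSig, full (x, y) point encodings in the challenge hash rather than BIP340's x-only rules, non-constant-time arithmetic, and fixed small secrets and nonces as constructed test data. It shows the mechanics a reduction has to capture (pre-sign, pre-verify, adapt, extract), not the sequencing issue the author raises.

```python
# Added example (not the author's code): Schnorr adaptor signatures on secp256k1
# and the "same adaptor, N signing sessions" swap pattern.
# Assumptions of this example: single-signer Schnorr (not MuSig), a simplified
# challenge hash (not BIP340-compatible), fixed demo scalars, no side-channel care.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0]:
        if a[1] != b[1]: return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def neg(pt): return (pt[0], (P - pt[1]) % P)
def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(R, Pk, msg):
    return int.from_bytes(hashlib.sha256(enc(R) + enc(Pk) + msg).digest(), "big") % N

def presign(x, k, T, msg):
    """Pre-signature s' = k + e*x, with e bound to the adapted nonce R = kG + T."""
    R = add(mul(k, G), T)
    e = challenge(R, mul(x, G), msg)
    return (R, (k + e * x) % N)

def preverify(Pk, T, msg, pre):
    """s'G == (R - T) + e*Pk: consistent with T, but not a valid signature yet."""
    R, s_ = pre
    e = challenge(R, Pk, msg)
    return mul(s_, G) == add(add(R, neg(T)), mul(e, Pk))

def adapt(pre, t):
    """Whoever knows t turns the pre-signature into a valid Schnorr signature."""
    R, s_ = pre
    return (R, (s_ + t) % N)

def verify(Pk, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, Pk, msg), Pk))

def extract(pre, sig):
    """Anyone holding the pre-signature and the final signature learns t."""
    return (sig[1] - pre[1]) % N

def swap_with_shared_adaptor(secrets, nonces, msgs, t):
    """N sessions, one adaptor T = tG. Completing any one session publishes t,
    and t then completes every other session; that is what makes the swap atomic."""
    T = mul(t, G)
    pks = [mul(x, G) for x in secrets]
    pres = [presign(x, k, T, m) for x, k, m in zip(secrets, nonces, msgs)]
    if not all(preverify(pk, T, m, pre) for pk, m, pre in zip(pks, msgs, pres)):
        raise ValueError("bad pre-signature")
    # Before completion no session carries a valid signature.
    if any(verify(pk, m, pre) for pk, m, pre in zip(pks, msgs, pres)):
        raise ValueError("pre-signature already final")
    first = adapt(pres[0], t)          # the party holding t finishes session 0
    t_seen = extract(pres[0], first)   # everyone else recovers t from that signature
    sigs = [first] + [adapt(pre, t_seen) for pre in pres[1:]]
    return t_seen, all(verify(pk, m, s) for pk, m, s in zip(pks, msgs, sigs))

def recover_key_from_nonce_reuse(pre1, msg1, pre2, msg2, Pk):
    """Classic multi-session pitfall, independent of adaptors: the same k (so the
    same R) in two sessions on different messages gives x = (s1' - s2') / (e1 - e2)."""
    R, s1 = pre1
    _, s2 = pre2
    e1, e2 = challenge(R, Pk, msg1), challenge(R, Pk, msg2)
    return (s1 - s2) * pow(e1 - e2, N - 2, N) % N

if __name__ == "__main__":
    # Constructed demo values; real deployments use random 256-bit scalars.
    t_seen, ok = swap_with_shared_adaptor([11, 22, 33], [101, 202, 303],
                                          [b"tx_A", b"tx_B", b"tx_C"], 0xC0FFEE)
    print("all sessions completed:", ok, "extracted t matches:", t_seen == 0xC0FFEE)
```

The point of `extract` is that the swap needs no trusted party: publishing one completed signature is the same event as handing every other session the scalar it was waiting for. The last function is the textbook reason concurrent sessions deserve their own analysis: nonce reuse across two sessions recovers the signing key, which is a failure of the signer's nonce discipline rather than of the adaptor construction, and is distinct from the sequencing question raised in the post.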
Published at
2023-06-07 23:21:00