Jonas Nick [ARCHIVE] on Nostr:
Original date posted: 2022-11-03
Original message: We updated the MuSig2 BIP draft to fix the vulnerability published in an earlier
post [0].
We also wrote an article [1] that contains a description of
1. the vulnerable scheme (remember that the original MuSig2 scheme is not
vulnerable because it doesn't allow tweaking)
2. an attack against the vulnerable scheme using Wagner's algorithm
3. a fixed scheme that permits tweaking
Moreover, we implemented the "BLLOR" attack mentioned in the article which
works against the reference Python implementation of the previous version of the
MuSig2 BIP draft (takes about 7 minutes on my machine) [2].
The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the article
[1]: before calling ''NonceGen'', the signer must determine the (potentially
tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that
users cannot accidentally violate this requirement by adding a mandatory public
key argument to ''NonceGen'', appending the public key to the ''secnonce'' array
and checking the public key against the secret key in ''Sign'' (see the pull
request for the detailed changes [3]).
[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31 (must
    be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74

Published at 2023-06-07 23:16:40
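To make the key-binding fix described in the message concrete, the following is an added illustration in Python; it is neither the BIP reference implementation nor code from the author or the pull request. It implements just enough secp256k1 arithmetic to derive public keys, a NonceGen that takes a mandatory public key and appends it to the 97-byte secnonce, and a Sign that refuses a secnonce generated for a different key, so that signing with a tweaked key after generating nonces for the untweaked key fails loudly instead of silently. The additive `tweak` function, the nonce scalars drawn from `secrets.randbelow`, the hash tags and the single-signer partial-signature formula are simplifications assumed here: in the BIP the nonces are derived from a tagged hash and the partial signature uses the aggregate nonce and aggregate key.

```python
import hashlib
import secrets

# secp256k1 domain parameters (real constants, the curve the BIP uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def cpubkey(sk):
    """33-byte compressed public key of secret key sk."""
    x, y = point_mul(sk % N, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tweak(sk, t):
    """Assumed additive tweak of an individual key (e.g. a derived child key): sk' = sk + t."""
    sk_t = (sk + t) % N
    return sk_t, cpubkey(sk_t)


class SecnonceKeyMismatch(Exception):
    """Raised when Sign is handed a secnonce generated for a different key."""


def nonce_gen(sk, pk):
    """Post-fix NonceGen: pk is a mandatory argument and is appended to secnonce.

    Nonce scalars are random here (assumption); the BIP derives them from a tagged
    hash over rand, sk, pk, the aggregate key, the message and extra input."""
    k1 = 1 + secrets.randbelow(N - 1)
    k2 = 1 + secrets.randbelow(N - 1)
    secnonce = k1.to_bytes(32, "big") + k2.to_bytes(32, "big") + pk  # 97 bytes
    pubnonce = cpubkey(k1) + cpubkey(k2)                              # 66 bytes
    return secnonce, pubnonce


def secnonce_matches(secnonce, sk):
    """The check the fix adds to Sign: the key bound into secnonce must belong to sk."""
    return secnonce[64:97] == cpubkey(sk)


def sign(secnonce, sk, msg):
    """Post-fix Sign: abort unless secnonce was generated for exactly this key.

    The partial signature is a single-signer stand-in (assumption): b and e are
    hashed over this signer's own nonce and key instead of the aggregate ones."""
    if not secnonce_matches(secnonce, sk):
        raise SecnonceKeyMismatch("secnonce public key does not match signing key")
    k1 = int.from_bytes(secnonce[0:32], "big")
    k2 = int.from_bytes(secnonce[32:64], "big")
    pk = secnonce[64:97]
    pubnonce = cpubkey(k1) + cpubkey(k2)
    b = int.from_bytes(hashlib.sha256(b"noncecoef" + pubnonce + pk + msg).digest(), "big") % N
    e = int.from_bytes(hashlib.sha256(b"challenge" + pubnonce + pk + msg).digest(), "big") % N
    return (k1 + b * k2 + e * sk) % N


if __name__ == "__main__":
    sk = 0x1234                      # constructed demo key, not a real secret
    sn, _ = nonce_gen(sk, cpubkey(sk))
    sk_t, pk_t = tweak(sk, 0x77)
    print("untweaked key, matching secnonce:", secnonce_matches(sn, sk))
    print("tweaked key, stale secnonce     :", secnonce_matches(sn, sk_t))
    sn_t, _ = nonce_gen(sk_t, pk_t)  # correct order: tweak first, then NonceGen
    print("tweaked key, fresh secnonce     :", secnonce_matches(sn_t, sk_t))
```

The decisive line is the `secnonce_matches` check at the top of `sign`: with the pre-fix draft, the same mismatch would have gone unnoticed and the signer would have produced a partial signature over a nonce that was not generated for the key actually used, which is exactly the situation the message says the mandatory public-key argument now rules out.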