public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Jonas Nick <jonasdnick@gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] MuSig2 BIP
Date: Thu, 3 Nov 2022 14:43:22 +0000	[thread overview]
Message-ID: <0d4bb432-771d-8b8e-f2f8-f86dca9f41c5@gmail.com> (raw)
In-Reply-To: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>

We updated the MuSig2 BIP draft to fix the vulnerability published in an earlier
post [0].

We also wrote an article [1] that contains a description of
1. the vulnerable scheme (remember that the original MuSig2 scheme is not
    vulnerable because it doesn't allow tweaking)
2. an attack against the vulnerable scheme using Wagner's algorithm
3. a fixed scheme that permits tweaking

Moreover, we implemented the "BLLOR" attack mentioned in the article which
works against the reference python implementation of the previous version of the
MuSig2 BIP draft (takes about 7 minutes on my machine) [2].

The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the article
[1]: before calling ''NonceGen'', the signer must determine the (potentially
tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that
users can not accidentally violate this requirement by adding a mandatory public
key argument to ''NonceGen'', appending the public key to the ''secnonce'' array
and checking the public key against the secret key in ''Sign'' (see the pull
request for the detailed changes [3]).

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31 (must
     be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74


  reply	other threads:[~2022-11-03 14:43 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-05 22:57 [bitcoin-dev] MuSig2 BIP Jonas Nick
2022-04-28  1:47 ` Olaoluwa Osuntokun
2022-04-28  3:53   ` Olaoluwa Osuntokun
2022-04-28 19:18     ` Jonas Nick
2022-05-22 22:26 ` AdamISZ
2022-05-23 15:56   ` Jonas Nick
2022-05-23 22:09     ` AdamISZ
2022-05-24 19:06       ` AdamISZ
2022-05-26 15:32         ` Jonas Nick
2022-05-26 17:34           ` AdamISZ
2022-06-12 23:07             ` AdamISZ
2022-10-03 20:41 ` Jonas Nick
2022-10-11 15:34   ` Jonas Nick
2022-11-03 14:43     ` Jonas Nick [this message]
2022-04-28 15:33 Brandon Black

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0d4bb432-771d-8b8e-f2f8-f86dca9f41c5@gmail.com \
    --to=jonasdnick@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox