From: Jonas Nick
Date: Tue, 22 Apr 2025 15:29:04 +0000
Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures
To: bitcoindev@googlegroups.com
Message-ID: <2ede88e8-2570-442f-a073-730f7de70eca@gmail.com>
In-Reply-To: <242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com>

Thanks for bringing this up. It's an interesting question and it made us realize that we should clarify this section of the paper, as there are indeed some subtleties here that are currently unmentioned.

> I don't understand why this same attack cannot be applied to MuSig2 itself?

There are nuances, but I think it's fair to say that the same attack cannot be applied to MuSig2 itself. During the attack, the adversary requests a partial signature for public key X and message m from the honest signer. Using this, the adversary is able to create a partial signature for public key X' = TweakPK(X, t), where t is some tweak chosen by the adversary, and message m'.

When applying the attack to MuSig2, we have that m' = m, and when applying it to MuSig2-IAS, we may have m != m'. So, using the attack, the adversary is able to produce a signature sigma_1 for MuSig2 and sigma_2 for MuSig2-IAS such that

- MuSig2.Verify(KeyAgg(X, X'), m, sigma_1) = 1, and
- MuSig2-IAS.Verify((X, m), (X', m'), sigma_2) = 1.

sigma_2 is clearly a forgery under the EUF-CMA-TK security model defined in the DahLIAS paper because it is a signature for a message m' that the honest signer hasn't signed. In contrast, sigma_1 only covers the message that the honest signer actually signed.

Whether sigma_1 counts as a forgery depends on the abstract security notion that you consider for multisignature tweaking. We didn't provide such a model in the MuSig2 paper and I am not aware of a standard one. It would be easy to design a security model where sigma_1 constitutes a forgery and one where it doesn't.

More importantly, could this be a problem for MuSig2 in practice? I can only come up with contrived scenarios, but it may still be worth mentioning in the BIP, for example.