From: Jonas Nick
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Thu, 3 Nov 2022 14:43:22 +0000
Subject: Re: [bitcoin-dev] MuSig2 BIP
Message-ID: <0d4bb432-771d-8b8e-f2f8-f86dca9f41c5@gmail.com>
In-Reply-To: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com> <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com> <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>

We updated the MuSig2 BIP draft to fix the vulnerability published in an
earlier post [0]. We also wrote an article [1] that contains a description of

1. the vulnerable scheme (remember that the original MuSig2 scheme is not
   vulnerable because it doesn't allow tweaking)
2. an attack against the vulnerable scheme using Wagner's algorithm
3. a fixed scheme that permits tweaking

Moreover, we implemented the "BLLOR" attack mentioned in the article, which
works against the reference Python implementation of the previous version of
the MuSig2 BIP draft (takes about 7 minutes on my machine) [2].
The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the
article [1]: before calling ''NonceGen'', the signer must determine the
(potentially tweaked) secret key it will use for this signature. BIP MuSig2
now ensures that users can not accidentally violate this requirement by adding
a mandatory public key argument to ''NonceGen'', appending the public key to
the ''secnonce'' array and checking the public key against the secret key in
''Sign'' (see the pull request for the detailed changes [3]).

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31
    (must be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74
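The following is an added illustration of the key-binding fix described in the message above; it is not the BIP's reference code, not the article's code, and not anything from the thread. It is a toy model in pure Python: ''NonceGen'' takes the public key the signer intends to sign with as a mandatory argument, stores it at the end of ''secnonce'', and ''Sign'' refuses to use the nonce if the secret key it is given does not correspond to that stored public key. Assumptions that are this example's own and not the BIP's: the nonce derivation simply hashes the randomness, the secret key and the public key; the tweak is a plain additive tweak `sk' = sk + t`; the ''secnonce'' layout is `k1 || k2 || pk` (97 bytes); and `sign` returns the nonce scalars instead of computing a full partial signature, since the point being shown is the check, not the signature equation.

```python
# Added example (not the MuSig2 BIP reference code): a toy NonceGen/Sign pair
# that binds the nonce to the (possibly tweaked) public key the signer will use.
import hashlib
import secrets

# secp256k1 parameters (standard curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    elif x1 == x2:
        return None  # p2 == -p1
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication (toy; not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def cbytes(p):
    """33-byte compressed point encoding."""
    return (b"\x02" if p[1] % 2 == 0 else b"\x03") + p[0].to_bytes(32, "big")


def tagged_hash(tag, data):
    """BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def tweak_key(sk, t):
    """Toy additive tweak (assumption): sk' = sk + t, pk' = (sk + t) * G."""
    sk2 = (sk + t) % N
    return sk2, cbytes(point_mul(sk2, G))


def nonce_gen(sk, pk, rand=None):
    """Toy NonceGen. The public key the signer will sign with is mandatory and
    is appended to secnonce so that Sign can check it. Derivation (assumption,
    not the BIP's formula): k_i = H(rand || sk || pk || i)."""
    if rand is None:
        rand = secrets.token_bytes(32)
    ks = []
    for i in (1, 2):
        h = tagged_hash("toy/nonce", rand + sk.to_bytes(32, "big") + pk + bytes([i]))
        k = int.from_bytes(h, "big") % N
        if k == 0:
            raise ValueError("zero nonce")
        ks.append(k)
    secnonce = ks[0].to_bytes(32, "big") + ks[1].to_bytes(32, "big") + pk
    pubnonce = cbytes(point_mul(ks[0], G)) + cbytes(point_mul(ks[1], G))
    return secnonce, pubnonce


def sign(secnonce, sk):
    """Toy Sign: reject the nonce unless sk matches the public key bound into
    secnonce by nonce_gen. Returns the nonce scalars (k1, k2) on success."""
    if len(secnonce) != 97:
        raise ValueError("bad secnonce length")
    k1 = int.from_bytes(secnonce[0:32], "big")
    k2 = int.from_bytes(secnonce[32:64], "big")
    bound_pk = secnonce[64:97]
    if bound_pk != cbytes(point_mul(sk, G)):
        raise ValueError("secnonce was generated for a different public key")
    return k1, k2


def demo():
    """Generate a nonce for the tweaked key; signing with the untweaked key must
    be rejected, signing with the tweaked key must succeed."""
    sk = int.from_bytes(secrets.token_bytes(32), "big") % N or 1
    pk = cbytes(point_mul(sk, G))
    t = int.from_bytes(tagged_hash("toy/tweak", pk), "big") % N
    sk_t, pk_t = tweak_key(sk, t)
    secnonce, _ = nonce_gen(sk_t, pk_t)
    try:
        sign(secnonce, sk)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    right_key_ok = sign(secnonce, sk_t) is not None
    return wrong_key_rejected, right_key_ok


if __name__ == "__main__":
    print(demo())
```

The check in `sign` is the whole point: a caller who tweaks the key after generating the nonce now gets an error rather than a partial signature produced with a key the nonce was not derived for, which is the condition the article's attack relies on.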