Return-Path: <earonesty@gmail.com>
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 7AB83C0177
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Feb 2020 15:31:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by fraxinus.osuosl.org (Postfix) with ESMTP id 62ED585C9F
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Feb 2020 15:31:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 311WEIBvbYV9
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Feb 2020 15:31:07 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com
 [209.85.210.50])
 by fraxinus.osuosl.org (Postfix) with ESMTPS id EEB9C85C4F
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Feb 2020 15:31:06 +0000 (UTC)
Received: by mail-ot1-f50.google.com with SMTP id 66so9026187otd.9
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 24 Feb 2020 07:31:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=q32-com.20150623.gappssmtp.com; s=20150623;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
 bh=Rtc7KoR6eO2E2UL1N+46bzOyp3pgwH0ibnhJ1llav1k=;
 b=Xh6eJGXodsMff1hhd27NPNuQFZv4vZEg27vbmYO1BO4IKnsGph9KxyZEIkQSu5cnid
 F2gjE+x2oCzsfmzXAu0qa6UPA/oUv0RM86s23+Pwnw1KY+/+rMWwYskTQ2vTFRxQzPpS
 nF7VifjevrmPWmq4pi44OuK8Dr/DMn2r30qI0XGZrkj5Y/cDAhvq61J55jSqdgFyBBuL
 U/UxqV0RusOxJ+BFODj1QiZbuVAIOQThu0lA3rjBJWobPJt2pXkr2IKKFjf0Mt646Ush
 FI5gtrFBZ+4uOO2FyuN0/RLzpiA5NliAlfFteNmkjUC3YR51EAs2VPQGyP67KVsgz62+
 nG9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=Rtc7KoR6eO2E2UL1N+46bzOyp3pgwH0ibnhJ1llav1k=;
 b=Va4JWY2hcvfK+PgcclsU7ImLNMj2RU8+ZfHqoILJpqwDFAsqCt4bCaZQBVCMTY67ek
 r6FfGbTkdgLyL7LyBmPQDoGvO9A+F+gEaHiNLj3q1lbeI7gNice5BZRmfIcj4FFRyyZv
 u0gqMkW//PVzQDPkyyozQZElUZwP40W/az6tVv+gf0uP2T6fEeiPhHb8m9mPVeCzQR6E
 lZKs6h2EQXoAc1Rh1+J/WRTkBnZcYkbtDNWxl9uJSMRTh55nsKcSJKIeWc2ioTo1QjB8
 o/jg7Hp6eMmlt3B4YmWgD8IG+7pzUFQhVJClegjlAlHw7BDHECa5419LYnovUexE6hYX
 g/XQ==
X-Gm-Message-State: APjAAAVVtjzlsvU1XttkX3/evR6gm9fXbPUOzUScQmlXh09LXa1PglQn
 UrMB7tqfnWNsVtAd1vy6uypIYOQE+3jY/WkIPhWTapQ=
X-Google-Smtp-Source: APXvYqwsM6lnr4pkCyPovT2LYDu2tjpiz9kbEmaUaKvE1vcnI8mNKRUayApX3QTjQ1Sgz5cREX1tRZn2Q9xAfd3WJgk=
X-Received: by 2002:a9d:7c9a:: with SMTP id q26mr43114357otn.206.1582558265986; 
 Mon, 24 Feb 2020 07:31:05 -0800 (PST)
MIME-Version: 1.0
References: <u1IeyK5A7zyklXzl26UpCliJrFEsDp5SXUGbtXGBCrEWw6Wi7vNcoy4HNv2WXUTG_SBuMURDLhvh3YCwL2r53rL0Yj19TZpumYFD5WqmYL8=@protonmail.com>
 <CAJowKgJP7FgF1KWOg4Wn=D4CjBgoE-ZYXv8LnfbVfh62ZNG5kQ@mail.gmail.com>
 <30bdd65dc943f698c0970ca51bfb4dfb406ea7b8.camel@timruffing.de>
In-Reply-To: <30bdd65dc943f698c0970ca51bfb4dfb406ea7b8.camel@timruffing.de>
From: Erik Aronesty <erik@q32.com>
Date: Mon, 24 Feb 2020 10:30:54 -0500
Message-ID: <CAJowKgJSaDUGM-X7U-eaaCSCSr6x0s+Z5U=Tt3Bt4J1D7SSnnA@mail.gmail.com>
To: Tim Ruffing <crypto@timruffing.de>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Mon, 24 Feb 2020 15:44:11 +0000
Subject: Re: [bitcoin-dev] Composable MuSig
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 15:31:11 -0000

Basically just some mechanism for preventing repeated signings of the
same message, and using a "validity" time window so that the amount of
state you need to enquire about isn't unbounded.

The Drijvers, et al paper is specifically concerned with parallel and
aborted signings, where ksums can be used.  In general, the more
variables that an attacker can control ,the more "k" lists they can
form, and the more likely they can find collisions.

If signers refused to sign "stale" messages, refused to sign in
parallel beyond a certain limit, and refused to sign the same message
twice, it should help reduce the attack surface.

On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > > Thus, two-phase MuSig is potentially unsafe.
> > > https://eprint.iacr.org/2018/417.pdf describes the argument.
> >
> > One solution is to add a signature timeout to the message (say a
> > block height) .
> >
> > A participant refuses to sign if that time is too far in the future,
> > or is at all in the past, or if a message M is the same as any
> > previous message within that time window.
> >
> > Seems to resolve the attacks on 2 round musig.
>
> I don't understand this. Can you elaborate?
>
> Best,
> Tim
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev