Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id B2CFBC002D for ; Tue, 11 Oct 2022 15:34:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 78F0540227 for ; Tue, 11 Oct 2022 15:34:29 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 78F0540227 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=Azk+YwQV X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.1 X-Spam-Level: X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U50WToGeB0aX for ; Tue, 11 Oct 2022 15:34:28 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7637740223 Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) by smtp4.osuosl.org (Postfix) with ESMTPS id 7637740223 for ; Tue, 11 Oct 2022 15:34:28 +0000 (UTC) Received: by mail-qv1-xf31.google.com with SMTP id g9so9146157qvo.12 for ; Tue, 11 Oct 2022 08:34:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:content-language:references :to:subject:user-agent:mime-version:date:message-id:from:from:to:cc :subject:date:message-id:reply-to; bh=6bRSM4LjkTVkF4XHYbhiKafFK6vqMtJ2Lx0N/dgfhtI=; b=Azk+YwQVPespXEXhf03ZbltSvdaRvOL7OPCD+QsPkLg1jpHmclNOZxIr1v1CB6of86 EcSGJTlY4DC0xDP39bLBHf7iUoQ6zd4btmu706lpeZdyXQ9+wG+HxA7Redu6RGXHUfVm 4GFOUQ5lbQpzQv0xk7sxLmNiZvZUvfVuuyoklnuwKeQTj7zFIiFebvsRiUrlcb/nPlYg ygkB1/FEwJ4pbgqtArLV5qxOecNfhZdNJdNVD0z1cOM6BVCwpy8Qew+R5s27rTbMu10F bnmwqgyfrmgBxnaISMqGGfbj69TCqr1fEw/F3mhAmKn2TCAYslLYch/poN21/hRm+wkO sikw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:content-language:references :to:subject:user-agent:mime-version:date:message-id:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=6bRSM4LjkTVkF4XHYbhiKafFK6vqMtJ2Lx0N/dgfhtI=; b=Nf5E1ksDBATsK8SjRECrBbsodssqRwSRRFH/c3FdnIJaZnkyh3Yd6WfJ5cIOUy4+h5 ax/PPV1Lz1T7C2ZS4ljf7wOZiSuYx8HRCUJbDmUEV2pXk++D5DRMW+654127MwvY14Et T+w2xTf0AiGwxFsl84R3Bh2jbhUL9lg3T92MWlUheAkXTFPxqpInBrl9jhB1zsOB9D67 WKJmdFGIO8ZYaXIGhBcbke4zA1fSAocX7PX1Qp750IE6P8xWmSmFr5Z6Xxo1psGW9zeT 1P0eh6usAUVsnInbVKg+ogqvzrCSftqe5+TDa7cRXtpSXPoG/jFhnglMt5b1stBnY53e PpCQ== X-Gm-Message-State: ACrzQf20FYtInXotnlvRDadHyUNUGp+cBIHLt0OWy6VbyWJJ2pkfE5Hz mM9W9DvwyYMDelFk4tPE7f1dO1ZFcJSK9T+S X-Google-Smtp-Source: AMsMyM5xB0d39iNq1TAsvYcJzTXodY08vgfD4YtSHlsCsnwYyZKtIwx3cRoCZ6bF/VMlzRW7QonDGQ== X-Received: by 2002:ad4:5aee:0:b0:4b4:595:fb54 with SMTP id c14-20020ad45aee000000b004b40595fb54mr8719290qvh.5.1665502467245; Tue, 11 Oct 2022 08:34:27 -0700 (PDT) Received: from ?IPV6:2607:fb90:d75b:d6e6:6e3c:4f33:e65e:f1f? ([2607:fb90:d75b:d6e6:6e3c:4f33:e65e:f1f]) by smtp.googlemail.com with ESMTPSA id t24-20020a37ea18000000b006e42a8e9f9bsm13128454qkj.121.2022.10.11.08.34.25 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 11 Oct 2022 08:34:26 -0700 (PDT) From: Jonas Nick X-Google-Original-From: Jonas Nick Message-ID: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com> Date: Tue, 11 Oct 2022 15:34:23 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1 To: Bitcoin Protocol Discussion References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com> <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com> Content-Language: en-US In-Reply-To: <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 11 Oct 2022 19:47:29 +0000 Subject: Re: [bitcoin-dev] MuSig2 BIP X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Oct 2022 15:34:29 -0000 It is still true that cryptography is hard, unfortunately. Yannick Seurin, Tim Ruffing, Elliott Jin, and I discovered an attack against the latest version of BIP MuSig2 in the case that a signer's individual key A = a*G is tweaked before giving it as input to key aggregation. In more detail, a signer may be vulnerable if _all_ of the following conditions are true: 1. The signer supports signing with a tweaked individual key (as provided to key aggregation) and the tweak is known to the attacker (e.g., as in BIP 32 unhardened derivation). 2. The signer's public key appears at least two times with different tweaks in the set of public keys that are aggregated. This would, for example, be the case if a signer with public key A=a*G creates partial signatures for an aggregate key corresponding to public key set {A, A+t*G} where t is some tweak. Note that an attacker could make this condition true by using the key B = A+t*G after having seen A. 3. The signer uses "concurrent signing", i.e., the signer stores secnonces for multiple signing sessions. 4. The secret key provided to the Sign algorithm is not yet fully determined when the NonceGen algorithm is called. This would, for example, be the case if the attacker, after having seen the nonce of the signer, can influence whether a or a+t will be provided as a secret key to Sign. In this scenario, an attacker may forge a signature for any message and any aggregate public key that contains the signer's individual public key A (with any attacker-chosen tweak). In particular, the attacker may forge a signature for any message and the public key A itself. Condition 4 should only apply in relatively rare cases unless the signer is tricked into such a situation. Fix: Note that if the optional secret key argument is provided to the NonceGen algorithm and matches the secret key provided to the Sign algorithm, then Condition 4 will not hold. Thus, one definite fix is to make the secret key argument to the NonceGen algorithm mandatory. We are investigating other options and will follow up shortly with a concrete fix of the BIP draft. This discovery does not invalidate the security proof of the scheme as presented in the MuSig2 paper because the security model in the paper does not support tweaking a signer's key. If you've implemented the BIP draft in your library or are already using it in production don't hesitate to reach out to clarify the implications of this discovery. Tim Ruffing, Elliott Jin, Jonas Nick