From: Tim Ruffing
To: Bitcoin Protocol Discussion
Date: Mon, 24 Feb 2020 12:16:38 +0100
Subject: Re: [bitcoin-dev] Composable MuSig
Message-ID: <30bdd65dc943f698c0970ca51bfb4dfb406ea7b8.camel@timruffing.de>

On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > Thus, two-phase MuSig is potentially unsafe.
> > https://eprint.iacr.org/2018/417.pdf describes the argument.
>
> One solution is to add a signature timeout to the message (say a
> block height).
>
> A participant refuses to sign if that time is too far in the future,
> or is at all in the past, or if a message M is the same as any
> previous message within that time window.
>
> Seems to resolve the attacks on 2 round musig.

I don't understand this. Can you elaborate?

Best,
Tim