path: root/7f/251722ba1174e94e235c698e2ea828f952c4c8

Return-Path: <jonasdnick@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id B2CFBC002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 11 Oct 2022 15:34:29 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 78F0540227
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 11 Oct 2022 15:34:29 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 78F0540227
Authentication-Results: smtp4.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20210112 header.b=Azk+YwQV
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id U50WToGeB0aX
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 11 Oct 2022 15:34:28 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7637740223
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com
 [IPv6:2607:f8b0:4864:20::f31])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 7637740223
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 11 Oct 2022 15:34:28 +0000 (UTC)
Received: by mail-qv1-xf31.google.com with SMTP id g9so9146157qvo.12
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 11 Oct 2022 08:34:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=content-transfer-encoding:in-reply-to:content-language:references
 :to:subject:user-agent:mime-version:date:message-id:from:from:to:cc
 :subject:date:message-id:reply-to;
 bh=6bRSM4LjkTVkF4XHYbhiKafFK6vqMtJ2Lx0N/dgfhtI=;
 b=Azk+YwQVPespXEXhf03ZbltSvdaRvOL7OPCD+QsPkLg1jpHmclNOZxIr1v1CB6of86
 EcSGJTlY4DC0xDP39bLBHf7iUoQ6zd4btmu706lpeZdyXQ9+wG+HxA7Redu6RGXHUfVm
 4GFOUQ5lbQpzQv0xk7sxLmNiZvZUvfVuuyoklnuwKeQTj7zFIiFebvsRiUrlcb/nPlYg
 ygkB1/FEwJ4pbgqtArLV5qxOecNfhZdNJdNVD0z1cOM6BVCwpy8Qew+R5s27rTbMu10F
 bnmwqgyfrmgBxnaISMqGGfbj69TCqr1fEw/F3mhAmKn2TCAYslLYch/poN21/hRm+wkO
 sikw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:in-reply-to:content-language:references
 :to:subject:user-agent:mime-version:date:message-id:from
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=6bRSM4LjkTVkF4XHYbhiKafFK6vqMtJ2Lx0N/dgfhtI=;
 b=Nf5E1ksDBATsK8SjRECrBbsodssqRwSRRFH/c3FdnIJaZnkyh3Yd6WfJ5cIOUy4+h5
 ax/PPV1Lz1T7C2ZS4ljf7wOZiSuYx8HRCUJbDmUEV2pXk++D5DRMW+654127MwvY14Et
 T+w2xTf0AiGwxFsl84R3Bh2jbhUL9lg3T92MWlUheAkXTFPxqpInBrl9jhB1zsOB9D67
 WKJmdFGIO8ZYaXIGhBcbke4zA1fSAocX7PX1Qp750IE6P8xWmSmFr5Z6Xxo1psGW9zeT
 1P0eh6usAUVsnInbVKg+ogqvzrCSftqe5+TDa7cRXtpSXPoG/jFhnglMt5b1stBnY53e
 PpCQ==
X-Gm-Message-State: ACrzQf20FYtInXotnlvRDadHyUNUGp+cBIHLt0OWy6VbyWJJ2pkfE5Hz
 mM9W9DvwyYMDelFk4tPE7f1dO1ZFcJSK9T+S
X-Google-Smtp-Source: AMsMyM5xB0d39iNq1TAsvYcJzTXodY08vgfD4YtSHlsCsnwYyZKtIwx3cRoCZ6bF/VMlzRW7QonDGQ==
X-Received: by 2002:ad4:5aee:0:b0:4b4:595:fb54 with SMTP id
 c14-20020ad45aee000000b004b40595fb54mr8719290qvh.5.1665502467245; 
 Tue, 11 Oct 2022 08:34:27 -0700 (PDT)
Received: from ?IPV6:2607:fb90:d75b:d6e6:6e3c:4f33:e65e:f1f?
 ([2607:fb90:d75b:d6e6:6e3c:4f33:e65e:f1f])
 by smtp.googlemail.com with ESMTPSA id
 t24-20020a37ea18000000b006e42a8e9f9bsm13128454qkj.121.2022.10.11.08.34.25
 for <bitcoin-dev@lists.linuxfoundation.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 11 Oct 2022 08:34:26 -0700 (PDT)
From: Jonas Nick <jonasdnick@gmail.com>
X-Google-Original-From: Jonas Nick <jonasd.nick@gmail.com>
Message-ID: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
Date: Tue, 11 Oct 2022 15:34:23 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.3.1
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com>
 <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com>
Content-Language: en-US
In-Reply-To: <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 11 Oct 2022 19:47:29 +0000
Subject: Re: [bitcoin-dev] MuSig2 BIP
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 15:34:29 -0000

It is still true that cryptography is hard, unfortunately. Yannick Seurin, Tim
Ruffing, Elliott Jin, and I discovered an attack against the latest version of
BIP MuSig2 in the case that a signer's individual key A = a*G is tweaked before
giving it as input to key aggregation.

In more detail, a signer may be vulnerable if _all_ of the following conditions
are true:

1. The signer supports signing with a tweaked individual key (as provided to
    key aggregation) and the tweak is known to the attacker (e.g., as in BIP 32
    unhardened derivation).
2. The signer's public key appears at least two times with different tweaks in
    the set of public keys that are aggregated. This would, for example, be the
    case if a signer with public key A=a*G creates partial signatures for an
    aggregate key corresponding to public key set {A, A+t*G} where t is some
    tweak. Note that an attacker could make this condition true by using the key
    B = A+t*G after having seen A.
3. The signer uses "concurrent signing", i.e., the signer stores secnonces for
    multiple signing sessions.
4. The secret key provided to the Sign algorithm is not yet fully determined when the
    NonceGen algorithm is called. This would, for example, be the case if the
    attacker, after having seen the nonce of the signer, can influence whether a
    or a+t will be provided as a secret key to Sign.

In this scenario, an attacker may forge a signature for any message and any
aggregate public key that contains the signer's individual public key A (with
any attacker-chosen tweak). In particular, the attacker may forge a signature
for any message and the public key A itself.

Condition 4 should only apply in relatively rare cases unless the signer is
tricked into such a situation.

Fix:
Note that if the optional secret key argument is provided to the NonceGen
algorithm and matches the secret key provided to the Sign algorithm, then
Condition 4 will not hold. Thus, one definite fix is to make the secret key
argument to the NonceGen algorithm mandatory. We are investigating other options
and will follow up shortly with a concrete fix of the BIP draft.

This discovery does not invalidate the security proof of the scheme as presented
in the MuSig2 paper because the security model in the paper does not support
tweaking a signer's key.

If you've implemented the BIP draft in your library or are already using it in
production don't hesitate to reach out to clarify the implications of this
discovery.

Tim Ruffing, Elliott Jin, Jonas Nick