Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7277AC002A for ; Fri, 28 Apr 2023 18:13:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 3EB44418DF for ; Fri, 28 Apr 2023 18:13:22 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3EB44418DF Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=Z7JXofCk X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DTu0X1UGHIgB for ; Fri, 28 Apr 2023 18:13:21 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0453E41755 Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) by smtp4.osuosl.org (Postfix) with ESMTPS id 0453E41755 for ; Fri, 28 Apr 2023 18:13:20 +0000 (UTC) Date: Fri, 28 Apr 2023 18:13:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1682705598; x=1682964798; bh=rc1v/kuAryWhGco9aPY2i7/ZQe5lOal8JampH6ZTcUc=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=Z7JXofCksDxxoW2gAXgheVWFjGinvfLkb3H/UkmQhD9wWG/gjz+OQl+kEI/Co3wLg RhHQPTuHa6GWLUeD2m8GBY9Y3hl5OhfLjQHKG2hj73X8NYsFhSQupwUygfmAB1cwXD mBAYBeyuRdrLTFuAdFKqG8jZRCxYFwWLf+16VyLW9snV3x04yoP1yP6kU2g2Y6XOTc g1n0vLLM5FW3eK9cpbe1DSc5ZfmGepPOeSdRAblk4T5uEr0FkdT5dZFSWANP4msxCO XvIm2dv7CL9LvKWvbJQUNNP3+Yo0DmHGOUXJ4HEO7j/uibITEa+7AKQ/COkX5Rg5Ee Lv5MeCxI99lLg== To: Bitcoin Protocol Discussion From: AdamISZ Message-ID: Feedback-ID: 11565511:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Sat, 29 Apr 2023 16:19:45 +0000 Subject: [bitcoin-dev] On adaptor security (in protocols) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Apr 2023 18:13:22 -0000 Hi list, I was motivated to look more carefully at the question of the security of u= sing signature adaptors after recently getting quite enthused about the ide= a of using adaptors across N signing sessions to do a kind of multiparty sw= ap. But of course security analysis is also much more important for the bas= e case of 2 party swapping, which is of .. some considerable practical impo= rtance :) There is work (referenced in Section 3 here) that's pretty substantial on "= how secure are adaptors" (think in terms of security reductions) already fr= om I guess the 2019-2021 period. But I wanted to get into scenarios of mult= iple adaptors at once or multiple signing sessions at once with the *same* = adaptor (as mentioned above, probably this is the most important scenario). To be clear this is the work of an amateur and is currently unreviewed - he= nce (a) me posting it here and (b) putting the paper on github so people ca= n easily add specific corrections or comments if they like: https://github.com/AdamISZ/AdaptorSecurityDoc/blob/main/adaptorsecurity.pdf I'll note that I did the analysis only around MuSig, not MuSig2. The penultimate ("third case"), that as mentioned, of "multiple signing ses= sions, same adaptor" proved to be the most interesting: in trying to reduce= this to ECDLP I found an issue around sequencing. It may just be irrelevan= t but I'd be curious to hear what others think about that. If nothing else, I'd be very interested to hear what experts in the field h= ave to say about security reductions for this primitive in the case of mult= iple concurrent signing sessions (which of course has been analyzed very ca= refully already for base MuSig(2)). Cheers, AdamISZ/waxwing Sent with Proton Mail secure email.