From: Jonas Nick <jonasdnick@gmail.com>
X-Google-Original-From: Jonas Nick <jonasd.nick@gmail.com>
Message-ID: <0d4bb432-771d-8b8e-f2f8-f86dca9f41c5@gmail.com>
Date: Thu, 3 Nov 2022 14:43:22 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.3.3
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com>
 <6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com>
 <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
Content-Language: en-US
In-Reply-To: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 03 Nov 2022 14:47:02 +0000
Subject: Re: [bitcoin-dev] MuSig2 BIP
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2022 14:43:26 -0000

We updated the MuSig2 BIP draft to fix the vulnerability published in an earlier
post [0].

We also wrote an article [1] that contains a description of
1. the vulnerable scheme (remember that the original MuSig2 scheme is not
    vulnerable because it doesn't allow tweaking)
2. an attack against the vulnerable scheme using Wagner's algorithm
3. a fixed scheme that permits tweaking

Moreover, we implemented the "BLLOR" attack mentioned in the article which
works against the reference Python implementation of the previous version of the
MuSig2 BIP draft (takes about 7 minutes on my machine) [2].

The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the article
[1]: before calling ''NonceGen'', the signer must determine the (potentially
tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that
users cannot accidentally violate this requirement by adding a mandatory public
key argument to ''NonceGen'', appending the public key to the ''secnonce'' array
and checking the public key against the secret key in ''Sign'' (see the pull
request for the detailed changes [3]).

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31 (must
     be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74
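The following is an added illustration of the key-binding fix described in the post; it is not the bip-musig2 reference code, not code from the BIP's authors, and not part of the original message. It uses real secp256k1 constants but simplifies everything else: `nonce_gen`, `sign`, `verify`, `challenge`, `tweak_seckey` and `KeyMismatchError` are stand-in names chosen for this example, the nonce derivation is a plain SHA-256 rather than the BIP's tagged-hash construction, and `sign` produces a single-signer Schnorr-style `(R, s)` with no nonce or key aggregation, so it is not a MuSig2 partial signature. What it does show is the mechanism the post describes: `nonce_gen` takes the public key the signer will actually use and stores it in `secnonce`, and `sign` refuses a secret key that does not match that stored key. `demo()` runs the failure mode (key tweaked after nonce generation, rejected) and the correct order (key decided first, signature verifies). The attack itself is deliberately not reproduced here.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the real curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """33-byte compressed encoding (the BIP's plain public key format)."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tweak_seckey(seckey, tweak):
    """Plain additive tweak sk' = sk + t mod n; x-only negation is omitted."""
    return (seckey + tweak) % N


def nonce_gen(seckey, pk, rand=None):
    """Simplified stand-in for NonceGen (not the BIP's tagged-hash derivation).
    It takes the public key the signer WILL sign with and stores it in
    secnonce; that binding is the fix the post describes."""
    rand = secrets.token_bytes(32) if rand is None else rand
    base = rand + seckey.to_bytes(32, "big") + pk
    k1, k2 = (int.from_bytes(hashlib.sha256(base + bytes([i])).digest(), "big") % N or 1
              for i in (1, 2))
    return (k1, k2, pk)  # secnonce now carries the committed public key


def challenge(R, pk, msg):
    """Schnorr-style challenge e = H(R || pk || msg) mod n (simplified, untagged)."""
    return int.from_bytes(hashlib.sha256(compress(R) + pk + msg).digest(), "big") % N


class KeyMismatchError(Exception):
    """Sign was given a secret key that does not match the public key in secnonce."""


def sign(secnonce, seckey, msg):
    """Simplified single-signer stand-in for Sign. The key check is the point of
    the example; the (R, s) returned is plain Schnorr-style, with nonce
    aggregation and the second nonce k2 left out, so it is not MuSig2."""
    k1, _k2, pk = secnonce
    if compress(point_mul(seckey, G)) != pk:
        raise KeyMismatchError("secnonce was generated for a different public key")
    R = point_mul(k1, G)
    return R, (k1 + challenge(R, pk, msg) * seckey) % N


def verify(pk_point, msg, R, s):
    """Check s*G == R + e*P for the simplified signature above."""
    e = challenge(R, compress(pk_point), msg)
    return point_mul(s, G) == point_add(R, point_mul(e, pk_point))


def demo():
    """Scenario from the post: the signer's key is tweaked after NonceGen.
    Returns (mismatch_caught, tweaked_signature_verifies). Keys are constructed."""
    sk = int.from_bytes(hashlib.sha256(b"constructed example secret").digest(), "big") % N
    sk_t = tweak_seckey(sk, int.from_bytes(hashlib.sha256(b"constructed tweak").digest(), "big") % N)
    msg = b"constructed message"
    caught = False
    try:  # wrong order: nonce committed to the untweaked key, signing with the tweaked one
        sign(nonce_gen(sk, compress(point_mul(sk, G))), sk_t, msg)
    except KeyMismatchError:
        caught = True
    # right order: decide on the tweaked key first, then generate the nonce for it
    R, s = sign(nonce_gen(sk_t, compress(point_mul(sk_t, G))), sk_t, msg)
    return caught, verify(point_mul(sk_t, G), msg, R, s)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check in `sign` is what makes the requirement enforceable rather than advisory: a caller who derives or tweaks the signing key between `nonce_gen` and `sign` gets an exception instead of a signature produced with a nonce that was not bound to that key.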