From: Jonas Nick <jonasdnick@gmail.com>
Message-ID: <0d4bb432-771d-8b8e-f2f8-f86dca9f41c5@gmail.com>
Date: Thu, 3 Nov 2022 14:43:22 +0000
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <46175970-d2ab-a58e-7010-f29820849604@gmail.com>
<6d823ec7-fe88-9311-09e8-be22ca8bfd89@gmail.com>
<576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
Content-Language: en-US
In-Reply-To: <576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com>
Subject: Re: [bitcoin-dev] MuSig2 BIP
We updated the MuSig2 BIP draft to fix the vulnerability published in an earlier
post [0].

We also wrote an article [1] that contains a description of
1. the vulnerable scheme (remember that the original MuSig2 scheme is not
vulnerable because it doesn't allow tweaking)
2. an attack against the vulnerable scheme using Wagner's algorithm
3. a fixed scheme that permits tweaking

Moreover, we implemented the "BLLOR" attack mentioned in the article which
works against the reference Python implementation of the previous version of the
MuSig2 BIP draft (takes about 7 minutes on my machine) [2].

The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the article
[1]: before calling ''NonceGen'', the signer must determine the (potentially
tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that
users cannot accidentally violate this requirement by adding a mandatory public
key argument to ''NonceGen'', appending the public key to the ''secnonce'' array
and checking the public key against the secret key in ''Sign'' (see the pull
request for the detailed changes [3]).
[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31 (must
be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74
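As an added illustration (not code from the BIP, the article or the pull request above), the following toy Python model shows the shape of the fix described in the message: NonceGen takes the public key as a mandatory argument and appends it to secnonce, and Sign refuses to proceed unless the secret key it is handed matches that key. The group, hashes and signing equation are constructed stand-ins for secp256k1 and the BIP's tagged hashes, and the single-signer partial signature is simplified; only the key-binding check is the point.

```python
import hashlib
import secrets

# Constructed toy group (ints mod a 32-bit prime, multiplicative): assumption, a stand-in for secp256k1, not the BIP's reference code.
P, N, G = 4294967291, 4294967290, 5   # P = 2**32 - 5 is prime; exponents live mod N = P - 1

def hash_scalar(*parts: int, msg: bytes) -> int:
    data = ",".join(map(str, parts)).encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def individual_pk(sk: int) -> int:
    return pow(G, sk, P)

def tweak_keys(sk: int, t: int) -> tuple[int, int]:
    return (sk + t) % N, individual_pk(sk) * pow(G, t, P) % P   # sk' = sk + t, pk' = pk * G^t

def nonce_gen(pk: int, msg: bytes) -> tuple[bytes, tuple[int, int]]:
    """The fix: pk is a mandatory argument and is appended to secnonce (k1 || k2 || pk)."""
    k1, k2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    secnonce = k1.to_bytes(32, "big") + k2.to_bytes(32, "big") + pk.to_bytes(33, "big")
    return secnonce, (pow(G, k1, P), pow(G, k2, P))

def challenges(r1: int, r2: int, pk: int, msg: bytes) -> tuple[int, int]:
    b = hash_scalar(r1, r2, pk, msg=msg)                  # toy nonce coefficient
    e = hash_scalar(r1 * pow(r2, b, P) % P, pk, msg=msg)  # toy Schnorr challenge
    return b, e

def sign(secnonce: bytes, sk: int, msg: bytes) -> int:
    k1, k2 = int.from_bytes(secnonce[:32], "big"), int.from_bytes(secnonce[32:64], "big")
    pk_bound = int.from_bytes(secnonce[64:], "big")
    if individual_pk(sk) != pk_bound:   # the new check in Sign
        raise ValueError("secnonce was generated for a different public key")
    b, e = challenges(pow(G, k1, P), pow(G, k2, P), pk_bound, msg)
    return (k1 + b * k2 + e * sk) % N

def verify(pk: int, pubnonce: tuple[int, int], msg: bytes, s: int) -> bool:
    b, e = challenges(*pubnonce, pk, msg)
    return pow(G, s, P) == pubnonce[0] * pow(pubnonce[1], b, P) * pow(pk, e, P) % P

def sign_tweaked_correctly(sk: int, t: int, msg: bytes) -> bool:
    sk_t, pk_t = tweak_keys(sk, t)             # determine the tweaked key first ...
    secnonce, pubnonce = nonce_gen(pk_t, msg)  # ... then NonceGen and Sign with that key
    return verify(pk_t, pubnonce, msg, sign(secnonce, sk_t, msg))

def sign_tweaked_wrongly(sk: int, t: int, msg: bytes) -> bool:
    secnonce, _ = nonce_gen(individual_pk(sk), msg)  # nonce bound to the untweaked key
    try:
        sign(secnonce, tweak_keys(sk, t)[0], msg)    # ... but signing with the tweaked one
        return False
    except ValueError:
        return True                                  # rejected by the check in Sign
```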