We updated the MuSig2 BIP draft to fix the vulnerability published in an earlier post [0].
We also wrote an article [1] that contains a description of:

1. the vulnerable scheme (remember that the original MuSig2 scheme is not vulnerable because it doesn't allow tweaking),
2. an attack against the vulnerable scheme using Wagner's algorithm, and
3. a fixed scheme that permits tweaking.

Moreover, we implemented the "BLLOR" attack mentioned in the article, which works against the reference Python implementation of the previous version of the MuSig2 BIP draft (takes about 7 minutes on my machine) [2].

The fix of the MuSig2 BIP is equivalent to the fix of the scheme in the article [1]: before calling ''NonceGen'', the signer must determine the (potentially tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that users cannot accidentally violate this requirement by adding a mandatory public key argument to ''NonceGen'', appending the public key to the ''secnonce'' array and checking the public key against the secret key in ''Sign'' (see the pull request for the detailed changes [3]).

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021000.html
[1] https://github.com/jonasnick/musig2-tweaking
[2] https://gist.github.com/robot-dreams/89ce8c3ff16f70cb2c55ba4fe9fd1b31 (must be copied into the bip-musig2 directory)
[3] https://github.com/jonasnick/bips/pull/74
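To make the shape of the fix concrete, here is an added, self-contained Python illustration of the nonce/key binding described above. It is not the BIP's reference code and not the attack gist: it uses a minimal secp256k1 implementation, a simplified nonce derivation (the real ''NonceGen'' also binds the aggregate key, message and extra input), and a simplified additive tweak sk' = sk + t (the real spec also handles key negation). The function names nonce_gen, sign and individual_pk are assumptions chosen to mirror the BIP's ''NonceGen'', ''Sign'' and ''IndividualPubkey''. The point it demonstrates is the check itself: a secnonce carries the public key it was generated for, and signing with a different (e.g. tweaked) secret key is rejected instead of silently producing a signature under a key the nonce was never bound to.

```python
"""Added illustration of the MuSig2 BIP fix: NonceGen takes the public key,
appends it to secnonce, and Sign refuses to proceed if that key does not match
the secret key actually being used. Simplified, not the BIP reference code."""
import hashlib
import secrets

# secp256k1 constants: field prime, group order, generator point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def cbytes(point):
    """33-byte compressed encoding: 0x02/0x03 prefix by parity of y."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def individual_pk(sk):
    """Plain (compressed) public key for a secret key, as Sign recomputes it."""
    if not 0 < sk < N:
        raise ValueError("secret key out of range")
    return cbytes(point_mul(sk, G))


def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def nonce_gen(sk, pk, rand=None):
    """Simplified NonceGen: pk is a mandatory argument and is stored in secnonce.
    secnonce = k1 (32 bytes) || k2 (32 bytes) || pk (33 bytes)."""
    rand = secrets.token_bytes(32) if rand is None else rand
    ks = []
    for i in (0, 1):
        material = rand + sk.to_bytes(32, "big") + pk + bytes([i])
        k = int.from_bytes(tagged_hash("Demo/nonce", material), "big") % N
        if k == 0:
            raise ValueError("zero nonce")
        ks.append(k)
    secnonce = ks[0].to_bytes(32, "big") + ks[1].to_bytes(32, "big") + pk
    pubnonce = cbytes(point_mul(ks[0], G)) + cbytes(point_mul(ks[1], G))
    return secnonce, pubnonce


def sign(secnonce, sk):
    """The fix: fail if the key recorded in secnonce is not IndividualPubkey(sk).
    Returns the secret nonces (k1, k2) a full Sign would go on to use."""
    if len(secnonce) != 97:
        raise ValueError("secnonce must be 97 bytes")
    k1 = int.from_bytes(secnonce[0:32], "big")
    k2 = int.from_bytes(secnonce[32:64], "big")
    if secnonce[64:97] != individual_pk(sk):
        raise ValueError("public key in secnonce does not match secret key")
    return k1, k2


def tweaked_signing_flow(sk, tweak, rand=None):
    """Correct order: derive the tweaked key first, then generate the nonce for it.
    Simplified additive tweak (assumption; the BIP also handles negation)."""
    sk_t = (sk + tweak) % N
    secnonce, _ = nonce_gen(sk_t, individual_pk(sk_t), rand)
    return sign(secnonce, sk_t)


if __name__ == "__main__":
    sk = 0x1111111111111111111111111111111111111111111111111111111111111111
    secnonce, _ = nonce_gen(sk, individual_pk(sk))
    print("sign with matching key:", sign(secnonce, sk) is not None)
    try:
        sign(secnonce, (sk + 7) % N)   # nonce was bound to the untweaked key
    except ValueError as e:
        print("sign with tweaked key rejected:", e)
```

The rejected call is exactly the situation the fix targets: a signer that decides to use a tweaked key only after generating its nonce. With the public key in the argument list and in secnonce, that mistake becomes a hard failure rather than a reuse of nonces across two keys.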