Tim Ruffing [ARCHIVE] on Nostr
📅 Original date posted: 2020-02-24
📝 Original message: On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > Thus, two-phase MuSig is potentially unsafe.
> > https://eprint.iacr.org/2018/417.pdf describes the argument.
>
> One solution is to add a signature timeout to the message (say a
> block height).
>
> A participant refuses to sign if that time is too far in the future,
> or is at all in the past, or if a message M is the same as any
> previous message within that time window.
>
> Seems to resolve the attacks on 2 round musig.
I don't understand this. Can you elaborate?
Best,
Tim