Erik Aronesty [ARCHIVE] on Nostr: π Original date posted:2020-02-24 π Original message:Basically just some ...
π
Original date posted:2020-02-24
π Original message:Basically just some mechanism for preventing repeated signings of the
same message, and using a "validity" time window so that the amount of
state you need to enquire about isn't unbounded.
The Drijvers, et al paper is specifically concerned with parallel and
aborted signings, where ksums can be used. In general, the more
variables that an attacker can control ,the more "k" lists they can
form, and the more likely they can find collisions.
If signers refused to sign "stale" messages, refused to sign in
parallel beyond a certain limit, and refused to sign the same message
twice, it should help reduce the attack surface.
On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > > Thus, two-phase MuSig is potentially unsafe.
> > > https://eprint.iacr.org/2018/417.pdf describes the argument.
> >
> > One solution is to add a signature timeout to the message (say a
> > block height) .
> >
> > A participant refuses to sign if that time is too far in the future,
> > or is at all in the past, or if a message M is the same as any
> > previous message within that time window.
> >
> > Seems to resolve the attacks on 2 round musig.
>
> I don't understand this. Can you elaborate?
>
> Best,
> Tim
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
π Original message:Basically just some mechanism for preventing repeated signings of the
same message, and using a "validity" time window so that the amount of
state you need to enquire about isn't unbounded.
The Drijvers, et al paper is specifically concerned with parallel and
aborted signings, where ksums can be used. In general, the more
variables that an attacker can control ,the more "k" lists they can
form, and the more likely they can find collisions.
If signers refused to sign "stale" messages, refused to sign in
parallel beyond a certain limit, and refused to sign the same message
twice, it should help reduce the attack surface.
On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > > Thus, two-phase MuSig is potentially unsafe.
> > > https://eprint.iacr.org/2018/417.pdf describes the argument.
> >
> > One solution is to add a signature timeout to the message (say a
> > block height) .
> >
> > A participant refuses to sign if that time is too far in the future,
> > or is at all in the past, or if a message M is the same as any
> > previous message within that time window.
> >
> > Seems to resolve the attacks on 2 round musig.
>
> I don't understand this. Can you elaborate?
>
> Best,
> Tim
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev