author: Jonas Nick <jonasd.nick@gmail.com> 2025-04-22 15:29:04 +0000
committer: bitcoindev <bitcoindev@googlegroups.com> 2025-04-22 10:02:38 -0700
commit: a8bb3b79e6357077322a5516bc992d0f146b8907
tree: fd77d5543d01903239a91066474908caee6197b2
parent: 0430936e14275c0f8ee446077a3a76a6f5351604
Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures
-rw-r--r-- a5/caeb3f9ae0465e3e60cb3b5b7e53cef1298983 197
1 file changed, 197 insertions, 0 deletions
diff --git a/a5/caeb3f9ae0465e3e60cb3b5b7e53cef1298983 b/a5/caeb3f9ae0465e3e60cb3b5b7e53cef1298983
new file mode 100644
index 000000000..b67ccaa14
--- /dev/null
+++ b/a5/caeb3f9ae0465e3e60cb3b5b7e53cef1298983
@@ -0,0 +1,197 @@
+Delivery-date: Tue, 22 Apr 2025 10:02:38 -0700
+Received: from mail-oa1-f62.google.com ([209.85.160.62])
+ by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ (Exim 4.94.2)
+ (envelope-from <bitcoindev+bncBDD5RM5R7QJRBIUXT7AAMGQEPEN3ZFA@googlegroups.com>)
+ id 1u7H14-0002qA-1d
+ for bitcoindev@gnusha.org; Tue, 22 Apr 2025 10:02:38 -0700
+Received: by mail-oa1-f62.google.com with SMTP id 586e51a60fabf-2c238fbc14fsf6926653fac.1
+ for <bitcoindev@gnusha.org>; Tue, 22 Apr 2025 10:02:38 -0700 (PDT)
+ARC-Seal: i=2; a=rsa-sha256; t=1745341351; cv=pass;
+ d=google.com; s=arc-20240605;
+ b=iKU8VdpVrtY3zRWR70qo31XpS/ppJtbdeUOYdanIwqGYYub6PMVY1VvcXw+ieCFLk2
+ kdq9EIfRpc3XpUGrOa9sfIe69G3MLwKY5ZP2DDx2IkOHMbq92KHIycjvMHWk0HJ4FC2H
+ CGi9IoWrJBJeDo7gRhJ8TbyFh+gjuFt1uCWFnj24r/i7AOu9AOqFHRalBIcUojgyForf
+ 00gzFR1SzttRDK0Ite9r9RRFfeWVxapBaUsirF5hUIhRpZXcWWucQxbheccsoU8Bzhpc
+ VY1JFQ/rMKJJHPiD/MQ1YpmgGUk/Ubm+Yeev/vf3JAvxUSQlz7OaedZd6dMx1AURn+oI
+ OYtA==
+ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:in-reply-to:from:content-language
+ :references:to:subject:user-agent:mime-version:date:message-id
+ :sender:dkim-signature;
+ bh=OYvMxHan/NkW77KVGYAfiJqJ2wgP84EVxcTbHmFQAvA=;
+ fh=cLGE2yF1rIkCpnowFo3UvI9cjbdhiqtMygcCzJSQhhk=;
+ b=HhSBi+BQmOCayzvhWtdshEIPrW5DdAO8tR9Z/ZFTPm1IXdEPly+5YTviNP5hC8Sc8a
+ eLWnzyabLd+YWTAteVTLTesdlgKveRscuwsXBnBPkKIvsO3abT2fiX1+tyMasZfoNmv8
+ gEg2uMd+IZXXl3VT0zzQxcNRxVV3at1qO8QYBpdYHhoUHIAw2ya2J4la7pmsCwQ5k3rz
+ ths2EYDtZITIiAyjJvyUhj27j6H8Ib61JlCvR2PkQCFhIRygToNelN4JE5JkQJuCBT+m
+ WE5+817ivfBV11O3u1hcaiZeNOM25RS4hJms+zxkorOhp+jmfujbZkt1/+nwfEc8Aup4
+ WTng==;
+ darn=gnusha.org
+ARC-Authentication-Results: i=2; gmr-mx.google.com;
+ dkim=pass header.i=@gmail.com header.s=20230601 header.b=CfK1WM7f;
+ spf=pass (google.com: domain of jonasd.nick@gmail.com designates 2a00:1450:4864:20::42e as permitted sender) smtp.mailfrom=jonasd.nick@gmail.com;
+ dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
+ dara=pass header.i=@googlegroups.com
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20230601; t=1745341351; x=1745946151; darn=gnusha.org;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:in-reply-to:from:content-language:references:to
+ :subject:user-agent:mime-version:date:message-id:sender:from:to:cc
+ :subject:date:message-id:reply-to;
+ bh=OYvMxHan/NkW77KVGYAfiJqJ2wgP84EVxcTbHmFQAvA=;
+ b=bredjo7qkdg/z5QNwfA8Sm/FyL5XmmeeE6Ka6Q8kKDKFhk08t4VqvrB+FH3ArP9rh7
+ xjHqvWsQTNQG4bxjSoVqwBnYFsk4lR7bhz0Ac+o7LAzeksg35sdolUtDkuw5oAc42gbb
+ qskxwZAzzUPV8+DOTeCTZMYI0wFH67fSxVp4+1FqUzqnkvPux+v2MrKyAyGvyRLE5POZ
+ 3mWO1y0WJNOge/TIX+Lu/mJQuLo66+BptRKmi4n4ilTtrm5J1iY7ygP9C4IdmVzxb6/m
+ dpTRQ4Fr8jc7mx2OvCTRJ0UEK4y8VD7dGGnYQ3msNOt67mykzdoOlutGlbhfUROm0kKt
+ v3Tw==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20230601; t=1745341351; x=1745946151;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:in-reply-to:from:content-language:references:to
+ :subject:user-agent:mime-version:date:message-id:sender:x-beenthere
+ :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
+ bh=OYvMxHan/NkW77KVGYAfiJqJ2wgP84EVxcTbHmFQAvA=;
+ b=NTklwTI+NGwIBrn+PSLtThqH3RUoMVkVpO6ERjoNEjWApj50N0HVHxg5NS+Q+418Pk
+ D9gGTEo8xMzYBBWmwUZXrw72Zjd70o7tlawyxvO7XiFyS/3eVp5ilJN79Mzh7yIPNkra
+ 8ExnZTyBhMHLTulg9pr5oc8MSz/Rlj5pih3KrxAqYsvbWFMs6KW4f2mg+MO0+HK/vNXS
+ Z5mXbG2ahtY031+XeNszxmut/taeQo3/AwG1lDRq5B6eaIktyOPn4VxaVG2FzTJGrRL6
+ so49UUst2BU6Iy1wi30miTDpV+yzdpCRQN+lB9PnNzqeDfpxA0Vxkwgayjg0lLKHX//h
+ hb3Q==
+X-Forwarded-Encrypted: i=2; AJvYcCXob8XNbAimDtNMCifkBBaCEix+Tlh22EnzzcmGvYK4ztaR2aqStdcqP42zOOjadvgDJfq0YtqB/LKH@gnusha.org
+X-Gm-Message-State: AOJu0Ywzc6pm2A2kkWpWqO5mVWirPIrPovrKZKmGUfBSJh4s9E9KvBjJ
+ 2AecWs+U/SvEFVOKtgs02GPonvRk3b9D5UFP8asB7d5M1ySPAl5y
+X-Google-Smtp-Source: AGHT+IGM/Z4WqABAmRv66sKcaZHYHRGITfZfkrjZv8OAgI+f9OSP4xHM8IuSNThRcsodbv9nmPfqxg==
+X-Received: by 2002:a05:6871:3a81:b0:2c1:4090:9263 with SMTP id 586e51a60fabf-2d526ec5b08mr10389172fac.35.1745341351018;
+ Tue, 22 Apr 2025 10:02:31 -0700 (PDT)
+X-BeenThere: bitcoindev@googlegroups.com; h=ARLLPAL2L09hOvuGmaoconqC5d/EsTD/9Yv48Adu7LPl1xrNXw==
+Received: by 2002:a05:6871:a9c1:b0:29f:bc7e:8f47 with SMTP id
+ 586e51a60fabf-2d4ec01d18cls120321fac.1.-pod-prod-09-us; Tue, 22 Apr 2025
+ 10:02:26 -0700 (PDT)
+X-Received: by 2002:a05:6808:8704:b0:401:9175:ab1f with SMTP id 5614622812f47-401c0c38e3dmr8511128b6e.29.1745341346135;
+ Tue, 22 Apr 2025 10:02:26 -0700 (PDT)
+Received: by 2002:a05:600c:3b13:b0:43c:fe31:d01d with SMTP id 5b1f17b1804b1-44069ee67e8ms5e9;
+ Tue, 22 Apr 2025 08:29:09 -0700 (PDT)
+X-Received: by 2002:a05:600c:1c28:b0:440:6a37:be30 with SMTP id 5b1f17b1804b1-4406aba5c25mr132345275e9.16.1745335746476;
+ Tue, 22 Apr 2025 08:29:06 -0700 (PDT)
+ARC-Seal: i=1; a=rsa-sha256; t=1745335746; cv=none;
+ d=google.com; s=arc-20240605;
+ b=C3GwnQeVwe700aColEfy87IyUWR2VP9AnnNsIYXdrVDAeEGFt4Tw6ZkrAFaKYM+zea
+ P1McEUDrTcakKsxto7tt+PWf4+JeqzS5OsLTH0KSqOaWBycagYwA5RIsl+c9aFULvz82
+ gHZiUzcYBoFB8PJ4EzZ33Ohl9QeLCAFDI84adt86sASmWc944L7ZQLb3YSgriBRMAA6Q
+ kR8msySzA2AHw1dEXZ16GzEj3GVD6ku45neYBjcvPUaISCMDXckpdVnBGYP2YwYEcAlA
+ R2lHMp2oH+D+kuIOtvbTPsSpsripF49cwHg2FWLcFABlXtLCA3Fh+FvmilRKm3M8ApCI
+ voPQ==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=content-transfer-encoding:in-reply-to:from:content-language
+ :references:to:subject:user-agent:mime-version:date:message-id
+ :sender:dkim-signature;
+ bh=Qvmd/RP8iK8+gryHXQikF+hwzcKTRIWSJCmm5bfEUUI=;
+ fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
+ b=JPGQPldhgnR5W1qHxO1j89fIfEEondnaAN5kNwpXG6zInXW0DX+eoLScWPPQzCrgq0
+ sPlmW6j4hLyPbKVum9WhRFEqe9lRXK/GvkKvWyuqBl6aLEER2Ye6ZCsPvN+TtsvWGz+K
+ XPLo/TsXtO30w/VuBE/mTyTZmcQSywxAcb4NsMv5psUm9cZqaDDuzUV3tMNLQOOmYikp
+ GiHoejacNtg+FVjwAYi94Oj4oPi+GqODApx4S5nu0HYjo0HPbFLNQUKwNA1V17GlV8nW
+ EQOZYWCU0ICHh0pdsLiqluQpAV4rIG9792qB8xK71cxJcqb49UTiUs9bt2F/g6KKEAzK
+ 9jYQ==;
+ dara=google.com
+ARC-Authentication-Results: i=1; gmr-mx.google.com;
+ dkim=pass header.i=@gmail.com header.s=20230601 header.b=CfK1WM7f;
+ spf=pass (google.com: domain of jonasd.nick@gmail.com designates 2a00:1450:4864:20::42e as permitted sender) smtp.mailfrom=jonasd.nick@gmail.com;
+ dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
+ dara=pass header.i=@googlegroups.com
+Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com. [2a00:1450:4864:20::42e])
+ by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-4408d059ef2si391415e9.1.2025.04.22.08.29.06
+ for <bitcoindev@googlegroups.com>
+ (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
+ Tue, 22 Apr 2025 08:29:06 -0700 (PDT)
+Received-SPF: pass (google.com: domain of jonasd.nick@gmail.com designates 2a00:1450:4864:20::42e as permitted sender) client-ip=2a00:1450:4864:20::42e;
+Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-39c14016868so5330465f8f.1
+ for <bitcoindev@googlegroups.com>; Tue, 22 Apr 2025 08:29:06 -0700 (PDT)
+X-Gm-Gg: ASbGncuzeifVMco70b/JuX9ZheliLjF5YYYE/txMcUXDCohL27hZ374iOHYwtkdsXIU
+ hxqhTcnAvnzGvv3nfzoSkJ+B5uuQ/kkcEC8SttQps2modK3QZzgM3t5YfIRDdGtbacoago+pHnp
+ 7Fb1Tyif6/sFTnvOqjwa2xISIV15conYJXf4ote9EQcGujGKlqpXsWJDp6GjYrI4bffOvV2iiMI
+ c0rXfTWlfPvDOB3BcVvDYPJYxK9K84nV/gWHyxGU+ppxCJcnYslQDUN9FxPHDcCG9YejmcafbEh
+ bu+X/SFA2S4WZiqli7VV2OFZzGz4UWyP+UdhjZzXfCb1CmWhAEMfRJk17XW8iL559j5b43/xrNY
+ =
+X-Received: by 2002:a05:6000:18a5:b0:38f:2766:759f with SMTP id ffacd0b85a97d-39efbad2c1cmr12029180f8f.41.1745335745766;
+ Tue, 22 Apr 2025 08:29:05 -0700 (PDT)
+Received: from [10.11.10.42] (p57b13477.dip0.t-ipconnect.de. [87.177.52.119])
+ by smtp.googlemail.com with ESMTPSA id ffacd0b85a97d-39efa43bf09sm15411399f8f.44.2025.04.22.08.29.04
+ for <bitcoindev@googlegroups.com>
+ (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
+ Tue, 22 Apr 2025 08:29:04 -0700 (PDT)
+Sender: Jonas Nick <jonasdnick@gmail.com>
+Message-ID: <2ede88e8-2570-442f-a073-730f7de70eca@gmail.com>
+Date: Tue, 22 Apr 2025 15:29:04 +0000
+MIME-Version: 1.0
+User-Agent: Mozilla Thunderbird
+Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive
+ Aggregate Signatures
+To: bitcoindev@googlegroups.com
+References: <be3813bf-467d-4880-9383-2a0b0223e7e5@gmail.com>
+ <242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com>
+Content-Language: en-US
+From: Jonas Nick <jonasd.nick@gmail.com>
+In-Reply-To: <242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com>
+Content-Type: text/plain; charset="UTF-8"; format=flowed
+X-Original-Sender: jonasdnick@gmail.com
+X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
+ header.i=@gmail.com header.s=20230601 header.b=CfK1WM7f; spf=pass
+ (google.com: domain of jonasd.nick@gmail.com designates 2a00:1450:4864:20::42e
+ as permitted sender) smtp.mailfrom=jonasd.nick@gmail.com; dmarc=pass
+ (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com
+Precedence: list
+Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
+List-ID: <bitcoindev.googlegroups.com>
+X-Google-Group-Id: 786775582512
+List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
+List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
+List-Archive: <https://groups.google.com/group/bitcoindev
+List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
+List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
+ <https://groups.google.com/group/bitcoindev/subscribe>
+X-Spam-Score: -0.5 (/)
+
+Thanks for bringing this up. It's an interesting question and it made us realize
+that we should clarify this section of the paper, as there are indeed some
+subtleties here that are currently unmentioned.
+
+ > I don't understand why this same attack cannot be applied to MuSig2 itself?
+
+There are nuances, but I think it's fair to say that the same attack cannot be
+applied to MuSig2 itself. During the attack, the adversary requests a partial
+signature for public key X and message m from the honest signer. Using this, the
+adversary is able to create a partial signature for public key X' = TweakPK(X,
+t), where t is some tweak chosen by the adversary, and message m'. When applying
+the attack to MuSig2, we have that m' = m, and when applying it to MuSig2-IAS,
+we may have m != m'.
+
+So, using the attack, the adversary is able to produce a signature sigma_1 for
+MuSig2 and sigma_2 for MuSig2-IAS such that
+
+- MuSig2.Verify(KeyAgg(X, X'), m, sigma_1) = 1, and
+- MuSig2-IAS.Verify((X, m), (X', m'), sigma_2) = 1.
+
+sigma_2 is clearly a forgery under the EUF-CMA-TK security model defined in the
+DahLIAS paper because it is a signature for a message m' that the honest signer
+hasn't signed. In contrast, sigma_1 only covers the message that the honest
+signer actually signed. Whether sigma_1 counts as a forgery depends on the
+abstract security notion that you consider for multisignature tweaking. We
+didn't provide such a model in the MuSig2 paper and I am not aware of a standard
+one. It would be easy to design a security model where sigma_1 constitutes a
+forgery and one where it doesn't.
+
+More importantly, could this be a problem for MuSig2 in practice? I can only
+come up with contrived scenarios, but it may still be worth mentioning in the
+BIP, for example.
+
+--
+You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
+To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
+To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/2ede88e8-2570-442f-a073-730f7de70eca%40gmail.com.
+
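Review bot: the `+List-Archive:` line in this hunk archives a header value with no closing angle bracket (`<https://groups.google.com/group/bitcoindev`), while every other `List-*` header in the same message (`List-Post`, `List-Help`, `List-Subscribe`, `List-Unsubscribe`) is fully bracketed. Since the file stores the message as received, the commit should keep the line verbatim rather than "fix" it, but any tooling that later parses `List-*` URLs out of these archived files must tolerate the unterminated form instead of rejecting the message. The `Date:` header (`Tue, 22 Apr 2025 15:29:04 +0000`) and the last-hop `Received:` line (`Tue, 22 Apr 2025 08:29:04 -0700`) agree, so the timestamps in the archived copy are internally consistent.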