From: Erik Aronesty
Date: Mon, 24 Feb 2020 10:30:54 -0500
To: Tim Ruffing, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Composable MuSig

Basically just some mechanism for preventing repeated signings of the same message, and using a "validity" time window so that the amount of state you need to enquire about isn't unbounded.

The Drijvers et al. paper is specifically concerned with parallel and aborted signings, where k-sums can be used. In general, the more variables that an attacker can control, the more "k" lists they can form, and the more likely they can find collisions.

If signers refused to sign "stale" messages, refused to sign in parallel beyond a certain limit, and refused to sign the same message twice, it should help reduce the attack surface.

On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev wrote:
>
> On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > Thus, two-phase MuSig is potentially unsafe.
> > https://eprint.iacr.org/2018/417.pdf describes the argument.
> >
> > One solution is to add a signature timeout to the message (say a
> > block height).
> >
> > A participant refuses to sign if that time is too far in the future,
> > or is at all in the past, or if a message M is the same as any
> > previous message within that time window.
> >
> > Seems to resolve the attacks on 2 round musig.
>
> I don't understand this. Can you elaborate?
>
> Best,
> Tim
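As an added illustration (not code from this thread or from any MuSig implementation), the following Python class applies the three signer-side rules Erik describes: reject expiries in the past or too far ahead, refuse a message already seen inside its validity window even if that session was aborted, and cap concurrent sessions. It assumes the timeout is a block height embedded in the signed message and that the signer knows its current chain tip.

```python
import hashlib


class SignerPolicy:
    """Signer-side guard for the rules proposed in the thread (added example).
    Entries are pruned once their window has passed, so the state the
    signer must keep stays bounded by the window length and signing rate."""

    def __init__(self, max_ahead, max_parallel):
        self.max_ahead = max_ahead          # blocks an expiry may lie ahead of the tip
        self.max_parallel = max_parallel    # cap on unfinished (parallel) sessions
        self.seen = {}                      # digest -> expiry height, pruned at each request
        self.open_sessions = set()          # digests of sessions not yet finished

    @staticmethod
    def digest(payload, expiry):
        # The expiry is part of the signed message: the same payload with a
        # different expiry is a different message and gets a different digest.
        return hashlib.sha256(expiry.to_bytes(4, "big") + payload).hexdigest()

    def _prune(self, height):
        expired = [d for d, exp in self.seen.items() if exp < height]
        for d in expired:
            self.seen.pop(d)
            self.open_sessions.discard(d)

    def request(self, height, payload, expiry):
        """Decide whether to open a signing session at the current block height.
        Returns (accepted, reason); on acceptance the session is recorded as open."""
        self._prune(height)
        if expiry < height:
            return False, "expiry in the past"
        if expiry > height + self.max_ahead:
            return False, "expiry too far in the future"
        d = self.digest(payload, expiry)
        if d in self.seen:
            return False, "message already signed or in progress in this window"
        if len(self.open_sessions) >= self.max_parallel:
            return False, "too many parallel sessions"
        self.seen[d] = expiry
        self.open_sessions.add(d)
        return True, "ok"

    def finish(self, payload, expiry):
        """Session completed or aborted: free the parallel slot, but keep the
        digest until its expiry so the same message cannot be signed again."""
        self.open_sessions.discard(self.digest(payload, expiry))
```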