Sender: Jonas Nick <jonasdnick@gmail.com>
Message-ID: <2ede88e8-2570-442f-a073-730f7de70eca@gmail.com>
Date: Tue, 22 Apr 2025 15:29:04 +0000
Subject: Re: [bitcoindev] Re: DahLIAS: Discrete Logarithm-Based Interactive
Aggregate Signatures
To: bitcoindev@googlegroups.com
References: <be3813bf-467d-4880-9383-2a0b0223e7e5@gmail.com>
<242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com>
Content-Language: en-US
From: Jonas Nick <jonasd.nick@gmail.com>
In-Reply-To: <242c6fdd-f629-4a2a-900c-7b1d770eedbbn@googlegroups.com>

Thanks for bringing this up. It's an interesting question and it made us realize
that we should clarify this section of the paper, as there are indeed some
subtleties here that are currently unmentioned.

> I don't understand why this same attack cannot be applied to MuSig2 itself?

There are nuances, but I think it's fair to say that the same attack cannot be
applied to MuSig2 itself. During the attack, the adversary requests a partial
signature for public key X and message m from the honest signer. Using this, the
adversary is able to create a partial signature for public key X' = TweakPK(X,
t), where t is some tweak chosen by the adversary, and message m'. When applying
the attack to MuSig2, we have that m' = m, and when applying it to MuSig2-IAS,
we may have m != m'.

So, using the attack, the adversary is able to produce a signature sigma_1 for
MuSig2 and sigma_2 for MuSig2-IAS such that

- MuSig2.Verify(KeyAgg(X, X'), m, sigma_1) = 1, and
- MuSig2-IAS.Verify((X, m), (X', m'), sigma_2) = 1.

sigma_2 is clearly a forgery under the EUF-CMA-TK security model defined in the
DahLIAS paper because it is a signature for a message m' that the honest signer
hasn't signed. In contrast, sigma_1 only covers the message that the honest
signer actually signed. Whether sigma_1 counts as a forgery depends on the
abstract security notion that you consider for multisignature tweaking. We
didn't provide such a model in the MuSig2 paper and I am not aware of a standard
one. It would be easy to design a security model where sigma_1 constitutes a
forgery and one where it doesn't.

More importantly, could this be a problem for MuSig2 in practice? I can only
come up with contrived scenarios, but it may still be worth mentioning in the
BIP, for example.