Author: Tim Ruffing 2020-02-24 16:56:06
Published on: 2020-02-24T16:56:06+00:00
The discussion on the bitcoin-dev mailing list revolves around preventing repeated signings of the same message and using a "validity" time window to limit the amount of state an attacker can control. The Drijvers, et al paper focuses on parallel and aborted signings where ksums can be used. The more variables an attacker can control, the more "k" lists they can form, making it easier to find collisions. One solution is to add a signature timeout to the message (say a block height), which participants would refuse to sign if that time is too far in the future, or at all in the past, or if a message M is the same as any previous message within that time window.The safety of two-phase MuSig is also discussed, with a reference to a paper that argues it is potentially unsafe due to the number of parallel sessions. If the number of parallel sessions is limited to 2 or 3, the scheme may be secure, but the efficiency of Wagner's attack in practice is uncertain. Timeouts alone won't help, and instead, using 3-round MuSig could eliminate the entire issue.
Updated on: 2023-06-13T22:24:00.976632+00:00