Multiparty signatures
Summary:

In a post to the bitcoin-dev mailing list, Erik Aronesty suggested that replacing addition with interpolation across the MuSig construction could potentially prevent adaptive public key choice from being used to break the scheme with Wagner's attack. However, this would still require a delinearization mechanism to protect against such attacks. In MuSig, that mechanism hashes all of the public keys together with a per-value hash, which pre-commits the key set and forces the public keys to be chosen non-adaptively. Without it, a participant can choose its public key adaptively, and this is trivially exploitable: if party C picks the key C' = C - A - B after seeing A and B, then the aggregate key A + B + C' equals C, so C alone can sign for the group. It is also worth noting that Wagner had previously broken an earlier delinearization scheme of the form S = H(A)*A + H(B)*B + H(C)*C.
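The rogue-key example above, worked through in code. This is an added illustration, not code from the mailing-list thread or from any MuSig implementation: a pure-Python secp256k1 toy in which naive key aggregation A + B + C' collapses to C and accepts a signature produced by C alone, while a MuSig-style aggregate (each key weighted by a hash of the whole key set and that key) does not. The function names, the tagged-hash layout and the coefficient derivation are this example's own simplifications, not the specification's.

```python
"""Toy demo: rogue key C' = C - A - B against naive vs. delinearized key
aggregation on secp256k1. Constructed for illustration; not a real MuSig."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses).
FP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Points are (x, y) tuples; None is the point at infinity.

def ec_add(P1, P2):
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % FP == 0:
            return None                                   # P + (-P)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP      # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def ec_neg(P1):
    return None if P1 is None else (P1[0], (-P1[1]) % FP)

def ec_mul(k, P1):
    """Double-and-add scalar multiplication."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R

def enc(P1):
    """33-byte compressed point encoding, used as hash input."""
    return (b"\x02" if P1[1] % 2 == 0 else b"\x03") + P1[0].to_bytes(32, "big")

def h(tag, *parts):
    """Tagged SHA-256 reduced mod N (this example's own scheme)."""
    return int.from_bytes(hashlib.sha256(tag + b"".join(parts)).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def naive_aggregate(pubkeys):
    """Plain A + B + C: linear in the keys, so one key can cancel the rest."""
    agg = None
    for X in pubkeys:
        agg = ec_add(agg, X)
    return agg

def musig_aggregate(pubkeys):
    """sum_i H(L, X_i) * X_i with L the sorted key set: every coefficient
    depends on every key, so no key can be chosen to cancel the others."""
    L = b"".join(enc(X) for X in sorted(pubkeys))
    agg = None
    for X in pubkeys:
        agg = ec_add(agg, ec_mul(h(b"KeyAgg coefficient", L, enc(X)), X))
    return agg

def rogue_key(honest_pubkeys, own_pub):
    """C' = C - (A + B), chosen after seeing the honest keys."""
    return ec_add(own_pub, ec_neg(naive_aggregate(honest_pubkeys)))

def schnorr_sign(x, X, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    e = h(b"challenge", enc(R), enc(X), msg)
    return R, (k + e * x) % N

def schnorr_verify(X, msg, sig):
    R, s = sig
    e = h(b"challenge", enc(R), enc(X), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, X))

def demo():
    """C registers a rogue key and signs alone; see which aggregate accepts."""
    _, A = keygen()
    _, B = keygen()
    c, C = keygen()
    Cp = rogue_key([A, B], C)
    msg = b"spend from the 3-party key"              # constructed message
    sig = schnorr_sign(c, C, msg)                    # C alone, no A or B
    naive = naive_aggregate([A, B, Cp])
    deline = musig_aggregate([A, B, Cp])
    return {
        "naive_aggregate_is_C": naive == C,
        "naive_accepts_C_alone": schnorr_verify(naive, msg, sig),
        "musig_aggregate_is_C": deline == C,
        "musig_accepts_C_alone": schnorr_verify(deline, msg, sig),
    }
```

Running `demo()` returns the first two flags as `True` and the last two as `False`: the naive aggregate is literally C's own key, so C's single-party signature verifies against it, whereas the hashed coefficients make the aggregate depend on C' in a way C could not steer when picking it. This only closes the trivial cancellation; as the summary notes, the per-key coefficients must bind the whole key set, since a coefficient of the form H(X_i) alone is what Wagner's attack defeats.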
Updated on: 2023-06-13T03:55:39.303473+00:00