Blinded 2-party Musig2



Summary:

The issue at hand is that while the proposed solution may address the problem of blinding, it does not solve the issue of the client-controlled challenge e', which allows for signature forgery. This vulnerability is not unique to MuSig(2) but also applies to the original blind Schnorr signatures, as demonstrated in David Wagner's "A Generalized Birthday Problem" paper.

For those interested in recent developments regarding blind Schnorr signatures, two papers are worth exploring. The first, "Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model" (available at https://eprint.iacr.org/2019/877.pdf), proposes a less efficient variant of blind Schnorr signatures that is secure under concurrent signing, assuming the hardness of the "mROS" problem, which is deemed plausible. Another potential approach discussed in the thread involves using commitments and a Zero-Knowledge Proof (ZKP). This approach, often referred to as "folklore", has been mentioned sporadically but lacks a detailed specification and a security proof to the best of my knowledge.

These references provide additional insights and alternative perspectives on blind Schnorr signatures, offering further avenues for exploration and potential solutions to the security concerns raised.
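To make the "client-controlled challenge" concrete, here is the textbook three-move blind Schnorr protocol written out with both parties' messages. This is an added example, not code from the thread or from any project discussed in it, and it models the plain blind Schnorr scheme rather than the blinded MuSig2 proposal. The group is a constructed toy subgroup of Z_q* (q = 2039, p = 1019, generator 4) chosen for readability; the function names, the blinding scalars alpha and beta, and the variable e_blind (the value the summary calls e') are this example's own. The point it shows is that the signer only ever sees R, e_blind and s: it cannot inspect the message, the unblinded nonce R' or the real challenge, and it has no way to validate how e_blind was formed, which is exactly the property that Wagner's attack exploits under concurrent sessions.

```python
import hashlib
import secrets

# Constructed toy group: q = 2039 and p = 1019 are prime with q = 2p + 1, so
# g = 4 (a quadratic residue mod q) generates the prime-order-p subgroup of Z_q*.
# These sizes are for illustration only, not for any real deployment.
Q = 2039
P = 1019
G = 4


def H(R_prime: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e' = H(R', m), reduced into the scalar field Z_p."""
    data = R_prime.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def keygen():
    """Signer key pair: secret scalar x, public key X = g^x."""
    x = secrets.randbelow(P - 1) + 1
    return x, pow(G, x, Q)


def signer_round1():
    """Move 1 (signer -> client): pick a nonce k and send only R = g^k."""
    k = secrets.randbelow(P - 1) + 1
    return k, pow(G, k, Q)


def client_blind(X: int, R: int, msg: bytes, alpha=None, beta=None):
    """Move 2 (client -> signer): blind the nonce and the challenge.

    The signer never learns msg, R' or e'; it only receives e_blind.
    alpha/beta may be fixed for deterministic tests (hypothetical parameters).
    """
    alpha = secrets.randbelow(P) if alpha is None else alpha
    beta = secrets.randbelow(P) if beta is None else beta
    R_prime = (R * pow(G, alpha, Q) * pow(X, beta, Q)) % Q
    e_prime = H(R_prime, msg)                  # the real challenge
    e_blind = (e_prime + beta) % P             # what the signer is asked to sign with
    return (alpha, R_prime, e_prime), e_blind


def signer_round2(x: int, k: int, e_blind: int) -> int:
    """Move 3 (signer -> client): s = k + e_blind * x.

    The signer has no information with which to check e_blind; it is entirely
    client-controlled, which is the weakness the thread summary points at.
    """
    return (k + e_blind * x) % P


def client_unblind(state, s: int):
    """Client removes the blinding: signature (R', s') with s' = s + alpha."""
    alpha, R_prime, _ = state
    return R_prime, (s + alpha) % P


def verify(X: int, msg: bytes, sig) -> bool:
    """Ordinary Schnorr verification: g^s' == R' * X^H(R', m)."""
    R_prime, s_prime = sig
    return pow(G, s_prime, Q) == (R_prime * pow(X, H(R_prime, msg), Q)) % Q


def run_session(x: int, X: int, msg: bytes):
    """Run one complete session and return the signature plus the signer's view."""
    k, R = signer_round1()
    state, e_blind = client_blind(X, R, msg)
    s = signer_round2(x, k, e_blind)
    sig = client_unblind(state, s)
    signer_view = {"R": R, "e_blind": e_blind, "s": s}   # all the signer ever sees
    return sig, signer_view


if __name__ == "__main__":
    x, X = keygen()
    msg = b"constructed message"
    sig, view = run_session(x, X, msg)
    print("valid:", verify(X, msg, sig))
    print("signer saw:", view)
    print("resulting signature (R', s'):", sig)
```

Running the session shows that the signature verifies under the signer's public key even though the signer's view contains neither the message nor R'. The summary's concern is precisely that nothing in `signer_round2` constrains `e_blind`; the variant in the cited Fuchsbauer-Plouviez-Seurin paper changes the protocol so that this freedom no longer yields a one-more forgery under concurrent signing, whereas the plain scheme above does not.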


Updated on: 2023-07-27T01:55:57.768459+00:00