Author: Jonas Nick 2022-05-26 15:32:33
Published on: 2022-05-26T15:32:33+00:00
The author responds to feedback on key aggregation and the MuSig2 BIP draft. They disagree with the suggestion that identifying dishonest signers is useless in cases of duplicate keys. However, they do agree that honest signers should not continue to protect broken implementations. The author thinks it's implausible to find a single instance of an implementation that doesn't survive partial signature creation by looking at duplicate public keys. The author does agree that aborting in KeyAgg when encountering duplicate public keys is compatible with the MuSig2 BIP draft. The author states that they don't follow the argument that identifying signers claiming the public key of other signers is useless. In the persistent case, there are opportunities for an attacker to overtake a participant and try to disrupt the protocol. The author mentions that duplicating keys would require "a Sybil at two indices," but actually a single malicious signer that copies some public key is sufficient. Regarding the spontaneous case, the author points out that partial signature verification identifies at least one of the dishonest signers and allows making progress. This closes the DoS vector as far as the MuSig protocol is concerned. If there are multiple disruptive signers, they may not all be identified in a single round but require multiple signing attempts. Lastly, the author agrees that the claim "any signer who prevents a signing session from completing successfully by sending incorrect contributions in the session can be identified" is incorrect. They opened a pull request to fix the wording.
Updated on: 2023-06-15T18:48:40.823925+00:00