Author: Lloyd Fournier 2019-11-29 05:50:33
Published on: 2019-11-29T05:50:33+00:00
In an email sent to bitcoin-dev, ZmnSCPxj discusses the MuSig composition problem. Specifically, the issue of ensuring that the three-phase MuSig protocol is used instead of a potentially unsafe two-phase variant when one of the protocol participants is an aggregate entity. The proposed solution involves exchanging commitments to `R` and validating that the sum of these commitments equals the committed value. The potential security issues with the two-phase MuSig protocol are highlighted, including the Wagner Generalized Birthday Paradox attack and a flaw in the security proof that allows one participant to delay a side of an R exchange to control the resulting sum R. To combat this problem, Schnorr signatures and homomorphic commitment schemes such as Pedersen commitments are discussed.The MuSig signing protocol has also been found to be vulnerable to an attack that involves multiple signing sessions, reducing the required effort from 2^128 to within a few seconds with parallel sessions. To fix this vulnerability, a modification called the Multi-R proposal is suggested, which adds an "R commitment exchange" phase to ensure a simultaneous exchange of R points. This modification is expected to have no effect on the security proof of MuSig.The email also notes that the number of commitments exchanged during the MuSig protocol can reveal whether a participant is an aggregate or not. Alternative proposals for MuSig, such as using Pedersen or ElGamal commitments in the first phase, are discussed but are found to have security flaws that could allow a malicious participant to control the resulting signature. The author consulted with other experts in the field regarding these proposals and potential attacks.
Updated on: 2023-06-13T22:21:16.599587+00:00