Author: Jonas Nick 2022-11-03 14:43:22
Published on: 2022-11-03T14:43:22+00:00
The MuSig2 BIP draft has been updated to fix a vulnerability that was published in an earlier post. In addition, an article has been written which includes a description of the vulnerable scheme, an attack against it using Wagner's algorithm, and a fixed scheme that permits tweaking. The "BLLOR" attack mentioned in the article has also been implemented, which works against the reference python implementation of the previous version of the MuSig2 BIP draft. The fix for the MuSig2 BIP is equivalent to the fix of the scheme in the article: before calling ''NonceGen'', the signer must determine the (potentially tweaked) secret key it will use for this signature. BIP MuSig2 now ensures that users cannot accidentally violate this requirement by adding a mandatory public key argument to ''NonceGen'', appending the public key to the ''secnonce'' array and checking the public key against the secret key in ''Sign''. Detailed changes can be seen in the pull request provided in the sources.
Updated on: 2023-06-15T18:48:52.004922+00:00