Author: Jonas Nick 2021-10-09 12:21:03
Published on: 2021-10-09T12:21:03+00:00
The proposal being discussed involves the use of deterministic nonces in MuSig, which is generally considered insecure without heavy machinery to prove that nonce derivation is correct in zero knowledge. If one signer uses deterministic nonces and another uses random ones, then two signing sessions will have different challenge hashes which can result in nonce reuse by the first signer. It is unclear whether there is a countermeasure against this attack in the proposal or what the inputs to the function are that derive DA1 and DA2. Additionally, it is worth noting that an adaptor signature scheme cannot treat MuSig2 as a black box, as secret X must be input to the hash function that generates nonce coefficient k to prevent an attacker from grinding through challenge hashes by varying X without affecting the aggregate nonce and producing a forgery. The message m is also included in hash function inputs of k. However, taking X into account when computing k should not be an issue for protocols making use of adaptor signatures because k does not need to be determined before signing time, and X is required to be known at that point anyway.
Updated on: 2023-06-03T06:18:57.695385+00:00