{"type":"rich","version":"1.0","title":"Jonas Nick [ARCHIVE] wrote","author_name":"Jonas Nick [ARCHIVE] (npub1at…y3z5a)","author_url":"https://yabu.me/npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5a","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2021-10-09\n📝 Original message:\nHi,\n\nit seems like parts of this proposal rely on deterministic nonces in MuSig.\nGenerally, this is insecure unless combined with heavy machinery that proves\ncorrectness of the nonce derivation in zero knowledge. If one signer uses\ndeterministic nonces and another signer uses random nonces, then two signing\nsessions will have different challenge hashes which results in nonce reuse by\nthe first signer [0]. Is there a countermeasure against this attack in the\nproposal? What are the inputs to the function that derives DA1, DA2? Is the\nassumption that a signer will not sign the same message more than once?\n\nIt may be worth pointing out that an adaptor signature scheme cannot treat\nMuSig2 as a black box as indicated in the \"Adaptor Signatures\" section [1]. In\nparticular, generally the secret X must be input to the hash function that\ngenerates nonce coefficient k. Otherwise, an attacker can grind through\nchallenge hashes by varying X without affecting the aggregate nonce and produce\na forgery. For the same reason, the message m is included in hash function\ninputs of k. However, taking X into account when computing k shouldn't be an\nissue for protocols making use of adaptor signatures because k does not need to\nbe determined before signing time and X is required to be known at that point\nanyway.\n\n[0] https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6\n     See \"The attack works as follows.\"\n[1] MuSig2 adaptor signature issue: https://github.com/ElementsProject/scriptless-scripts/issues/23,\n     PR: https://github.com/ElementsProject/scriptless-scripts/pull/24"}
