rich1.0Jonas Nick [ARCHIVE] (npub1at…y3z5a)https://yabu.me/npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5anjumphttps://yabu.me📅 Original date posted:2021-10-09 📝 Original message: Hi, it seems like parts of this proposal rely on deterministic nonces in MuSig. Generally, this is insecure unless combined with heavy machinery that proves correctness of the nonce derivation in zero knowledge. If one signer uses deterministic nonces and another signer uses random nonces, then two signing sessions will have different challenge hashes which results in nonce reuse by the first signer [0]. Is there a countermeasure against this attack in the proposal? What are the inputs to the function that derive DA1, DA2? Is the assumption that a signer will not sign the same message more than once? It may be worth pointing out that an adaptor signature scheme can not treat MuSig2 as a black box as indicated in the "Adaptor Signatures" section [1]. In particular, generally the secret X must be input to the hash function that generates nonce coefficient k. Otherwise, an attacker can grind through challenge hashes by varying X without affecting the aggregate nonce and produce a forgery. For the same reason, the message m is included in hash function inputs of k. However, taking X into account when computing k shouldn't be an issue for protocols making use of adaptor signatures because k does not need to be determined before signing time and X is required to be known at that point anyway. [0] https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6 See "The attack works as follows." [1] MuSig2 adaptor signature issue: https://github.com/ElementsProject/scriptless-scripts/issues/23, PR: https://github.com/ElementsProject/scriptless-scripts/pull/24