Posted by waxwing/ AdamISZ
Apr 19, 2025/16:28 UTC
AdamISZ, also known as waxwing, raises a technical question about the paper's description of an attack on MuSig2-IAS in Appendix A2. He notes that the document shows how a partial signature can be forged on a tweaked key of an honest signer. His question is why this attack cannot also be applied to MuSig2 itself, given that the multisig-to-IAS (Implicitly Authenticated Signatures) translation is largely straightforward. The translation takes into account a known weakness noted in a 2018 study, namely that the signed message is a concatenation of the individual messages and keys. Even so, AdamISZ asks what fundamental difference prevents the same structure of attack from working against MuSig2, describing the attack as scaling the R-values by the ratio a2/a1, applying the same scaling to the partial signature, and then adding the tweak.
AdamISZ also notes that the three-round version of MuSig and variants with a Proof of Knowledge (PoK) of R are not susceptible to this attack, and suspects he is overlooking some detail of the mechanism that protects MuSig2 from it. The question was posted to the Bitcoin Development Mailing List.