State minimization in MuSig2 signing sessions

Original post by salvatoshi

Posted on: March 7, 2024 09:26 UTC

The discussion raises concerns about the potential risks associated with hashing the commitment to the transaction ID (txid) and wallet policy in the context of handling multiple Partially Signed Bitcoin Transactions (PSBTs) for the same transaction.

A session_id is proposed to make ID collisions unlikely; a collision is not a security risk, but it would cause the signing to fail. The handling of such cases is then spelled out: if a second PSBT is presented whose altered parameters feed into nonce generation (NonceGen), the recomputed secnonce/pubnonce will differ from the committed one for at least one pair of indices, so the signing is aborted and the session terminated. Conversely, if the changes in the second PSBT do not affect the output of NonceGen, they are irrelevant, since NonceGen would have produced the same result regardless of the mutation. This amounts to a safeguard against the problems that can arise from handling multiple PSBTs for the same transaction, and it underlines the importance of carefully managing which parameters the nonce derivation commits to, so that transaction security and integrity are preserved.
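The round-1/round-2 check described above, as an added example that is not code from the original post or from any signing-device implementation. NonceGen is replaced by an HMAC/SHA-256 stand-in (real BIP 327 NonceGen outputs curve points and also mixes in the signer's key, aggregate key and message), and the Signer class, its session layout and the PSBT dictionary fields are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


class SessionAborted(Exception):
    """Raised when a PSBT no longer matches the nonces the session committed to."""


def nonce_gen(seed, session_id, txid, wallet_policy, input_index, key_index):
    """Stand-in for MuSig2 NonceGen: deterministic in the device seed and in every
    parameter the session commits to (session_id, txid, wallet policy, indices).
    Hashes replace the curve points a real NonceGen would output."""
    params = session_id + txid + wallet_policy
    params += input_index.to_bytes(4, "big") + key_index.to_bytes(4, "big")
    secnonce = hmac.new(seed, params, hashlib.sha256).digest()
    pubnonce = hashlib.sha256(b"pubnonce" + secnonce).digest()  # placeholder for the point
    return secnonce, pubnonce


class Signer:
    """Minimal-state signer: one secret seed plus, per session, only the pubnonces
    already handed out. Secnonces are never stored; they are recomputed from the PSBT."""

    def __init__(self, seed=None):
        self.seed = seed or os.urandom(32)
        self.sessions = {}  # session_id -> {(input_index, key_index): pubnonce}

    def round1(self, session_id, psbt):
        """Derive and return the pubnonce for every (input, key) pair in the PSBT."""
        if session_id in self.sessions:
            raise SessionAborted("session_id collision")  # not a security risk, signing fails
        nonces = {}
        for idx in psbt["inputs"]:
            _, pub = nonce_gen(self.seed, session_id, psbt["txid"], psbt["wallet_policy"], *idx)
            nonces[idx] = pub
        self.sessions[session_id] = nonces
        return nonces

    def round2(self, session_id, psbt):
        """Recompute nonces from the PSBT presented now and compare them with the
        round-1 commitments; any discrepancy aborts signing and ends the session."""
        committed = self.sessions.pop(session_id, None)  # session is single-use either way
        if committed is None or set(psbt["inputs"]) != set(committed):
            raise SessionAborted("unknown session or changed input/key set")
        partial_sigs = {}
        for idx, pub in committed.items():
            sec, recomputed = nonce_gen(self.seed, session_id, psbt["txid"], psbt["wallet_policy"], *idx)
            if recomputed != pub:
                raise SessionAborted(f"nonce mismatch at {idx}: PSBT parameters changed")
            # Placeholder for the MuSig2 partial signature that would use secnonce.
            partial_sigs[idx] = hashlib.sha256(b"partial" + sec + psbt["txid"]).digest()
        return partial_sigs
```

A mutation of a PSBT field that NonceGen does not read (here, an extra `memo` key) passes round 2 unchanged, while a changed txid or wallet policy is caught and the session is dropped.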