State minimization in MuSig2 signing sessions

State minimization in MuSig2 signing sessions

Original Postby real-or-random

Posted on: March 7, 2024 10:44 UTC

The discussion revolves around a specific vulnerability concerning the handling of Partially Signed Bitcoin Transactions (PSBTs).

This vulnerability emerges when a PSBT is manipulated by introducing mutations that do not affect the output of the NonceGen function. The core of this issue lies in how nonce generation for signing transactions can be exploited under certain conditions.

An attacker initiates the exploit by sending a PSBT to the victim. Upon receiving this, the victim generates a secondary nonce (secnonce) and proceeds to sign the transaction with it. The attacker then claims that there was an error and resends the same PSBT, albeit with some mutations that crucially do not alter the outcome of the NonceGen function. Consequently, the victim unknowingly generates the identical secnonce as before and signs the transaction again.

This scenario underscores a critical security flaw because the re-generation of the same secnonce for different versions of the same PSBT—assuming these versions are perceived distinct due to their mutations—can compromise the integrity of the transaction process. This method of attack highlights the need for robust mechanisms to detect and mitigate such vulnerabilities, ensuring that nonce generation processes are secure against manipulation attempts that aim to exploit the predictability of nonce outcomes based on unchanged parameters.