Combined summary - How many nonce reuse before exposing your Musig2 private key?

The discussion revolves around the complexities and vulnerabilities associated with nonce reuse in concurrent signing sessions, specifically within the context of cryptographic signatures.

It is highlighted that extracting a signing key from merely two signatures that employ the same nonce is unfeasible due to the insufficiency of equations relative to unknowns. However, the narrative shifts towards a more concerning scenario where an attacker orchestrates multiple concurrent signing sessions, exploiting limited nonce reuse. This strategy enables the attacker to potentially forge a signature. This method of attack bears resemblance to one previously documented against "InsecureMuSig," as detailed within the MuSig2 paper, which can be found here on pages 5 and 6. The procedure becomes significantly more complex due to the necessity to adjust for various factors throughout the process.

Expanding on the technicalities, during these attack scenarios, the signer inadvertently reuses nonce pairs across different sessions. An adversary can then compute a specific product of these nonce pairs and employ algorithms like Wagner's or the faster BLLOR algorithm to find corresponding nonce pairs that satisfy a set of equations. These equations involve calculations of hash functions and corrections for 'b' values, as thoroughly explained in the provided documents. For more information on Wagner's algorithm and the BLLOR algorithm, one might refer to the respective sources here and here.

Upon receiving nonce pairs from the attacker, the honest signer responds with partial signatures. Through a series of mathematical manipulations involving these partial signatures and the predefined 'b' values, it's possible to derive an equation that mirrors the theoretical construct outlined in the referenced paper. This derivation underscores the feasibility of the attack under circumstances of nonce reuse in concurrent sessions.

Additionally, the conversation touches upon a related security notice within the Musig2 Bitcoin Improvement Proposal (BIP), specifically addressing the risks tied to signing distinct messages with the same secondary nonce (secnonce). The dialogue suggests a potential revision in the wording of the BIP to better convey the associated risks. The Musig2 BIP documentation is accessible here.

The elaboration provided offers a deep dive into the subtleties of cryptographic security, highlighting the delicate balance between operational efficiency and the imperative of maintaining rigorous nonce management to thwart potential vulnerabilities.

Discussion History

t-bastOriginal Post
March 7, 2024 12:24 UTC
March 7, 2024 12:29 UTC