delvingbitcoin

How many nonce reuse before exposing your Musig2 private key?

Original Post by real-or-random

Posted on: March 7, 2024 12:29 UTC

The discussion concerns the vulnerabilities that arise from nonce reuse across concurrent signing sessions in cryptographic signature schemes, here specifically MuSig2.

A specific attack vector is outlined, demonstrating how an attacker can exploit limited nonce reuse across many concurrent signing sessions to forge a signature. This is the same class of vulnerability discussed in the MuSig2 paper, on pages 5 and 6. The attack relies on the fact that, while the signing key cannot be extracted from just two signatures sharing the same nonce, the security argument breaks down once an attacker can orchestrate many signing sessions in which nonces are reused in a controlled manner.

In this scenario, the attacker manipulates nonce pairs across multiple session pairs, aiming to obtain a signature on a target message by solving a system of equations involving these nonce pairs. Wagner's algorithm, or the more recent BLLOR algorithm, is used to find nonce pairs that satisfy the required relation, which enables the forgery. Both methods are documented in the linked references on Wagner's algorithm and the BLLOR algorithm. By combining the chosen nonce pairs with the partial signatures obtained from the honest signer, the attacker derives a signature equation of the same form as the one produced legitimately in the signing process.

Additionally, the discussion touches on a related statement in the MuSig2 Bitcoin Improvement Proposal (BIP), which says that signing two different messages with the same secret nonce can lead to exposure of the private key. A suggestion is made to revise the wording in the BIP so that it better reflects the nuances of this security concern.
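To make the "two signatures are not enough, but more are" nuance concrete, here is an added example that is not from the original post, the MuSig2 paper or the BIP. It models only the scalar equation of a MuSig2 partial signature (no elliptic-curve operations are needed, because the unknowns enter linearly), with constructed sample values and SHA-256 stand-ins for the tagged hashes, and reports when the equations a signer has leaked by reusing its secret nonce pair determine the key; this goes slightly beyond the page, which only states that two reuses do not suffice.

```python
# Added example: counts how many independent equations a MuSig2 signer leaks
# by reusing its secret nonce pair (r1, r2) across sessions. All values are
# constructed; the hash functions are stand-ins for the BIP's tagged hashes.
import hashlib

# secp256k1 group order (prime), so scalar arithmetic below is over a field.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def h(tag, msg):
    """Stand-in for the tagged hashes that derive b (nonce coefficient) and c (challenge)."""
    return int.from_bytes(hashlib.sha256(tag.encode() + b"|" + msg.encode()).digest(), "big") % N

def partial_sig(x, r1, r2, a, b, c):
    """MuSig2 partial signature s = r1 + b*r2 + a*c*x (mod n); only x, r1, r2 are secret."""
    return (r1 + b * r2 + a * c * x) % N

def leaked_equations(x, r1, r2, a, messages):
    """Honest signer reusing the same (r1, r2) on each message; returns what an
    observer sees per session: (s_i, b_i, c_i). The aggregation coefficient a is public."""
    observed = []
    for msg in messages:
        b = h("MuSig/noncecoef", msg)      # changes with the message, so each session differs
        c = h("BIP0340/challenge", msg)
        observed.append((partial_sig(x, r1, r2, a, b, c), b, c))
    return observed

def rank_mod_n(rows):
    """Rank of a matrix over Z_n (n prime) by Gaussian elimination."""
    m = [row[:] for row in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % N), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, N)
        m[rank] = [(v * inv) % N for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % N:
                f = m[i][col]
                m[i] = [(vi - f * vr) % N for vi, vr in zip(m[i], m[rank])]
        rank += 1
    return rank

def key_determined(observed, a):
    """True once the public coefficient rows [1, b_i, a*c_i] span all three
    unknowns (r1, r2, x): the key is then fixed by the leaked equations."""
    rows = [[1, b, (a * c) % N] for (_s, b, c) in observed]
    return rank_mod_n(rows) == 3
```

Reusing the pair on the same message contributes identical rows and no new information, which is why the check counts distinct sessions rather than signatures.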

This exchange underscores the balance between functionality and security in cryptographic protocols, and the need for careful design and analysis to rule out such exploits. It reflects ongoing work in the cryptographic community to identify and mitigate vulnerabilities so that digital signature schemes remain robust against sophisticated attacks.