New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wagner's k-sum attack #34
Comments
Hi Jeff, concretely,
|
Three rounds means six-seven moves:
There are no randomness commitment phases in any of your protocols. Any known Schnorr multi-signature without randomness commitments is vulnerable. |
Can you please provide a reference? |
If I understand, I've a |
It still roughly Schnorr though, right? All Schnorr-like signatures are vulnerable, not sure about ECDSA. In fact, the "not currently involved in another signing protocol" assumption makes this secure, but that's unenforceable. |
I took a closer look. :) At least in https://github.com/KZen-networks/multi-party-schnorr/blob/master/src/protocols/aggsig/mod.rs there is a hashed commitment and Yes, the protocol by Micali, et al. survives because nonces/witnesses never get combined. It only reduces signature size by 50% over doing separate signatures, which requires only one trip. If you're trading trips for size then you'd accept three trips for 1 bit per signer. I'm therefore dubious this particular trade off ever makes sense in practice. I'm satisfied the issue I raise here no longer applies though.. |
I agree with both statements above. Thank you @burdges |
You could take https://github.com/w3f/schnorrkel/blob/master/src/musig.rs and replace all the underlying hashing, curve operations, delinearization, error types, etc. with stuff from your existing code. It still permits a two round trip use case, via I'll add our proposed fix into this in January with or without a security proof, well it'll make At some point I'd love to make some version of schnorkel to work on JubJubEngine or similar, which means making the signatures into RedDSA signatures, but mostly means waiting on their trait churn. |
If I understand, your code implements two round Schnorr multi-signature, much as https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/accountable_subgroups_multisignatures.pdf describes.
There is a somewhat viable forgery attack against all known two round Schnorr threshold/multi/etc. signatures given in https://eprint.iacr.org/2018/417.pdf that works by doing a roughly 2^40 computation while holding open 127 parallel signing queries.
We've an approach for a fix, but so far failed to prove security. We're still recommending the three round trip version as implemented in https://github.com/w3f/schnorrkel/blob/master/src/musig.rs but maybe that'll change in 2020 if we fix our fix. ;)
As an aside, you should manage MPCs with session types that encode the protocol's security requirements when using Rust, because even highly skilled developers routinely miss-use MPC libraries. These session types cannot be cloned, copied, serialized, etc. and can only be either dropped or consumed by value when advancing the state machine, like in https://github.com/w3f/schnorrkel/blob/master/src/musig.rs#L403
The text was updated successfully, but these errors were encountered: