You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: doc/musig-spec.mediawiki
+14-7Lines changed: 14 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -129,15 +129,22 @@ The algorithm ''NonceAgg(pubnonce<sub>1..u</sub>)'' is defined as:
129
129
===== Note on ''is_infinite(R'<sub>i</sub>)'' =====
130
130
131
131
If ''is_infinite(R'<sub>i</sub>)'' there is at least one dishonest signer (except with negligible probability).
132
-
If we would fail here, we will never be able to determine who it is.
133
-
Therefore, we should continue such that the culprit is revealed when collecting and verifying partial signatures.
132
+
If we fail here, we will never be able to determine who it is.
133
+
Therefore, we continue so that the culprit is revealed when collecting and verifying partial signatures.
134
+
134
135
However, dealing with the point at infinity requires defining a serialization and may require extra code complexity in implementations.
135
-
Instead, we set the aggregate nonce to some arbitrary point, the generator.
136
+
Instead of incurring this complexity, we make two modifications (compared to the MuSig2* appendix in the [https://eprint.iacr.org/2020/1261 MuSig2 paper]) to avoid infinity while still allowing us to detect the dishonest signer:
137
+
* In ''NonceAgg'', if an output ''R'<sub>i</sub>'' would've been infinity, instead output the generator (an arbitrary choice).
138
+
* In ''Sign'', implicitly disallow the input ''aggnonce'' to contain infinity (since the serialization format doesn't support it).
139
+
140
+
The entire ''NonceAgg'' function (both the original and modified version) only depends on publicly available data (the set of public pre-nonces from every signer).
141
+
In the security proof, we consider ''NonceAgg'' to be performed by an untrusted party; thus modifications to ''NonceAgg'' do not affect the security of the scheme.
142
+
143
+
The modification to ''Sign'' is equivalent to adding a clause, "abort if the input ''aggnonce'' contained infinity".
144
+
This modification only depends on the publicly available ''aggnonce''.
145
+
Given an adversary against the security game (EUF-CMA) for the modified scheme, a reduction can win the security game for the original scheme by simulating the modification (i.e. checking whether to abort) when interacting with the adversary.
136
146
137
-
This modification does not affect the security of the scheme.
138
-
''NonceAgg'' (both the original and modified version) only depends on publicly available data (the set of public pre-nonces from every signer).
139
-
Thus in the multi-signature security game (EUF-CMA), we can consider ''NonceAgg'' to be performed by the adversary (rather than the challenger) without loss of generality.
140
-
The modification changes neither the behavior of the EUF-CMA challenger nor the condition required to win the security game (the adversary still has to output a valid forgery according to the unmodified MuSig2* scheme). Since we've already proved that MuSig2* is secure against an arbitrary adversary, we can conclude that the modified scheme is still secure.
147
+
We conclude that these two modifications preserve the security of the MuSig2* scheme.
0 commit comments