[Resource Topic] 2024/437: Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection

Welcome to the resource topic for 2024/437

Title: Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection

Authors: Sela Navot

Abstract:

This note reveals a vulnerability of MuSig and BN multi-signatures when used with delayed message selection. Despite the fact that both schemes can be correctly implemented with preprocessing of the first two signing rounds before the message to sign is selected, we show that they are insecure (i.e. not existentially unforgeable against chosen message attacks) when the message selection is deferred to the third signing round and when parallel signing sessions are permitted. The attack, which uses the algorithm by Benhamouda et al. to solve the ROS problem, is practical and runs in polynomial time.

ePrint: https://eprint.iacr.org/2024/437

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.