Paper 2024/437
Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection
Abstract
This note reveals a vulnerability of MuSig and BN multi-signatures when used with delayed message selection. Despite the fact that both schemes can be correctly implemented with preprocessing of the first two signing rounds before the message to sign is selected, we show that they are insecure (i.e. not existentially unforgeable against chosen message attacks) when the message selection is deferred to the third signing round and when parallel signing sessions are permitted. The attack, which uses the algorithm by Benhamouda et al. to solve the ROS problem, is practical and runs in polynomial time.
Metadata
- Category
- Public-key cryptography
- Publication info
- Preprint.
- Keywords
- multi-signatures, ROS problem
- Contact author(s)
- senavot @ cs washington edu
- History
- 2024-03-15: approved
- 2024-03-13: received
- Short URL
- https://ia.cr/2024/437
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/437,
  author = {Sela Navot},
  title = {Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection},
  howpublished = {Cryptology ePrint Archive, Paper 2024/437},
  year = {2024},
  note = {\url{https://eprint.iacr.org/2024/437}},
  url = {https://eprint.iacr.org/2024/437}
}