Paper 2024/437

Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection

Sela Navot, University of Washington
Abstract

This note reveals a vulnerability of MuSig and BN multi-signatures when used with delayed message selection. Although both schemes can be correctly implemented with the first two signing rounds preprocessed before the message to sign is selected, we show that they are insecure (i.e., not existentially unforgeable under chosen-message attacks) when message selection is deferred to the third signing round and parallel signing sessions are permitted. The attack, which uses the algorithm of Benhamouda et al. for solving the ROS problem, is practical and runs in polynomial time.
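As an added example (not code from the paper), here is a hypothetical policy layer a signer could place in front of its MuSig/BN session handling, modelling the three rounds as a state machine: a session that defers its message may release its nonce only while no other deferred session has a live nonce, which excludes the parallel delayed-message setting the abstract identifies while still permitting fully preprocessed sessions whose message was fixed up front. Group arithmetic and hashing are omitted on purpose, and the class names and the policy itself are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

class SessionPolicyError(Exception): pass

@dataclass
class Session:
    sid: int
    message: Optional[bytes]  # None means the message has not been chosen yet
    round: int = 0            # 0 opened, 1 commitment sent, 2 nonce revealed, 3 signed

class SigningSessionManager:
    """One signer's bookkeeping for MuSig/BN sessions (hypothetical policy layer,
    group arithmetic and hashing deliberately left out). Policy: a session whose
    message is still unchosen may reveal its nonce only while no other such
    delayed session has a live, i.e. revealed but not yet consumed, nonce."""
    def __init__(self):
        self._sessions = {}

    def open(self, message=None):
        sid = len(self._sessions)
        self._sessions[sid] = Session(sid, message)
        return sid

    def outstanding_delayed(self, exclude=None):
        return sum(1 for s in self._sessions.values()
                   if s.sid != exclude and s.message is None and s.round == 2)

    def send_commitment(self, sid):  # round 1: commit to the nonce R_i
        s = self._sessions[sid]
        if s.round != 0:
            raise SessionPolicyError(f"session {sid}: commitment already sent")
        s.round = 1

    def reveal_nonce(self, sid):  # round 2: R_i is released to the co-signers
        s = self._sessions[sid]
        if s.round != 1:
            raise SessionPolicyError(f"session {sid}: not in the committed state")
        if s.message is None and self.outstanding_delayed(exclude=sid):
            raise SessionPolicyError(f"session {sid}: another delayed session has a live nonce")
        s.round = 2

    def partial_sign(self, sid, message=None):  # round 3: bind the message, release the share
        s = self._sessions[sid]
        if s.round != 2:
            raise SessionPolicyError(f"session {sid}: nonce not yet revealed")
        bound = s.message if s.message is not None else message
        if bound is None or message not in (None, bound):
            raise SessionPolicyError(f"session {sid}: missing or mismatched message")
        s.message, s.round = bound, 3
        return bound  # stands in for the signature share in this model
```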

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
multi-signatures, ROS problem
Contact author(s)
senavot @ cs washington edu
History
2024-03-15: approved
2024-03-13: received
Short URL
https://ia.cr/2024/437
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/437,
      author = {Sela Navot},
      title = {Insecurity of MuSig and BN Multi-Signatures with Delayed Message Selection},
      howpublished = {Cryptology ePrint Archive, Paper 2024/437},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/437}},
      url = {https://eprint.iacr.org/2024/437}
}