Paper 2024/437

Insecurity of MuSig and Bellare-Neven Multi-Signatures with Delayed Message Selection

Sela Navot, University of Washington
Abstract

Multi-signature schemes in pairing-free settings require multiple communication rounds, prompting efforts to reduce the number of signing rounds that need to be executed after the signers receive the message to sign. In MuSig and Bellare-Neven multi-signatures, the signing protocol does not use the message until the third (and final) signing round. This structure seemingly allows pre-processing of the first two signing rounds before the signers receive the message. However, we demonstrate that this approach compromises security and enables a polynomial-time attack, which uses the algorithm of Benhamouda et al. to solve the ROS problem.

Note: Updated July 4th 2024: improvements to the attacks against Bellare-Neven multi-signatures and major editorial changes throughout the paper.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
multi-signatures, ROS problem
Contact author(s)
senavot @ cs washington edu
History
2024-07-04: revised
2024-03-13: received
Short URL
https://ia.cr/2024/437
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/437,
      author = {Sela Navot},
      title = {Insecurity of {MuSig} and Bellare-Neven Multi-Signatures with Delayed Message Selection},
      howpublished = {Cryptology ePrint Archive, Paper 2024/437},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/437}},
      url = {https://eprint.iacr.org/2024/437}
}