On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote:
> > Thus, two-phase MuSig is potentially unsafe.
> > https://eprint.iacr.org/2018/417.pdf describes the argument.
>
> One solution is to add a signature timeout to the message (say a
> block height).
>
> A participant refuses to sign if that time is too far in the future,
> or is at all in the past, or if a message M is the same as any
> previous message within that time window.
>
> Seems to resolve the attacks on 2 round musig.

I don't understand this. Can you elaborate?

Best,
Tim
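
The refusal rule proposed in the quoted message, written out as an added example (not code from either poster or from any MuSig implementation). The class name, the `max_horizon` parameter, accepting a timeout equal to the current height, and keying the repeat check on a SHA-256 digest of the message are assumptions; the block covers only the signer-side bookkeeping, not a signing protocol.

```python
import hashlib


class TimeoutSigningPolicy:
    """Signer-side refusal rule: timeout window plus repeat-message check."""

    def __init__(self, max_horizon=6):
        # Assumption: "too far in the future" means more than max_horizon blocks ahead.
        self.max_horizon = max_horizon
        # Message digest -> timeout height under which it was accepted.
        self.seen = {}

    def check(self, message: bytes, timeout_height: int, current_height: int):
        """Return (allowed, reason) for one signing request."""
        # Forget messages whose timeout window has already closed.
        self.seen = {d: h for d, h in self.seen.items() if h >= current_height}

        # Refuse a timeout that is already in the past.
        if timeout_height < current_height:
            return (False, "timeout in the past")
        # Refuse a timeout that is too far in the future.
        if timeout_height - current_height > self.max_horizon:
            return (False, "timeout too far in the future")

        # Refuse a message identical to one accepted within a still-open window.
        digest = hashlib.sha256(message).digest()
        if digest in self.seen:
            return (False, "message repeated within window")

        # Only accepted requests are recorded.
        self.seen[digest] = timeout_height
        return (True, "ok")


if __name__ == "__main__":
    policy = TimeoutSigningPolicy(max_horizon=6)
    # Constructed requests: (message, timeout height, current chain height).
    for msg, timeout, now in [(b"tx-A", 105, 100), (b"tx-A", 106, 101),
                              (b"tx-B", 99, 100), (b"tx-B", 120, 100),
                              (b"tx-A", 110, 106)]:
        print(msg, timeout, now, policy.check(msg, timeout, now))
```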
