Basically just some mechanism for preventing repeated signings of the same message, and using a "validity" time window so that the amount of state you need to enquire about isn't unbounded.
The Drijvers, et al paper is specifically concerned with parallel and aborted signings, where ksums can be used. In general, the more variables that an attacker can control ,the more "k" lists they can form, and the more likely they can find collisions. If signers refused to sign "stale" messages, refused to sign in parallel beyond a certain limit, and refused to sign the same message twice, it should help reduce the attack surface. On Mon, Feb 24, 2020 at 6:41 AM Tim Ruffing via bitcoin-dev <[email protected]> wrote: > > On Sun, 2020-02-23 at 02:27 -0500, Erik Aronesty via bitcoin-dev wrote: > > > Thus, two-phase MuSig is potentially unsafe. > > > https://eprint.iacr.org/2018/417.pdf describes the argument. > > > > One solution is to add a signature timeout to the message (say a > > block height) . > > > > A participant refuses to sign if that time is too far in the future, > > or is at all in the past, or if a message M is the same as any > > previous message within that time window. > > > > Seems to resolve the attacks on 2 round musig. > > I don't understand this. Can you elaborate? > > Best, > Tim > > _______________________________________________ > bitcoin-dev mailing list > [email protected] > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev _______________________________________________ bitcoin-dev mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
