Very interesting preprint on an attack applying to (among other things) two-round MuSig: eprint.iacr.org/2020/945.pdf

Previously it wasn't known if 2-round MuSig was secure in practice, but there was not a proof

Now there's an answer!

and the answer is no?

If correct, it means there's a polynomial-time algorithm against two-round MuSig

But the MuSig authors had already noted you need 3 rounds for provable security

This preprint also claims polynomial complexity attacks on some blind signature schemes too

I'm going through it now

Just started preparing for multisig security patches

yesterday

How so UkoeHB_?

(bearing in mind that existing keys need to keep working)

Figuring out what needs changing

Yeah maintaining backwards compatibility seems like the trickiest part =p

Robust key aggregation should be safe and relatively easy

Sure; the practical issue seems more about ensuring that existing multisig key distributions continue operating

Similar things arise for old-version transaction proofs, wallet signatures, etc.

sarang: I know it just came out, but do you know when you'll be able to finish your review of the Atomic Swap paper?

plenty of excitement around and I'm not sure if it needs to be tempered a bit until we hear your opinion

also, the author said the paper was written "together with the MRL" while you commented that "it's still being reviewed". wondering about that

I kind of wonder how much backward compatibility is required. If barely anyone is using multisig, then we might be able to get by with 'yo, upgrade and try try again'

We can't allow any loopholes where old formats are still permitted, meaning people can hack the client to exploit the weakness