17:04:56 Very interesting preprint on an attack applying to (among other things) two-round MuSig: https://eprint.iacr.org/2020/945.pdf
17:06:01 Previously it wasn't known if 2-round MuSig was secure in practice, but there was not a proof
17:06:08 Now there's an answer!
17:27:56 and the answer is no?
17:45:42 If correct, it means there's a polynomial-time algorithm against two-round MuSig
17:46:06 But the MuSig authors had already noted you need 3 rounds for provable security
17:46:18 This preprint also claims polynomial complexity attacks on some blind signature schemes too
17:46:25 I'm going through it now
17:55:28 Just started preparing for multisig security patches
17:55:36 yesterday
17:57:52 How so UkoeHB_?
17:58:13 (bearing in mind that existing keys need to keep working)
18:00:40 Figuring out what needs changing
18:01:04 Yeah maintaining backwards compatibility seems like the trickiest part =p
18:01:06 Robust key aggregation should be safe and relatively easy
18:07:32 Sure; the practical issue seems more about ensuring that existing multisig key distributions continue operating
18:10:22 Similar things arise for old-version transaction proofs, wallet signatures, etc.
21:12:30 sarang: I know it just came out, but do you know when you'll be able to finish your review of the Atomic Swap paper?
21:13:06 plenty of excitement around and I'm not sure if it needs to be tempered a bit until we hear your opinion
21:14:21 also, the author said the paper was written "together with the MRL" while you commented that "it's still being reviewed". wondering about that
21:20:35 I kind of wonder how much backward compatibility is required. If barely anyone is using multisig, then we might be able to get by with 'yo, upgrade and try try again'
21:22:13 We can't allow any loopholes where old formats are still permitted, meaning people can hack the client to exploit the weakness