Let's consider the following assumptions:

  1. A computer can compute the private key from the public key in n years (with n being a small number, give or take). Of course, this assumption is highly hypothetical and currently considered unrealistic.

  2. The public keys for multisignature accounts are known. We assume here that they are not hashed or otherwise hidden. I'm also assuming that MuSig2 is used for multisignature accounts. This is expected to happen in Bitcoin, if I'm not mistaken. Besides, MuSig2 cannot be used for CISA since it only allows a single message to be passed (tell me if I'm wrong).

Now, since Assumption 2 holds, we can aggregate the set of public keys using MuSig2, producing a single aggregate public key, AggPub. Because it's a valid x-only public key, there are exactly two corresponding private keys, Priv1 and Priv2, linked to AggPub. By knowing one of them, you can easily know the other by negating the first private key.

From Assumption 1, can we compute one of the private keys (Priv1 or Priv2) from AggPub in the same amount of time, i.e., n years? From my perspective, yes we can.

Of course, Assumption 1 is too strong. But if the answer to the question is yes, it would suggest that signature compression is not the best trade-off here. In fact, this could even be exploited for zombie accounts using MuSig2, allowing the unlocking of dormant funds with just a single private key by performing a simple Schnorr signature.

1 Answer

Yes, absolutely.

The output of MuSig2 key aggregation is a normal public key, which has a corresponding private key; it just so happens that no individual party knows that aggregate private key. They could, if they wished to, compute the aggregate private key by revealing their individual private keys to each other. That wouldn't be advisable (as it undoes the benefits of having separate key holders in the first place), but it is theoretically possible, and computationally trivial.

The point of MuSig2 is having observable behavior that is indistinguishable from a normal individual single signer. The aggregate public keys are indistinguishable from individual single public keys, and the resulting signature is indistinguishable from an individual single signature for it. Without this property, the privacy benefits of MuSig2 would be largely moot. But that does imply the same for attackers: they can treat it as if it were a single public key too.

> But if the answer to the question is yes, it would suggest that signature compression is not the best trade-off here. In fact, this could even be exploited for zombie accounts using MuSig2, allowing the unlocking of dormant funds with just a single private key by performing a simple Schnorr signature.

If you are concerned about the security of secp256k1, for whatever reason, you shouldn't use it at all. No multi-signature scheme, aggregated or not, is going to save you if the cryptography beneath it all is broken.
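The following is an added, self-contained example (not code from the question, the answer, or any Bitcoin project) that makes the answer's point concrete: run BIP327 (MuSig2) key aggregation over three constructed cosigner public keys, compute the scalar behind the aggregate key from the three secrets (which is only possible if the cosigners pool their keys), observe that both that scalar and its negation map to the same x-only aggregate key, and then produce and verify an ordinary BIP340 single-signer Schnorr signature with it. The curve arithmetic is pure Python, unoptimised and not constant-time; it is for illustration only. The three secret keys and the message are constructed for the example.

```python
# Added example: BIP327 KeyAgg yields an ordinary secp256k1 x-only key whose
# secret is sum(a_i * x_i) mod n. Pure Python, unoptimised, NOT constant-time.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def point_add(a, b):
    """Affine secp256k1 addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and a[1] != b[1]:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point_mul(k: int, pt):
    """Double-and-add scalar multiplication (leaks timing; demo only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return r


def has_even_y(pt) -> bool:
    return pt[1] % 2 == 0


def lift_x(x: int):
    """BIP340 lift_x: the curve point with this x and even y, or None."""
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)           # P % 4 == 3, so this is a sqrt
    if pow(y, 2, P) != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)


def compressed(pt) -> bytes:
    return (b"\x02" if has_even_y(pt) else b"\x03") + pt[0].to_bytes(32, "big")


def decompress(pk: bytes):
    pt = lift_x(int.from_bytes(pk[1:], "big"))
    return pt if pk[0] == 2 else (pt[0], P - pt[1])


def key_agg_coeffs(pubkeys):
    """BIP327 KeyAgg coefficients a_i for a list of 33-byte plain pubkeys."""
    pk2 = next((pk for pk in pubkeys[1:] if pk != pubkeys[0]), bytes(33))
    L = tagged_hash("KeyAgg list", b"".join(pubkeys))
    return [1 if pk == pk2 else
            int.from_bytes(tagged_hash("KeyAgg coefficient", L + pk), "big") % N
            for pk in pubkeys]


def key_agg(pubkeys) -> bytes:
    """BIP327 aggregate key Q = sum(a_i * P_i), returned as 32-byte x-only."""
    Q = None
    for pk, a in zip(pubkeys, key_agg_coeffs(pubkeys)):
        Q = point_add(Q, point_mul(a, decompress(pk)))
    return Q[0].to_bytes(32, "big")


def aggregate_secret(seckeys) -> int:
    """Scalar behind key_agg(): sum(a_i * x_i) mod n. Needs ALL secrets, which
    is exactly the pooling the answer says defeats the purpose of MuSig2."""
    coeffs = key_agg_coeffs([compressed(point_mul(d, G)) for d in seckeys])
    return sum(a * x for a, x in zip(coeffs, seckeys)) % N


def schnorr_sign(sk: int, msg: bytes, aux: bytes = bytes(32)) -> bytes:
    """BIP340 single-signer signature; sk and N - sk give the same x-only key."""
    Pk = point_mul(sk, G)
    d = sk if has_even_y(Pk) else N - sk   # pick the secret with even-y pubkey
    px = Pk[0].to_bytes(32, "big")
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + px + msg), "big") % N
    R = point_mul(k0, G)
    k = k0 if has_even_y(R) else N - k0
    rx = R[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", rx + px + msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """BIP340 verification against a 32-byte x-only key."""
    Pk = lift_x(int.from_bytes(pk, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if Pk is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = point_add(point_mul(s, G), point_mul(N - e, Pk))   # s*G - e*P
    return R is not None and has_even_y(R) and R[0] == r


def demo():
    # Constructed secrets for three hypothetical cosigners (example data only).
    seckeys = [int.from_bytes(hashlib.sha256(b"cosigner %d" % i).digest(), "big") % N
               for i in range(3)]
    agg_pk = key_agg([compressed(point_mul(d, G)) for d in seckeys])  # on-chain view
    agg_sk = aggregate_secret(seckeys)
    # The "two private keys" of the question: agg_sk and N - agg_sk share agg_pk.
    same_key = all(point_mul(d, G)[0].to_bytes(32, "big") == agg_pk
                   for d in (agg_sk, N - agg_sk))
    msg = hashlib.sha256(b"spend the dormant coins").digest()   # constructed
    sig = schnorr_sign(agg_sk, msg)        # one scalar, one plain Schnorr signature
    return same_key, schnorr_verify(agg_pk, msg, sig)


if __name__ == "__main__":
    print(demo())
```

The aggregate key comes out of `key_agg` using only the cosigners' public keys, so a verifier (or an attacker) never sees anything but a single x-only key; `aggregate_secret` shows the one scalar that stands behind it, and `schnorr_sign` shows that whoever holds that scalar needs nothing from MuSig2's signing protocol at all.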
