Require message in musig protocol in an earlier state

[jonasnick]

This PR removes the set_msg function from the musig module and adds a msg argument get_public_nonce which must be non-null if the message has not been set during initialization.

The reason for this is that I think that our current set_msg logic is vulnerable to Wagner's attack. The main problem is that by grinding the message an attacker has control over the final hash being signed.

Assume the combined pubkey of Alice and the attacker is P.
The attacker wants to forge a signature on message m' and opens 3 parallel sessions with Alice.
They exchange nonce commitments and nonces.
Let's call the combined nonces Ri for sessions i = 0,1,2.
Now the attacker draws ka and sets R' = R0 + R1 + R2 + ka*G and runs Wagner's algorithm grinding mi to find

H(P, R',m') = H(P, R1, m1) + H(P, R2, m2) + H(P, R3, m3)

with about 2^100 work (with more parallel sessions requires much less work).

Then the attacker and Alice set the message in session i to mi and Alice creates partial signatures si = ki + H(P, Ri, mi).
Now (R', s' = s0 + s1 + s2) is a valid partial signature under Alice's public key A as well:

s'*G = (k0 + k1 + k2)*G + (H(P, R1, m1) + H(P, R2, m2) + H(P, R3, m3))*A
     = R' - ka*G + H(P, R', m')*A

This signature is completed by the attacker adding the partial signature using nonce ka which results in the forgery.

This PR does keeps allows to set the message after nonce commitments have been exchanged, unfortunately the possibility of pre-sharing nonces while not knowing the messages is removed.

[real-or-random]

Oh nice observation. That the message is fixed upfront is apparently not an artefact of the formal model either...

Concept ACK.

[real-or-random]

Looks good except the nits. I haven't tested it yet.

[real-or-random]

(not touched by this PR:) maybe we can use ARG_CHECK also for the restrictions on n_signers

[real-or-random]

Should we ARG_CHECK this violation?

[jonasnick]

If the rationale for ARG_CHECKing is still "everything that the rust typesystem would have caught" then I guess no.

[apoelstra]

We could prevent this with session types, i.e. have a Session<NonceUnset> and Session<NonceSet>

[jonasnick]

I considered this but thought that this is not exactly the rust type system as you could do something similar with C. But actually this is what we'll be doing in rust. Fixing.

[jonasnick]

Fixed

[real-or-random]

ACK read the code, but did not test it

[apoelstra]

We should probably cut this comment down even further to get rid of the "unless you require" clause.

[jonasnick]

Hm, not sure what exactly you're suggesting. Something like that?

 *              msg32: the 32-byte message to be signed. Shouldn't be NULL. If NULL, must be
 *                           set with `musig_session_get_public_nonce`.

Seems to be less clear. Also I assume sharing nonce commitments won't be a very exotic thing. Lightning will likely use it to avoid roundtrips. I have an open PR in the scriptless scripts repo (BlockstreamResearch/scriptless-scripts#6) that explains how to do this because I was contacted by someone concerned that MuSig will end up being very expensive in communication costs.

[apoelstra]

I think if you change "require sharing public nonces" to "require sharing nonce commitments" I'll be happy

[jonasnick]

fixed

[apoelstra]

I don't have a strong opinion but I feel like this should also be an ARG_CHECK (and that rust-secp should prevent it statically)

[jonasnick]

By using something like a state machine/session types? Yes, fixing.

[jonasnick]

fixed

[apoelstra]

I see a bunch of stuff when I run valgrind ./tests 4 with this code.

Edit: oh for some reason I'm compiling with openssl, that's probably all it is. (Which means some broken Arch package must have depended on openssl recently, because it definitely was not installed before..)

[jonasnick]

rebased

[jonasnick]

ping @apoelstra

[real-or-random]

ACK 6a57be0

[apoelstra]

ACK 6a57be0