Caution on tweaking in bip 327

AdamISZ commented at 1:25 pm on September 11, 2025: contributor

The BIP is quite difficult to parse in terms of understanding the functionality and safety of tweaking keys.

In particular, while it is a terrible idea for more than one reason, constructing a MuSig2 aggregated key using related (bip32 unhardened) individual keys in the list is very specifically insecure, but that is not noted.

It’s admittedly debatable whether you ever have to specify that a certain kind of stupid behaviour is to be warned against, but my justification is:

The BIP is very explicitly “supporting tweaking” right from the Abstract. It isn’t immediately clear that this means tweaking the ouput, not the input. Perhaps a minor note early on would help with that.
Pre- this patch, in the section I’m editing, the document again explicitly says it supports tweaking, and this time, in relation to the input keys. It then goes on to explain the background of the attack outlined on the mailing list (I updated to a gnusha link: https://gnusha.org/pi/bitcoindev/576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com/ ), which is much more “in scope” in the sense that the honest signer behaviour isn’t stupid, but at the same time, the conditions of that attack are quite obscure.
While the behaviour is stupid, it’s not inconceivable, and it sits within perhaps the most likely/common usage pattern of MuSig2: multisig for better cold storage/savings security. Multiple keys controlled by the same signer, using multiple hardware devices for redundant security. As noted by Jonas Nick in an earlier email convo we had, there is at least one reason such stupid behaviour might be considered: less backup (and/or laziness). I admit that a large majority would have the common sense to not reuse the same wallet seed across devices, but in case anyone did it, they are exposed in a specific way that is very unobvious.
To generalize the above, for me the BIP is not sufficiently explicit that the design of the MuSig2 algorithm does not address the possibility of related input keys at all (and it would be easy as an engineer consumer to assume that related keys would be safe, if they didn’t look at the mathematical formulas too much).

If you want a concrete description of the attack, here you go (see Appendix A.2 of DahLIAS for what I mean by “multipliers:”):

2 devices set up with one secret key each, where the keys are on the same branch so that sk1 = sk2 + t for “public” t (handwave).

The network is compromised by the attacker. It exchanges messages with device 1 (sk1); receives nonces, maliciously calculates the response nonces (with the multipliers), receives a partial sig for sk1 and can complete the signing protocol just from knowing t.

The higher-level idea here is (I’m cribbing from an earlier email I wrote):

… which I think nicely illustrates something that occurred to me earlier: there’s a question of “what is authorization?” being raised here. In a single key signature, there is a single authorizing event, so we never worry too much about the “semantics” of the action of signing. It’s one action, and it’s all or nothing: you authorize, or you don’t.

In multi-signing it’s not atomic. The semantics of individual signing events are something decided on by the operator(s) of the protocol. I might want to say “I authorize if and only if 3 different hardware devices sign” (or 3 people or whatever). How does the security definition represent this? I believe the rationale for applying EUF-CMA as in the paper is “we take a maximally pessimistic approach and assume that all except honest are the adversary, then we demand the adversary produce a signature without authorizing events from the honest signer” on the basis that, if the honest signer did authorize, then there is no security failure (the honest signer wanted it!) - but that’s exactly the point I’m questioning.

So it’s back to the slightly confusion position of “that this is possible is worrying, but all the obvious ways of exploiting it as a weakness reduce to an already fundamentally insecure multisig setup (using calculable tweaks of existing keys), and the base security model does not include this” (“capture”, perhaps).

Whimsically I wonder if this can be seen as analogous to EUF style security vs SUF style security: for most purposes you don’t need strong unforgeability but it can cause implementation headaches if you don’t have it (MtGox, hehe).

Update bip-0327.mediawiki

The BIP is quite difficult to parse in terms of understanding the functionality and safety of tweaking keys.

In particular, while it is a terrible idea for more than one reason, constructing a MuSig2 aggregated key using related (bip32 unhardened) individual keys in the list is very specifically insecure, but that is not noted.

It's admittedly debatable whether you ever have to specify that a certain kind of stupid behaviour is to be warned against, but my justification is:

1. The BIP is very explicitly "supporting tweaking" right from the Abstract. It isn't immediately clear that this means tweaking the ouput, not the input. Perhaps a minor note early on would help with that.

2. Pre- this patch, in the section I'm editing, the document again explicitly says it supports tweaking, and this time, in relation to the *input* keys. It then goes on to explain the background of the attack outlined on the mailing list (I updated to a gnusha link: https://gnusha.org/pi/bitcoindev/576db60c-b05b-5b9a-75e5-9610f3e04eda@gmail.com/ ), which is much more "in scope" in the sense that the honest signer behaviour isn't stupid, but at the same time, the conditions of that attack are quite obscure.

3. While the behaviour is stupid, it's not inconceivable, and it sits within perhaps the most likely/common usage pattern of MuSig2: multisig for better cold storage/savings security. Multiple keys controlled by the same signer, using multiple hardware devices for redundant security. As noted by Jonas Nick in an earlier email convo we had, there is at least one reason such stupid behaviour might be considered: less backup (and/or laziness). I admit that a large majority would have the common sense to not reuse the same wallet seed across devices, but in case anyone did it, they are exposed in a specific way that is very unobvious.

4. To generalize the above, for me the BIP is not sufficiently explicit that the design of the MuSig2 algorithm does not address the possibility of related input keys at all (and it would be easy as an engineer consumer to assume that related keys would be safe, if they didn't look at the mathematical formulas too much).

If you want a concrete description of the attack, here you go (see Appendix A.2 of [DahLIAS](https://eprint.iacr.org/2025/692) for what I mean by "multipliers:"):

2 devices set up with one secret key each, where the keys are on the same branch so that sk1 = sk2 + t for "public" t (handwave).

The network is compromised by the attacker. It exchanges messages with device 1 (sk1); receives nonces, maliciously calculates the response nonces (with the multipliers), receives a partial sig for sk1 and can complete the signing protocol just from knowing t.

The higher-level idea here is (I'm cribbing from an earlier email I wrote):

> ... which I think nicely illustrates something that occurred to me earlier: there's a question of "what is authorization?" being raised here. In a single key signature, there is a single authorizing event, so we never worry too much about the "semantics" of the action of signing. It's one action, and it's all or nothing: you authorize, or you don't.

> In multi-signing it's not atomic. The semantics of individual signing events are something decided on by the operator(s) of the protocol. I might want to say "I authorize if and only if 3 different hardware devices sign" (or 3 people or whatever). How does the security definition represent this? I believe the rationale for applying EUF-CMA as in the paper is "we take a maximally pessimistic approach and assume that all except honest are the adversary, then we demand the adversary produce a signature without authorizing events from the honest signer" on the basis that, if the honest signer did authorize, then there is no security failure (the honest signer wanted it!) - but that's exactly the point I'm questioning.

> So it's back to the slightly confusion position of "that this is possible is worrying, but all the obvious ways of exploiting it as a weakness reduce to an already fundamentally insecure multisig setup (using calculable tweaks of existing keys), and the base security model does not include this" ("capture", perhaps).

> Whimsically I wonder if this can be seen as analogous to EUF style security vs SUF style security: for most purposes you don't need strong unforgeability but it can cause implementation headaches if you don't have it (MtGox,  hehe).

bf696165b3

AdamISZ renamed this:
~~Update bip-0327.mediawiki~~
Caution on tweaking in bip 327
on Sep 11, 2025

jonatack added the label Proposed BIP modification on Sep 11, 2025

jonatack added the label Pending acceptance on Sep 11, 2025

in bip-0327.mediawiki:536 in bf696165b3

532@@ -533,8 +533,10 @@ The reference implementation is for demonstration purposes only and not to be us
533 
534 === Signing with Tweaked Individual Keys ===
535 
536-The scheme in this proposal has been designed to be secure
537-even if signers tweak their individual secret keys with tweaks known to the adversary (e.g., as in BIP32 unhardened derivation)
538+Using 2 signing keys that are related with publically known tweaks (such as unhardened BIP32 derivation) is **not secure** in MuSig2 (see the attack described in [https://eprint.iacr.org/2025/692 the DahLIAS paper], Appendix A.2, which applies directly), in the specific sense that an attacker can complete the signing protocol after receiving only 1 partial signature, not 2. If a user were to spread signing keys across multiple hardware devices, but using the same wallet seed and different addresses from the same BIP32 branch, it would therefore not be secure. The same would be true for publically known multiplicative tweaks (K2 = c * K1), as well as additive tweaks (K2 = K1 + t*G).

jonatack commented at 3:40 pm on September 11, 2025:

Changing these two words will make the CI happy.

0Using 2 signing keys that are related with publicly known tweaks (such as unhardened BIP32 derivation) is **not secure** in MuSig2 (see the attack described in [https://eprint.iacr.org/2025/692 the DahLIAS paper], Appendix A.2, which applies directly), in the specific sense that an attacker can complete the signing protocol after receiving only 1 partial signature, not 2. If a user were to spread signing keys across multiple hardware devices, but using the same wallet seed and different addresses from the same BIP32 branch, it would therefore not be secure. The same would be true for publicly known multiplicative tweaks (K2 = c * K1), as well as additive tweaks (K2 = K1 + t*G).

AdamISZ commented at 5:02 pm on September 11, 2025:

Thanks for taking the trouble @jonatack ! I will fix up the spellings (and I think a bunch of other not-quite-right stuff) if the content turns out to be useful.

jonatack commented at 3:42 pm on September 11, 2025: member

cc BIP authors @jonasnick @real-or-random @robot-dreams for feedback

jonasnick commented at 4:02 pm on September 11, 2025: contributor

Hi @AdamISZ, I do not quite understand this PR. The BIP does support unhardened tweaking of the input keys and as far as we know there’s no vulnerability when using this BIP with tweaked input keys. That’s because the BIP implements the countermeasure mentioned in the bitcoin-dev email: “fix is to make the secret key argument to the NonceGen algorithm mandatory”, except that we’ve chosen to make the public key argument mandatory instead of the secret key.

AdamISZ commented at 5:01 pm on September 11, 2025: contributor

Hi @AdamISZ, I do not quite understand this PR. The BIP does support unhardened tweaking of the input keys and as far as we know there’s no vulnerability when using this BIP with tweaked input keys. That’s because the BIP implements the countermeasure mentioned in the bitcoin-dev email: “fix is to make the secret key argument to the NonceGen algorithm mandatory”, except that we’ve chosen to make the public key argument mandatory instead of the secret key.

I also do not understand :) As per our earlier discussion, the scenario: victim has 2 signing devices with sk1 on device 1 and sk2 on device 2, where sk2 = sk1 + t, allows a completed MuSig2 aggregated signature if device 1 follows the steps: (1) share nonces R11, R12 and then after receiving R21, R22, shares partial sig s_1 = r_11 + b*r_12 + H(X~, R, m)a_1sk1 . Based on the attacker calculating R21 and R22 as multiples (a2/a1)*R11, (a2/a1)*R12. (I believe you’d earlier agreed that this does constitute an attack, though, as qualified at perhaps painful length in my description above, it’s only an “attack” against a very unwise/stupid setup!).

How does the mitigation you mention affect this? That mitigation addresses the possibility that the honest signer might have pre-stored nonces and then the attacker can grind t values to use those nonces with different tweaked keys and parallel executions to do a Wagner attack. Here I’m just talking about using a key and a publicly known tweak at two indices (the whole thing about “outside the security definition” to have “two honest signer indices”).

jonasnick commented at 9:20 pm on September 11, 2025: contributor

Ah, sorry, you’re referring to this discussion on the ML from April which I had forgotten about. This is indeed not fixed by making the public key a mandatory argument to NonceGen. And on the ML I did say that it may make sense to mention this in the BIP. I was thrown off by

MuSig2 aggregated key using related (bip32 unhardened) individual keys in the list is very specifically insecure

because I don’t think it’s very specifically insecure. Security here is a matter of definitions. In the attack you outline, both signing devices have the same secret key, but with different tweaks. This is “stupid” as you say because it defeats the purpose of multisignatures, where a compromise of one of the keys does not allow forging signatures. Your attack allows to completing the signature to a Schnorr signature, even though only one device has signed. However, because a partial signature is needed, the owner of the secret key did authorize the message. We also do not specifically point out in the BIP that using the same key multiple times is insecure, because a partial signature for one of the keys is also a partial signature for the others. That’s why the wording “is insecure” sounds a bit too strong to me.

Also, there’s maybe a better citation than Appendix A.2 of the DahLIAS paper because it attacks a different scheme (MuSig2-IAS) and the attack is qualitatively different: it allows forging a signature for a different message, not the same one.

AdamISZ commented at 0:35 am on September 12, 2025: contributor

We also do not specifically point out in the BIP that using the same key multiple times is insecure, because a partial signature for one of the keys is also a partial signature for the others. That’s why the wording “is insecure” sounds a bit too strong to me.

Yes. It’s clearly debatable whether this needs to be written somewhere, given the extensive caveats, and also the wording/presentation is debatable as you say; this PR was basically a first, or a zero-th draft.

I think what leads me to suggest adding a note is that it’s a weakness, of some sort, that slips between the cracks; while you’d struggle to find any engineer that thought using related keys like this was a good idea, I’m not at all sure if you’d get an overwhelming number of them that knew that doing it is unsafe not only because getting access to one key gains control of both (or more) signers, but even when the secret key is not leaked (with an active attack).

Further, depending on the implementation, this is a deployment decision, i.e. it’s not only a coder but more a user that can make this bad decision.

If I were trying to be imaginative and come up with some new scheme (using multisig) where this mattered, I would fail, because I can’t imagine a scheme where someone might think it sensible to have two keys governed by the same secret key material, acting as additional authorization, when they could use two actually different keys instead. Perhaps I just lack imagination! So I did my best to outline in the above, a situation where, however badly considered, someone in user-land might actually do it.

Without any warning at any level of the “stack” (neither the original paper for the protocol, nor the BIP, nor any implementation of the BIP), it is conceivable that a user of an implementation might foolishly do it, thinking that “MuSig2 is designed to be safe in the presence of tweaks”, which is a reasonable conclusion to draw from this BIP, at least absent a super-careful reading, and most specifically because there is an existing paragraph defining how (public) key checking in NonceGen defends against one real (if very corner-case-y) attack that uses tweaks.

Also, there’s maybe a better citation than Appendix A.2 of the DahLIAS paper because it attacks a different scheme (MuSig2-IAS) and the attack is qualitatively different: it allows forging a signature for a different message, not the same one.

Yes. I wrote this because that’s where I saw it; the attack mechanism is written clearly there. A different citation makes sense to avoid the confusion you mention.

Caution on tweaking in bip 327 #1964