Fix 'Wagner/Drijvers attack' in Monero multisig [$2500] #103

Closed
erciccione opened this issue Aug 4, 2021 · 9 comments
Labels
a:monero Changes related to Monero 💰bounty There is a bounty on this issue is:bug Something isn't working as expected P3 normal priority

Comments

@erciccione
Contributor

Monero's multisig is vulnerable to the Wagner attack, where if multiple signatures are constructed for a given address, and the Wagner attack is executed, then the attacker can learn the private key shares of other participants.

This (and #102 ) has been discussed with Monero's core team (@luigi1111) and researchers (@moneromooo-monero, @SarangNoether and @UkoeHB.)

Sarang's suggestion is to fix the vulnerability by implementing the constructions specified in MRL-0009. Discussions are ongoing.

@erciccione erciccione added is:bug Something isn't working as expected P2 high priority a:monero Changes related to Monero labels Aug 4, 2021
@erciccione erciccione changed the title Fix 'Wagner attack' in Monero multisig Fix 'Wagner attack' in Monero multisig [$2500] Aug 4, 2021
@erciccione erciccione added the 💰bounty There is a bounty on this issue label Aug 4, 2021
@github-actions

github-actions bot commented Aug 4, 2021

There is a bounty on this issue, the amount is in the title. The bounty will be awarded to the first person(s) who resolves this issue. Read the full conditions in the 'bounties.md' file. If you are starting to work on this issue, please write a comment here, so that we can assign the issue to you and avoid duplicated work.

@UkoeHB

UkoeHB commented Aug 10, 2021

Hi @AAH20, thanks for your interest in this topic :)

both arguments will be swapped with freshly generated obfuscated secret-key alternatives using the permutation method

The 'Wagner attack' is not related to the multisig private view key. Instead, it is thought to be a problem with generating multisig signatures (e.g. Schnorr proofs, etc.).

Therefore I have an important note about the implementation of the account_keys data structure as a struct, because it is not efficient when it comes to garbage management; it should have been implemented as a class to facilitate the use of destructor methods.

In C++, struct and class are two names for the same thing. Structs/classes have default/implicit destructors if not user-defined. When a struct instance goes out-of-scope or is de-allocated, all its member variables' destructors will be called (if they are user-defined types; built-in types get cleaned up automatically).

A bit more detail:

[When destroying an object, t]he body of an object's destructor is executed, followed by the destructors of the object's data members (in reverse order of their appearance in the class definition), followed by the destructors of the object's base classes (in reverse order of their appearance in the class definition).
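The destruction order described above, shown as an added example (not code from the Monero code base): a plain struct with no user-written destructor, standing in for account_keys, still runs its members' destructors, in reverse declaration order, whether it leaves scope or is deleted from the heap. The `Member` type and the global log are constructed here purely to record the order.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed for this example: records the order in which destructors run.
static std::vector<std::string> g_log;

// A user-defined type whose destructor logs its own name.
struct Member {
    std::string name;
    explicit Member(std::string n) : name(std::move(n)) {}
    ~Member() { g_log.push_back(name); }
};

// A plain struct with no user-defined destructor (like account_keys in the
// discussion). Its implicit destructor still destroys `second`, then `first`.
struct Keys {
    Member first{"first"};
    Member second{"second"};
    int builtin = 0;  // built-in type: nothing to run, storage is just released
};

// Same members plus a user-defined destructor: its body runs before the members.
struct WithDtor {
    Member first{"first"};
    Member second{"second"};
    ~WithDtor() { g_log.push_back("body"); }
};

// Destruction order when a Keys goes out of scope on the stack.
std::vector<std::string> destroy_plain_struct() {
    g_log.clear();
    { Keys k; (void)k; }
    return g_log;  // {"second", "first"}
}

// Destruction order when a heap-allocated Keys is deleted (via unique_ptr).
std::vector<std::string> destroy_heap_allocated() {
    g_log.clear();
    auto p = std::make_unique<Keys>();
    p.reset();  // delete runs the implicit destructor, which destroys members
    return g_log;  // {"second", "first"}
}

// Destruction order with a user-defined destructor body present.
std::vector<std::string> destroy_with_dtor() {
    g_log.clear();
    { WithDtor w; (void)w; }
    return g_log;  // {"body", "second", "first"}
}
```

Declaring `Keys` with `class` and a `public:` label instead of `struct` would give identical behaviour; only the default access changes.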

@chaserene

chaserene commented Sep 19, 2021

Going by this comment, maybe a more actionable title for this bounty would be "Implement thring signatures", wouldn't it? Or do you see a better solution?

@UkoeHB

UkoeHB commented Oct 16, 2021

Fixing this should be a lot easier than expected with FROST-style binonce signing. Here is a technical note I wrote discussing the problem and solution.

@selsta

selsta commented Dec 19, 2021

As far as I know monero-project/monero#8113 fixes Wagner/Drijvers attack. @UkoeHB could you confirm?

@UkoeHB

UkoeHB commented Dec 19, 2021

Yes

@UkoeHB

UkoeHB commented Oct 18, 2022

This was fixed here, the original author @perfect-daemon gets credit if he ever wants to claim this bounty.

@woodser
Contributor

woodser commented Oct 21, 2022

Excellent. @perfect-daemon, please let me know if you want to claim this bounty. :) Thanks @UkoeHB!

@woodser
Contributor

woodser commented Jan 27, 2024

Closing this issue. @perfect-daemon please let us know if you wish to claim the bounty. :)

@woodser woodser closed this as completed Jan 27, 2024