Attacking Schnorr based protocols with ROS: DahLIAS and Cross-Input Signature Aggregation

This thesis investigates the cryptographic security of Schnorr-based signature schemes, centering on the significant and evolving threat posed by the Random Inhomogeneities in a Overdetermined Solvable system of linear equations (ROS) attack. While the linearity of Schnorr signatures is fundamental to the scalability and privacy enhancements introduced in Bitcoin's Taproot upgrade, this same property creates an intrinsic vulnerability that can be exploited to compromise protocol security. The core of the research is a detailed examination of the ROS attack, tracing its cryptanalytic origins and analyzing its modern variants, including recently developed polynomial-time attacks that challenge the foundational assumptions of numerous cryptographic constructions. In response to this persistent threat, the thesis evaluates the design and security of key countermeasures. Protocols such as MuSig and MuSig2 are analyzed not merely as incremental improvements, but as critical developments engineered specifically to neutralize ROS-based exploits in multi-party computations. The study further extends to the frontier of Cross-Input Signature Aggregation (CISA), presenting an in-depth analysis of the DahLIAS protocol as an advanced, provably secure solution. A key contribution of this work is demonstrating how the meticulous design of DahLIAS, particularly its internal validation mechanisms, provides a robust and elegant defense against the ROS attack. This work posits that a thorough understanding of the ROS problem is indispensable for the secure development of next-generation cryptographic protocols. It connects the theoretical underpinnings of the attack to the practical engineering of resilient signature schemes, framing the evolution of Schnorr-based cryptography as a direct response to this fundamental security challenge.