What question did this study set out to answer?

This research aims to analyze the security of Fiat-Shamir transcript binding in the Monero-Oxide CLSAG multisig implementation.

March 24, 2026Open Access

Fiat-Shamir Transcript Forking in monero-oxide CLSAG Multisig

Key Points

This research aims to analyze the security of Fiat-Shamir transcript binding in the Monero-Oxide CLSAG multisig implementation.
Conducted a security analysis on the CLSAG multi-signature implementation.
Examined the impact of omitting nonce binding in the signing process.
Demonstrated a proof of concept for the ROS attack.
Reviewed upstream dependencies for vulnerabilities.
Identified that omitting nonce binding reduces protocol security to the ROS problem.
Confirmed the attack geometry is valid for forged ring signatures.
Proposed a remediation patch to enhance security.

Abstract

Security analysis of Fiat-Shamir transcript binding in the monero-oxide CLSAG threshold multi-signature implementation. The analysis identifies that omitting individual nonce binding in the signing challenge derivation reduces the protocol to the ROS problem, enabling forged ring signatures. The vulnerability class is correctly described and the attack geometry is valid. Post-disclosure review confirmed that individual nonce binding is provided by the upstream modular-frost dependency via serai-dex/serai (crypto/frost/src/sign.rs), which was not traced during the initial analysis of monero-clsag directly. The proof of concept demonstrates the ROS attack in isolation. Includes formal description of the transcript fork, severity classification, and proposed remediation patch.

Read Full Paperexternally

Bookmark

View Full Paper

Cite This Study

David Tsarskykh (Sun,) studied this question.

synapsesocial.com/papers/69c22982aeb5a845df0d40e6 https://doi.org/https://doi.org/10.5281/zenodo.19161816

Bookmark

View Full Paper