Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: kushti on May 03, 2016, 08:46:58 PM



Title: Aggregated Schnorr Signatures Are Not Provably Secure Without Key-Prefixing
Post by: kushti on May 03, 2016, 08:46:58 PM
From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion it is assumed there that multi-user Schnorr has about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note that the absence of provable security doesn't mean a practical attack exists. One could be found a few years later, though. Bitcoin devs, please take care.



Title: Re: Aggregated Schnorr Signatures Are Not Provably Secure Without Key-Prefixing
Post by: gmaxwell on May 04, 2016, 07:20:18 AM
Quote from: kushti on May 03, 2016, 08:46:58 PM
From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion it is assumed there that multi-user Schnorr has about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note that the absence of provable security doesn't mean a practical attack exists. One could be found a few years later, though. Bitcoin devs, please take care.

We're aware. (Though thank you; we might not have been, as well.) In general I prefer prefixing (without it the signature is not really a proof of knowledge), and the libsecp256k1 "test schnorr" construction goes out of its way to enable things like compact signature key recovery while also using prefixing.
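The following is an added example, not code from either post or from libsecp256k1, illustrating what "key-prefixing" means for both kushti's point and gmaxwell's remark that an unprefixed signature is not really a proof of knowledge. It implements textbook Schnorr over secp256k1 in pure Python with the challenge computed either as H(R || m) (unprefixed) or H(R || P || m) (key-prefixed). The demonstration is the standard related-key observation: an unprefixed signature (R, s) valid for key P on m can be turned into a valid signature for P' = P + d*G on the same m by anyone who knows d, without knowing the secret key of P or P'; with the public key hashed into the challenge, the same transformation fails. The hash-to-challenge encoding (SHA-256 over compressed points, reduced mod n), the demo key, the nonce and the message are all constructed for this example and do not follow any particular standard's encoding.

```python
import hashlib
import secrets

# secp256k1 curve parameters (standard values).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    """33-byte compressed encoding used inside the challenge hash."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def challenge(R, pubkey, msg, key_prefixed):
    """e = H(R || m) without prefixing, e = H(R || P || m) with it (constructed encoding)."""
    data = encode(R) + (encode(pubkey) if key_prefixed else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(privkey, msg, key_prefixed, nonce=None):
    """Schnorr signature (R, s) with s = k + e*x mod n."""
    pubkey = point_mul(privkey, G)
    k = nonce if nonce is not None else 1 + secrets.randbelow(N - 1)
    R = point_mul(k, G)
    e = challenge(R, pubkey, msg, key_prefixed)
    return (R, (k + e * privkey) % N)


def verify(pubkey, msg, sig, key_prefixed):
    """Accept iff s*G == R + e*P."""
    R, s = sig
    e = challenge(R, pubkey, msg, key_prefixed)
    return point_mul(s, G) == point_add(R, point_mul(e, pubkey))


def transfer_signature(sig, pubkey, msg, delta, key_prefixed):
    """Attempt to re-target (R, s) to the related key P' = P + delta*G.

    Uses only public data plus delta: s' = s + e*delta. Without key-prefixing
    e depends only on (R, m), so the result verifies under P' even though the
    secret key x + delta was never known to the caller."""
    R, s = sig
    e = challenge(R, pubkey, msg, key_prefixed)
    new_pub = point_add(pubkey, point_mul(delta, G))
    return new_pub, (R, (s + e * delta) % N)


def demo():
    """Returns {key_prefixed: (original verifies, transferred verifies)}."""
    x = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed demo key
    nonce = 0x9E56F509196784FE3CAE2A2DC7B6C6BEB1BE17A8E2D7C93C8C9A1F3DCE9B5EF1  # constructed, fixed for repeatability
    msg = b"constructed demo message"
    pub = point_mul(x, G)
    results = {}
    for prefixed in (False, True):
        sig = sign(x, msg, prefixed, nonce=nonce)
        new_pub, new_sig = transfer_signature(sig, pub, msg, 7, prefixed)
        results[prefixed] = (verify(pub, msg, sig, prefixed),
                             verify(new_pub, msg, new_sig, prefixed))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{False: (True, True), True: (True, False)}`: the unprefixed scheme accepts the re-targeted signature under a key nobody holds the secret for, which is exactly why a signature that does not commit to the public key is not by itself a proof of knowledge of that key. A fixed nonce is used here only so the output is reproducible; in real use the nonce must be unique per signature or the secret key leaks.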