Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: LeGaulois on April 03, 2018, 07:18:28 PM



Title: What's the worst thing that could happen with Schnorr signature
Post by: LeGaulois on April 03, 2018, 07:18:28 PM
If the Schnorr signature protocol is not robust enough, badly implemented, broken or whatever, what could be worse for Bitcoin?
(Speaking of the technical side and not the speculative.)

While most of us are excited to see these solutions coming, there are still some fears we should have, don't you think?
Schnorr needs to be robustly developed and tested prior to potential rollout, because Bitcoin is a multi-billion dollar market cap, and not a test environment in your VM with 250 MB of RAM.
Didn't we have the case where developers found that Schnorr signatures made Bitcoin susceptible to new 'rogue attack' vectors?

It can also be considered a threat, so the word may sound exaggerated, but... well.



Title: Re: What's the worst thing that could happen with Schnorr signature
Post by: achow101 on April 03, 2018, 08:17:20 PM
Schnorr signatures are actually a somewhat broad topic that includes many things. Schnorr signatures are a cryptographic scheme, but to actually be used in Bitcoin, you still have to use that cryptography in a specific way besides just the signature algorithm itself. There are certainly insecure ways to use Schnorr signatures, just as there are insecure ways to use ECDSA or RSA signatures.

Didn't we have the case where developers found that Schnorr signatures made Bitcoin susceptible to new 'rogue attack' vectors?
Yes, there was. There was a scheme using Schnorr signatures for key aggregation that was originally proposed and that was insecure. But this doesn't mean Schnorr signatures themselves are insecure, just that specific cryptosystem that happened to use Schnorr signatures.

If the Schnorr signature protocol is not robust enough, badly implemented, broken or whatever, what could be worse for Bitcoin?
It would mean that, at worst, sensitive data such as private keys (but not necessarily private keys) are revealed, which allows an attacker to forge or create a signature that he should not be able to. This could result in coins being stolen.

While most of us are excited to see these solutions coming, there are still some fears we should have, don't you think?
Not really. The cryptography itself can be proven to be sound. It is just mathematics, there's nothing special about it. For example, the key and signature aggregation scheme that uses Schnorr signatures that is likely to be used - MuSig - has a formal security proof that takes up a large part of the paper describing that scheme. Since it is just mathematics, the proof, assuming that there are no errors in it (so it needs review from other cryptographers), proves that the cryptography is sound assuming that the discrete logarithm problem is hard (which we currently do assume). This means that any software which follows the spec for MuSig will not create anything that results in sensitive data being leaked.

Of course there could be some insecure implementation of MuSig, but that's not a problem unique to it. There have been many insecure implementations of ECDSA which have resulted in lost coins. Even secure implementations that use a bad PRNG result in leaked private keys.

Schnorr needs to be robustly developed and tested prior to potential rollout, because Bitcoin is a multi-billion dollar market cap, and not a test environment in your VM with 250 MB of RAM.
It certainly will. But with regards to the cryptography itself, the scheme itself will probably not be accepted unless it has a formal security proof.
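The two failure modes achow101 names above, a key-aggregation scheme that is insecure even though plain Schnorr is fine (the rogue-key attack) and a bad PRNG leaking private keys, are easy to see concretely. The following is an added example written for this page, not code from the thread, from MuSig or from Bitcoin. It assumes a toy 64-bit Schnorr group (a safe prime p = 2q + 1, generator 4), a constructed byte encoding for the challenge hash, and illustrative function names (`recover_key_from_nonce_reuse`, `rogue_key`, `naive_aggregate`, `musig_aggregate`). It shows (1) that reusing a nonce across two signatures hands the private key to anyone who sees both, (2) that with naive aggregation X = X1 * X2 an attacker who publishes X2' = g^x2 / X1 can sign for the aggregate key alone, and (3) that MuSig-style per-key coefficients a_i = H(L, X_i) make that same rogue key useless to him.

```python
"""Toy Schnorr over a safe-prime group: nonce reuse (bad PRNG) leaks the key,
naive key aggregation falls to a rogue key, MuSig-style coefficients block it.
Added example, not forum or Bitcoin code; the 64-bit group is for demonstration only."""
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24 (covers our 64-bit p)."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """First safe prime p = 2q + 1 with q above 2**(bits-1); g = 4 always has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = make_group()

def H(*parts):
    """Challenge e = H(R, X, m) mod q; the byte encoding is a constructed convention."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, X, msg, k=None):
    """Normal use draws a fresh nonce k; passing k explicitly models a broken PRNG."""
    k = k if k is not None else secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + H(R, X, msg) * x) % Q

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, H(R, X, msg), P) % P

def recover_key_from_nonce_reuse(X, m1, sig1, m2, sig2):
    """Same R in two signatures: s1 - s2 = (e1 - e2) * x mod q, so x falls out."""
    (R1, s1), (R2, s2) = sig1, sig2
    e1, e2 = H(R1, X, m1), H(R2, X, m2)
    if R1 != R2 or e1 == e2:
        raise ValueError("needs a shared nonce and distinct challenges")
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q

def naive_aggregate(*pubkeys):
    """X = X1 * X2 * ...: the aggregation that is open to rogue keys."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % P
    return agg

def musig_aggregate(*pubkeys):
    """MuSig-style: X = prod X_i^{a_i} with a_i = H(L, X_i), L = sorted key list."""
    L = sorted(pubkeys)
    agg = 1
    for X in pubkeys:
        agg = agg * pow(X, H(L, X), P) % P
    return agg

def rogue_key(honest_X):
    """Attacker publishes X2' = g^x2 / X1; naively X1 * X2' = g^x2, a key only he holds."""
    x2 = secrets.randbelow(Q - 1) + 1
    return x2, pow(G, x2, P) * pow(honest_X, -1, P) % P

def demo():
    x, X = keygen()
    k = secrets.randbelow(Q - 1) + 1            # the "PRNG" hands out the same k twice
    s1, s2 = sign(x, X, b"tx-1", k), sign(x, X, b"tx-2", k)
    x2, X2 = rogue_key(X)                        # attacker never learns x
    naive, musig = naive_aggregate(X, X2), musig_aggregate(X, X2)
    return {
        "honest_sigs_verify": verify(X, b"tx-1", s1) and verify(X, b"tx-2", s2),
        "key_leaked": recover_key_from_nonce_reuse(X, b"tx-1", s1, b"tx-2", s2) == x,
        "naive_agg_forged": verify(naive, b"drain", sign(x2, naive, b"drain")),
        "musig_agg_forged": verify(musig, b"drain", sign(x2, musig, b"drain")),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `honest_sigs_verify`, `key_leaked` and `naive_agg_forged` all true and `musig_agg_forged` false. The point matches the post: nothing in the signature equation changed between the naive and the MuSig aggregate, only the way the keys are combined, and with the coefficients the attacker's aggregate becomes g^(a2*x2) * X1^(a1 - a2), whose discrete log he does not know. Real deployments use secp256k1 and the BIP-340 encoding rather than this toy group, and draw nonces deterministically from the key and message precisely so the reuse shown here cannot happen.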