Bitcoin Forum
Topic: Aggregated Schnorr Signatures Are Not Provably Secure Without Key-Prefixing
kushti (OP)
Full Member
May 03, 2016, 08:46:58 PM
#1

From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion it is assumed there that multi-user Schnorr has about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note the absence of provable security doesn't mean a practical attack exists. It could be found a few years later though. Bitcoin devs, please take care.


Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
gmaxwell
Moderator, Legendary
May 04, 2016, 07:20:18 AM
#2

Quote from: kushti on May 03, 2016, 08:46:58 PM
From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion it is assumed there that multi-user Schnorr has about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note the absence of provable security doesn't mean a practical attack exists. It could be found a few years later though. Bitcoin devs, please take care.

We're aware. (Though thank you, we could not have been as well.) In general I prefer prefixing: without it the signature is not really a proof of knowledge, and the libsecp256k1 "test schnorr" construction goes out of its way to enable things like compact signature key recovery while also using prefixing.
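Added illustration for both posts above (this is not code from the thread, from libsecp256k1 or from the Bernstein paper): a toy Schnorr implementation over secp256k1 in Python that computes the challenge hash both ways, e = H(R || m) and key-prefixed e = H(R || P || m), and runs the binding check behind gmaxwell's "not really a proof of knowledge" remark. Without prefixing a valid signature under P can be re-targeted to a related key P' = P + tG by anyone who knows t, so verification no longer attests knowledge of log(P'); with prefixing the challenge under P' differs and the re-targeted signature is rejected. The curve constants are the real secp256k1 parameters; the private key, offset t and message are constructed test values, and the nonce derivation is a hash-based simplification (not RFC 6979 or BIP340).

```python
"""Toy Schnorr over secp256k1: challenge hash with and without key-prefixing.
Added example for this thread; not libsecp256k1 code. Demonstration only."""
import hashlib

# Real secp256k1 parameters: field prime, group order, generator.
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                      # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def scalar_mult(k, A):
    """Double-and-add (not constant time; fine for a demonstration)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def encode(A):
    """Uncompressed 64-byte x||y encoding used as hash input."""
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def challenge(R, pub, msg, key_prefixed):
    """e = H(R || m) (plain) or e = H(R || P || m) (key-prefixed)."""
    data = encode(R) + (encode(pub) if key_prefixed else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_ORDER


def sign(x, msg, key_prefixed):
    pub = scalar_mult(x, G)
    # Deterministic nonce from secret, message and variant so the two
    # variants never share k. Simplification of RFC 6979, not the real thing.
    seed = x.to_bytes(32, "big") + msg + bytes([key_prefixed])
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (N_ORDER - 1) + 1
    R = scalar_mult(k, G)
    e = challenge(R, pub, msg, key_prefixed)
    return (R, (k + e * x) % N_ORDER)


def verify(pub, msg, sig, key_prefixed):
    R, s = sig
    e = challenge(R, pub, msg, key_prefixed)
    return scalar_mult(s, G) == point_add(R, scalar_mult(e, pub))


def related_key_transfer(pub, msg, sig, t, key_prefixed):
    """Binding check: try to move a signature under P to P' = P + tG.
    Without prefixing e does not depend on P, so s' = s + e*t verifies under
    P' although nobody knows log(P'). With prefixing the challenge under P'
    differs and the transferred signature is rejected."""
    R, s = sig
    e = challenge(R, pub, msg, key_prefixed)
    pub2 = point_add(pub, scalar_mult(t, G))
    return pub2, (R, (s + e * t) % N_ORDER)


def demo():
    """Returns {key_prefixed: (verifies under P, verifies under P + tG)}."""
    x = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
    t = 0x2A2A2A2A                                                          # constructed
    msg = b"constructed message for the Schnorr demo"
    out = {}
    for key_prefixed in (False, True):
        pub = scalar_mult(x, G)
        sig = sign(x, msg, key_prefixed)
        pub2, sig2 = related_key_transfer(pub, msg, sig, t, key_prefixed)
        out[key_prefixed] = (verify(pub, msg, sig, key_prefixed),
                             verify(pub2, msg, sig2, key_prefixed))
    return out


if __name__ == "__main__":
    print(demo())   # {False: (True, True), True: (True, False)}
```

The only difference between the two variants is whether the public key enters the hash; everything else (keygen, nonce, verification equation) is identical, which is why the choice is easy to overlook in a code review and why libsecp256k1's construction keeps the prefix even while supporting key recovery.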