Bitcoin Forum
Topic: Aggregated Schnorr Signatures Are Not Provably Secure Without Key-Prefixing (Read 849 times)
kushti (OP)
Full Member
Activity: 315
Merit: 103
May 03, 2016, 08:46:58 PM
Merited by ABCbits (1)
 #1

From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion that it is assumed there that multi-user Schnorr is about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note the absence of a provable security doesn't mean a practical attack exists. It could be found a few years later, though. Bitcoin devs, please take care.


Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
gmaxwell
Moderator
Legendary
Activity: 4158
Merit: 8382
May 04, 2016, 07:20:18 AM
Merited by ABCbits (1)
 #2

Quote from: kushti on May 03, 2016, 08:46:58 PM
From briefly observing the Bitcoin/secp256k1 code of the Schnorr sigs implementation, I've come to the conclusion that it is assumed there that multi-user Schnorr is about the same security as single-user. That was proven, but recently D. Bernstein showed the proof was incorrect, and multi-user Schnorr is provably secure only with key-prefixing. The paper is here: https://eprint.iacr.org/2015/996.pdf .

Please note the absence of a provable security doesn't mean a practical attack exists. It could be found a few years later, though. Bitcoin devs, please take care.
We're aware. (Though thank you, we could have not been as well.) In general I prefer prefixing (without it the signature is not really a proof of knowledge), and the libsecp256k1 "test schnorr" construction goes out of its way to enable things like compact signature key recovery while also using prefixing.
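The difference gmaxwell is pointing at, as an added example (not code from either poster, nor from libsecp256k1): a minimal pure-Python Schnorr over secp256k1 in both the plain form, e = H(R || m), and the key-prefixed form, e = H(R || P || m). With the plain form, anyone holding an existing signature (R, s) can solve the verification equation for a public key under which that same (R, s) validates a different message, without knowing any private key, which is why the unprefixed signature is not a proof of knowledge of the key; with the key hashed into the challenge the equation becomes circular and the verifier rejects. The private key, messages and deterministic nonce are constructed for the example, and the point arithmetic is unoptimized illustration code.

```python
import hashlib
# secp256k1: field prime, group order, generator (standard constants)
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)
def mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def enc(A):  # 33-byte compressed encoding of a point
    return bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")
def challenge(R, pub, msg, prefixed):
    # plain Schnorr: e = H(R || m); key-prefixed: e = H(R || P || m)
    data = enc(R) + (enc(pub) if prefixed else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_ORDER
def sign(x, msg, prefixed):
    # nonce from (x, msg) for reproducibility only; real signers use a vetted nonce function
    k = int.from_bytes(hashlib.sha256(x.to_bytes(32, "big") + msg).digest(), "big") % N_ORDER
    R = mul(k, G)
    return (R, (k + challenge(R, mul(x, G), msg, prefixed) * x) % N_ORDER)
def verify(pub, msg, sig, prefixed):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, pub, msg, prefixed), pub))
def key_for_existing_sig(sig, new_msg):
    # Solve s*G = R + e'*P' for P' with the unprefixed e' = H(R || m'); nobody
    # knows a private key for P'. A prefixed e' would depend on P' itself.
    R, s = sig
    e = challenge(R, None, new_msg, False)
    return mul(pow(e, -1, N_ORDER), add(mul(s, G), (R[0], P_FIELD - R[1])))
def demo(x=0x1D2B3C4D5E6F, m1=b"message one", m2=b"message two"):  # constructed inputs
    pub, sig0, sig1 = mul(x, G), sign(x, m1, False), sign(x, m1, True)
    alt0, alt1 = key_for_existing_sig(sig0, m2), key_for_existing_sig(sig1, m2)
    return {"plain_ok": verify(pub, m1, sig0, False), "prefixed_ok": verify(pub, m1, sig1, True),
            "alt_key_differs": alt0 != pub, "plain_accepts_alt_key": verify(alt0, m2, sig0, False),
            "prefixed_accepts_alt_key": verify(alt1, m2, sig1, True)}
```

Running demo() shows the plain verifier accepting the substituted key on the new message while the key-prefixed verifier rejects it; the legitimate signatures verify under both forms.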