Bitcoin Forum
September 18, 2019, 09:11:53 PM *
News: If you like a topic and you see an orange "bump" link, click it. More info.
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: What's the worst thing that could happen with Schnorr signature  (Read 107 times)
LeGaulois
Copper Member
Legendary
*
Offline Offline

Activity: 1190
Merit: 1180

Bitcoin Ninja Unregulated Banker Unbanking Folks


View Profile
April 03, 2018, 07:18:28 PM
Merited by achow101 (3), fronti (1), d5000 (1)
 #1

If the Schnorr signature protocol is not robust enough, badly implemented, broken or whatever. What could be worse for Bitcoin?
(Speaking of the technical side and not the speculative.)

While most of us are excited to see these solution coming, there are still some fears we should have, don't you think?
Schnorr needs to be robustly developed and tested prior to potential rollout, because Bitcoin is a multi-billion dollar market cap, and not a test environment in your VM with a 250 Mb ram
Didn't we have the case, developers found that Schnorr signatures made Bitcoin susceptible to new ‘rogue attack’ vectors ?

It can also be considered as a threat so, the word may sound exaggerated but...well


Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1568841113
Hero Member
*
Offline Offline

Posts: 1568841113

View Profile Personal Message (Offline)

Ignore
1568841113
Reply with quote  #2

1568841113
Report to moderator
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 1890
Merit: 2740


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
April 03, 2018, 08:17:20 PM
Merited by ebliever (2), LeGaulois (2), Xynerise (2), fronti (1), d5000 (1)
 #2

Schnorr signatures is actually a somewhat broad topic that includes many things. Schnorr signatures are a cryptographic scheme, but to actually be used in Bitcoin, you still have to use that cryptography in a specific way besides just the signature algorithm itself. There are certainly insecure ways to use Schnorr signatures, just as there are insecure ways to use ECDSA or RSA signatures.

Didn't we have the case, developers found that Schnorr signatures made Bitcoin susceptible to new ‘rogue attack’ vectors ?
Yes, there was. There was a scheme using Schnorr signatures for key aggregation that was originally thought of that was insecure. But this doesn't mean Schnorr signatures themselves are insecure, just that specific cryptosystem that happened to use Schnorr signatures.

If the Schnorr signature protocol is not robust enough, badly implemented, broken or whatever. What could be worse for Bitcoin?
It would mean that, at worst, sensitive data such as private keys (but not necessarily private keys) are revealed which allows an attacker to be able to forge or create a signature that he should not be able to. This could result in coins be stolen.

While most of us are excited to see these solution coming, there are still some fears we should have, don't you think? ]
Not really. The cryptography itself can be proven to be sound. It is just mathematics, there's nothing special about it. For example, the key and signature aggregation scheme that uses Schnorr signatures that is likely to be used - MuSig - has a formal security proof that takes up a large part of the paper describing that scheme. Since it is just mathematics, the proof, assuming that there are no errors in it (so it needs review from other cryptographers), proves that the cryptography is sound assuming that the discrete logarithm problem is hard (which we currently do assume). This means that any software which follows the spec for MuSig will not create anything that results in sensitive data being leaked.

Of course there could be some insecure implementation of MuSig, but that's not a problem unique to it. There have been many insecure implementations of ECDSA which has resulted in lost coins. Even secure implementations that use a bad PRNG results in leaked private keys.

Schnorr needs to be robustly developed and tested prior to potential rollout, because Bitcoin is a multi-billion dollar market cap, and not a test environment in your VM with a 250 Mb ram
It certainly will. But with regards to the cryptography itself, the scheme itself will probably not be accepted unless it has a formal security proof.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!