Confused on schorr signature

[larry_vw_1955]

do anyone know how it works and can explain using an example say for a 4 of 5 multisig setup? i'm kind of skeptical of it

[1713403209]

1713403209

[1713403209]

1713403209

[Charles-Tim]

Schnorr signature helps in key and signature aggregation, this means it will result to combining of keys while making transaction. In P2SH and P2WSH multisig transactions, the keys are not aggregated, this results to the total keys to counts and which can be known on the blockchain that a transaction is P2SH or P2WSH multisig transaction. Schnorr signature aggregate the keys into just one valid key which can be used for the transaction.

For example, in the 4-of-5 multisig transaction, 5 keys are used to generate the multisig wallet, the increase in the keys used, the more the transaction fee will increase, this is resulting to increasing in transaction fee while the blockchain can easily reveal the type of transaction as multisig, but schnorr makes key aggregation possible before transaction is presented to the blockchain.

Pubkey1 + Pubkey 2 + Pubkey3......+ Pubkey50 = Pubkey X

Signature 1 + Signature 2 + Signature 3 = Signature X

So, all multisig transaction that require Schnorr signature will only have to pay the same fee. 2-of-2 multisig transaction will even pay the same fee as 50-of-50 multisig transaction with the help of schnorr signature's key aggregation.

You can read these to know more about Schnorr signatures: Technology roadmap - Schnorr signatures and signature aggregation

[larry_vw_1955]

, but schnorr makes key aggregation possible before transaction is presented to the blockchain.

Pubkey1 + Pubkey 2 + Pubkey3......+ Pubkey50 = Pubkey X

Signature 1 + Signature 2 + Signature 3 = Signature X

what about PrivateKey1 + PrivateKey2 + PrivateKey3....+PrivateKey50= PrivateKey X

Are we just talking about one PrivateKey X in the end which if someone has that then they don't need the m of n private keys? Again forgive me if this sound like a dumb question but had to ask!

[Charles-Tim]

Are we just talking about one PrivateKey X in the end which if someone has that then they don't need the m of n private keys? Again forgive me if this sound like a dumb question but had to ask!

No, the privates private keys will generate digital signatures which will be aggregated into one valid Schnorr signature. The M-of-N private keys are very important but the signatures the private keys generated are aggregated into a single valid one.

[larry_vw_1955]

No, the privates will generate digital signatures which will be aggregated into one valid Schnorr signature. The M-of-N private keys are very important but the signatures the private keys generated are aggregated into a single valid one.

So there doesn't correspond a private key for the aggregated public key? If someone knew what that private key was would they be able to use it for anything? oh and thanks for the replies!

[BrewMaster]

So there doesn't correspond a private key for the aggregated public key?

the aggregated public key is a perfectly valid public key on the bitcoin curve just like any other public key. and any valid public key has a corresponding private key.

If someone knew what that private key was would they be able to use it for anything?

yes but they can't know that private key. if the algorithm to generate the aggregated signature is correct there is no way of knowing the private key to the aggregated public key.

[larry_vw_1955]

the aggregated public key is a perfectly valid public key on the bitcoin curve just like any other public key. and any valid public key has a corresponding private key.

indeed i think that is correct! but doesn't that kind of compromise security at the expense of convenience (having smaller transaction sizes, making all transactions look alike).  

yes but they can't know that private key. if the algorithm to generate the aggregated signature is correct there is no way of knowing the private key to the aggregated public key.

So basically then a multisig with schnorr is no more secure from being hacked than a standard P2PKH address.

So I guess the moral of the story is you don't get something for nothing. When you combine all the public keys into a single master one, you create a weakness too. You lose the ability to absolutely require m of n signatures from m of n private key holders. That seems like a glaring loophole to me! Or at least "not a good thing".

[ranochigo]

So basically then a multisig with schnorr is no more secure from being hacked than a standard P2PKH address.

So I guess the moral of the story is you don't get something for nothing. When you combine all the public keys into a single master one, you create a weakness too. You lose the ability to absolutely require m of n signatures from m of n private key holders. That seems like a glaring loophole to me! Or at least "not a good thing".

It is not feasible for an attacker to manipulate and obtain the corresponding keys without compromising all the signers. It is not a loophole because it cannot be exploited by an attacker in practice, or at the very least infeasible for anyone to execute.

You should refer to MuSig's whitepaper here: https://eprint.iacr.org/2018/068.pdf. Specifically the security excerpt proves the security of the scheme.

[larry_vw_1955]

It is not feasible for an attacker to manipulate and obtain the corresponding key without compromising all the signers. It is not a loophole because it cannot be exploited by an attacker in practice, or at the very least infeasible for anyone to execute.

You should refer to MuSig's whitepaper here: https://eprint.iacr.org/2018/068.pdf. Specifically the security excerpt proves the security of the scheme.

I'll be happy to take a look at the pdf but it's not really very easy to understand. And how does one go about defining "security" anyway? I think there's different levels of security. For example, if i need to know 2 private keys then that's not just double the security over needing to know 1 private key. The security increases by an exponential factor, from 1/2^256 to 1/2^512. All other things being equal. So it's actually 2^256 more times as secure. See what I mean?

You can say 1/2^256 is secure enough but that's your opinion. People can have their own opinion of what is secure enough for them and they should be able to use tools that give them that desired level. Maybe 1/2^(256*6) is secure enough for someone else so they make a 6 of 8 multisig wallet. They don't want to hear that it's really not that secure and that a single private key could bust them down to 1/2^256 level of security...

[ranochigo]

And how does one go about defining "security" anyway? I think there's different levels of security. For example, if i need to know 2 private keys then that's not just double the security over needing to know 1 private key.

We define being secure as something that is infeasible with current and future computational capabilities.

You can say 1/2^256 is secure enough but that's your opinion. People can have their own opinion of what is secure enough for them and they should be able to use tools that give them that desired level. Maybe 1/2^(256*6) is secure enough for someone else so they make a 6 of 8 multisig wallet. They don't want to hear that it's really not that secure and that a single private key could bust them down to 1/2^256 level of security...

Multisig security isn't defined by that. We attack the weakest link; produce a pre-image by having a redeem script that is able to be hashed to the address we desire.** That is far less complex than having to find individual private keys. No matter what kind of requirements you include, if we find a pre-image of a redeem script that hashes to your address and is able to fulfill our own requirements, your security is compromised (don't necessarily have to know any of your private keys). P2SH at it's current form suffers many forms of limitations; requiring 6 signatures makes a transaction unnecessarily big, and computationally expensive.

It is not reasonable at all to demand security levels which leaves attacks *more than* astronomically difficult. That would just be paranoia and a waste of resources.

** This is quite difficult, even for now. I doubt that it would be more difficult than trying to find individual private keys through bruteforce and random combinations (if redeem script is not revealed).

[larry_vw_1955]

Multisig security isn't defined by that.

So I dont know what to call it then. I guess I need a name for it though. Where there is no weaker link than having to sign with the required number of private keys. What's the name for that?

It is not reasonable at all to demand security levels which leaves attacks *more than* astronomically difficult. That would just be paranoia and a waste of resources.

OK.

** This is quite difficult, even for now. I doubt that it would be more difficult than trying to find individual private keys through bruteforce and random combinations (if redeem script is not revealed).

Well even if it was known to be the same difficulty, I wouldnt like it simply because it's a backdoor and an exploit. You wanna keep those things to a minimum I hear.

** This is quite difficult, even for now. I doubt that it would be more difficult than trying to find individual private keys through bruteforce and random combinations (if redeem script is not revealed).

the little hashing collission weakness you're talking about may not scale in difficulty as the number of keys increases, in other words, your chances of finding a hash collission on a 2 of 3 wallet are the same as they would be if it was say 12 of 15. Does that seem reasonable to you?

[moderator's note: consecutive posts merged]

[ranochigo]

Well even if it was known to be the same difficulty, I wouldnt like it simply because it's a backdoor and an exploit. You wanna keep those things to a minimum I hear.

Okay, let's throw the collision and everything aside. I'm not sure of anyway to measure the difficulty of both, because the argument has never really made enough sense for people to investigate.

Well even if it was known to be the same difficulty, I wouldnt like it simply because it's a backdoor and an exploit. You wanna keep those things to a minimum I hear.

Let's use an analogy to explain this. Would you consider spending trillions of dollars and probably centuries, trying to find a key that is worth $10?

There is no such thing as perfect security, that is an utopia. Bitcoin's security functions on basic math, which we can conclude that it is so improbable of it happening and it is not worth to even mention this. It would be good if you could suggest alternative schemes, various cryptographers with years of experience has worked on Bitcoin. Don't you think someone knowledgeable would've at least mentioned something about fundamental insecurities within the system?

[larry_vw_1955]

Okay, let's throw the collision and everything aside. I'm not sure of anyway to measure the difficulty of both, because the argument has never really made enough sense for people to investigate.

Well you're the one that brought up the pre-image collission issue in the first place which showed that you do have an understanding of some of the problematic things about P2SH. I appreciate you being honest about those issues.

Let's use an analogy to explain this. Would you consider spending trillions of dollars and probably centuries, trying to find a key that is worth $10?

they would make more money by dedicating their hardware to mining ethereum while it is still proof of work. that would be my guess but i honestly am not sure how much people making brute forcing private keys. but it's not hard. just start at 0 and work your way up to 2^256 because all bitcoin private keys fall in that range so there's no guessing. you just iterate through them and check the balance. how hard could that be? doesn't matter if they have 2fa on their wallet or not.

There is no such thing as perfect security, that is an utopia. Bitcoin's security functions on basic math, which we can conclude that it is so improbable of it happening and it is not worth to even mention this.

But there are ideal security levels which would be nice to have. Features. Like multisignature where the only way to spend is to sign with the required number of keys with no other way possible theoretically. the problem is we don't have that today with bitcoin. as you mentioned there's the old p2sh collission trick. maybe not probable but in theory it could happen. if it can happen in theory then i don't want it in my cryptocurrency. that's how i see it. but i do want a way that requires 3 of 5 people to actually sign knowing that there doesn't even exist another way period the end. forget about oh it's highly improbable to happen. i get that. i don't want it to even be a possibility. not even a theoretical possibility. because the theoretical possibility existing shows that the whole setup was poorly designed. just my opinion.

you could say what about the $5 wrench attack? isn't that a theoretical possibility and isn't that a problem? yes it is but some things you have control over and some you can't and just have to react to. there's alot of things you can't control but the things you can that's the ones you have to work on.

It would be good if you could suggest alternative schemes, various cryptographers with years of experience has worked on Bitcoin. Don't you think someone knowledgeable would've at least mentioned something about fundamental insecurities within the system?

Actually I already did. It's in another posting I made a couple days ago. I'm sure you would be highly against it so if you want to flame away on that thread go for it but I'm just saying what features I want to have.

Don't you think someone knowledgeable would've at least mentioned something about fundamental insecurities within the system?

Bitcoin security is probably "just good enough" I would think. Not great but just good enough.

[hd49728]

[Education] Bitcoin Privacy and Anonymity has a section for Schorr signature.

Please check it 11. Schnorr Signature and if you have questions, you can ask more in your topic or in the topic of Husna QA.

[ranochigo]

that would be my guess but i honestly am not sure how much people making brute forcing private keys. but it's not hard. just start at 0 and work your way up to 2^256 because all bitcoin private keys fall in that range so there's no guessing. you just iterate through them and check the balance. how hard could that be? doesn't matter if they have 2fa on their wallet or not.

It is very hard. Do you know how much 2^256 is? It's quite hard for normal people to visualized, but just estimate the time it takes to hash and compare the address for any possible matches.

A very abstract math: 2^256/2,000,000,000,000,000 ( (assumption) of no. of address with balance) = 5.78 x 10^61 (1)
(1) / 10^20 (approx no. of hashes in the network currently -> Cannot be approximated to be the same, the ASICs for mining cannot be used for generating addresses) =5.70 x 10^40 seconds needed to find a single address that is used (2)
(2) / (3.154 x 10^7) = 1.835 x 10^33 years.

Math might be off by a bit but you get the idea.

i get that. i don't want it to even be a possibility. not even a theoretical possibility. because the theoretical possibility existing shows that the whole setup was poorly designed. just my opinion.

you could say what about the $5 wrench attack? isn't that a theoretical possibility and isn't that a problem? yes it is but some things you have control over and some you can't and just have to react to. there's alot of things you can't control but the things you can that's the ones you have to work on.

If you cannot fully appreciate the (magnitude of) probability of the events that we've covered so far, then I'm sorry none of the cryptos are for you. Cryptography operates by the basis of probability and the improbability of the event is what makes it secure.

$5 wrench attack is very practical. Finding a properly generated Bitcoin address by bruteforcing isn't.

Actually I already did. It's in another posting I made a couple days ago. I'm sure you would be highly against it so if you want to flame away on that thread go for it but I'm just saying what features I want to have.

Bitcoin security is probably "just good enough" I would think. Not great but just good enough.

I really don't blindly come on the forum and flame others. I'm not qualified enough for that. If none of the cryptographers has ever criticized Bitcoin so far, then any assertions about the insecurities is probably just pure paranoia. Trust me, if we haven't thought of people attempting bruteforcing addresses or any small weaknesses within MuSig, we would've shot it down in 2009 and 2018 respectively.