Bitcoin Forum
November 13, 2024, 08:54:35 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: schnorr signature weakness, why did they do it this way?  (Read 498 times)
larry_vw_1955 (OP)
Sr. Member
****
Offline Offline

Activity: 1190
Merit: 469


View Profile
July 27, 2021, 03:58:18 AM
Last edit: August 07, 2021, 04:31:36 PM by mprep
 #21

Because the hashes are much shorter than the input data there an infinite number of second preimages for almost any hash. If that weren't true it would result in statistical discrepancies in the hash function that would distinguish it from random.


Well for one thing sha256 is not completely random. It's not a random oracle so no one really knows whether it is surjective or not. I'd probably agree with you that if you do enough inputs to it, you can get almost any hash not just once but a gazillion times maybe. But "we just don't know". Unless you've tried all possible inputs then you don't know what the set of outputs really is unless you get lucky and finish early.  Shocked



The aggregated private key is never computed

And if you ever could compute it, then you have the contributing keys and could just spend the coin.

If bitcoin ever became worth alot of money say where you could buy an entire country of people a pizza for every one of them, I bet people would be working on brute forcing all the bitcoin private keys. That is one way to get ahold of it without "computing" it. Luckily though bitcoin p2pkh addresses are secure. So that can never happen. I mean you would have to start at 0x0000...000 and work your way up to 2^256? Who needs more security than that?

[moderator's note: consecutive posts merged]
NotATether
Legendary
*
Offline Offline

Activity: 1778
Merit: 7374


Top Crypto Casino


View Profile WWW
July 27, 2021, 12:08:38 PM
 #22

I bet people would be working on brute forcing all the bitcoin private keys.

People are already doing that right now.

Luckily though bitcoin p2pkh addresses are secure. So that can never happen. I mean you would have to start at 0x0000...000 and work your way up to 2^256? Who needs more security than that?

Pollard'a Kangaroo reduces the complexity by a factor of 2^30 or so.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
kaggie
Sr. Member
****
Offline Offline

Activity: 333
Merit: 506


View Profile
July 27, 2021, 03:39:50 PM
Last edit: July 27, 2021, 06:49:13 PM by kaggie
 #23

If bitcoin ever became worth alot of money say where you could buy an entire country of people a pizza for every one of them, I bet people would be working on brute forcing all the bitcoin private keys. That is one way to get ahold of it without "computing" it. Luckily though bitcoin p2pkh addresses are secure. So that can never happen. I mean you would have to start at 0x0000...000 and work your way up to 2^256? Who needs more security than that?
It should be fine...
as long as the algorithms hold.
But consider that a megabyte was thought to be all a person would ever
need: https://www.wired.com/1997/01/did-gates-really-say-640k-is-enough-for-anyone/
Perhaps there will be dramatic computing or algorithm performance increases over time.
Individuals have more than one address so that also changes the requirements.

If quantum computing (or just computing) became powerful enough, then bitcoin could counteract this
new space perhaps by increasing key lengths. A few bytes goes a very long way.

It's hard to say what the future holds though. There may be algorithms that were considered impossible, that become possible.
The proof for Fermat's last theorem comes to mind. The FLT current proof relies on properties of elliptic curves, which are also related
to encryption algos. There are all sorts of mathematical problems, such as the millenium problems, Goldbach's or Beal's conjectures,
that remain unproven yet could impact these encryption through new number theories.
One hopes that with any of these changes that bitcoin could transition at an appropriate
rate to better algos or key/address spaces.

Elliptic curves are pretty neat.


(Below is on birthday paradox, not the main topic..)

That's little similar how the Birthday Paradox is calculated, the prob of no collision is:
For no 2 people in a group of size "M" have same Birthday (N
Prob(all different)= 1* 364/365*363/365*...*(365-X+1)/365]
(The 1st person can have any birthday, the 2nd only 364 for this to be wrong, the 3rd only 363,..)
Then it was found out that X as small as 25 can make this probability < 0.5

Except your space is much larger than 365, since it is 2^160.
So,
Probability(all different; eg. no collision) = 1 * [(2^160-1)/(2^160)] * [(3^160-1)/(3^160)] ... * [(2^160-X)/(2^160)]

If you want to calculate this, you are going to struggle with even most modern software.
You can calculate the probability by converting to exponents.

exp(y) = 1+y for very small y

(2^160-1)/(2^160) = 1-1/2^160 = exp(-1/2^160)

For X tries of addresses, the probability is

P(all different) = exp(-sum(i)/2^160)

where sum(i) is the sum of numbers from 1 to X: sum(i) = 1+2+3+...X.

If you want a 50% chance, then

P(a.d.) = .5 = exp(-sum(i)/2^160) --->  log(0.5) = -0.3 = -sum(i)/2^160
sum(i) = 0.3 * 2^160

sum(i) has a closed form solution, sum(i) = X(X+1)/2

So, X(X+1)/2 = 0.3 *2^160
X(X+1) = 0.6 *2^160
X^2 + X = 0.6 * 2^160

Because the number is so large, we can drop out the single powered term, X, and solve:

X^2 ~= 0.6 *2^160
X ~= 0.77*2^(160/2) ~= 2^80 ~=10^24

So, if birthday paradox applies, you'd still have to search a space that is quite large (10^24) for a
50% chance to collide with one address -- but requires that there are X = 10^24 addresses worth finding, which isn't true.

Birthday paradox requires that the number of searches is also the number of interesting birthdays/addresses, which isn't true
in a collision search, where the searches can easily outnumber the interesting birthdays/addresses.

----

There are several things that change this from a birthday problem:
1) keys/addresses will not overlap between individuals, as one can assume that individuals want
to keep their addresses unique from others
[so that 364/365*363/365...(365-X)/365 doesn't apply, raising the difficulty]
2) the reward for any given collision is not equal
3) not all individuals with addresses are searching the entire space
4) Birthday paradox doesn't change the probability of finding the key to a single specific address

Using either point one, three or four above reduces the chances of a collision, i.e. the X^2+X term goes to a simple X.
That's because you are searching for a simple match of one address per go, reducing your search space by that amount per search.

Probability(no collision) = 1 * [(2^160-1)/(2^160-0)] * [(2^160-1)/(2^160-1)] ... * [(2^160-1)/(2^160-X)]
which is probability(no collision) = 1 * [(2^160-1)/(2^160)]^X due to the insignificant effect of the -X term on 2^160.

P = 0.5 = exp(-X/2^160)
-log(0.5) = -X / 2^160
X = log(2) * 2^160

Thus, fancy mathematics shows that to obtain a 50% collision with a single address, you have to search just under half of the space. A bit of a weird result, but does not use birthday paradox.

To change the functions to include that you might have N number of addresses that are not empty worth searching, so the needed searches is smaller (by the factor of interesting addresses):
Probability(no collision) = 1 * [(2^160-N_interesting)/(2^160)]^X
X = log(2) * 2^160 / N_interesting

I think I got that correct... but there are obviously a lot of pitfalls in stats.

For those that disagree with me, wikipedia agrees with you: https://en.wikipedia.org/wiki/Birthday_problem

You can raise the probability of collisions with using a priori knowledge (public states, pollard's kangaroo, poor randomisation, poor k),
but that's no longer birthday paradox.
Shymaa-Arafat
Full Member
***
Offline Offline

Activity: 228
Merit: 156


View Profile
July 28, 2021, 06:48:11 AM
Last edit: July 29, 2021, 09:35:53 AM by Shymaa-Arafat
 #24

I was talking about the probability that the M out of N signatures r all not malicious/compromised and that it's not exactly the original ratio X/N
i.e., if u r using M=3 signatures out of N=5 with X=2 could be compromised (1-X/N =3/5)
Prob(all M correct)= 3*2*1/(5*4*3)=6/60=0.1=10%
If only one is compromised X=1
Prob(all correct)=4*3*2/60=40%
.
As for the collisions ( prob ≥0.5 that all hash trials r different), the denominator here is like the Birthday days population don't change, each time the result population is still 2¹⁶⁰, N in our terminology,

What u did is saying if the inequality hold for those terms, then it still holds for their logs ..

N(N-1)(N-2)...(N-X+1)/(N^X)≥1/2
2N(N-1)(N-2)...(N-X+1)≥ N^X

implies it holds for the logs too

log(N-1)+..+log(N-X+1)+1≥
(X-1)logN

After some math& abbreviation it will lead to
X~ O(square root of N) for the inequality to hold (the probability to be ≥1/2)
In our case N=2¹⁶⁰, so X=2⁸⁰


kaggie
Sr. Member
****
Offline Offline

Activity: 333
Merit: 506


View Profile
July 28, 2021, 02:33:44 PM
 #25

I was talking about the probability that the M out of N signatures r all not malicious/compromised and that it's not exactly the original ratio X/N

I have to admit that I hate stats since small language differences can make large changes in the defined problem!
Shymaa-Arafat
Full Member
***
Offline Offline

Activity: 228
Merit: 156


View Profile
August 04, 2021, 07:14:31 PM
 #26

 To whom it might concern
I found out an interesting fact about why schnorr was not used from the beginning in Bitcoin in here ( min 55/56 I think)
https://youtu.be/0Q5IimX-AAc
In short, they had to wait 20 years for a copy right issue
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8805



View Profile WWW
August 06, 2021, 01:52:58 AM
 #27

The schnorr patent (not copyright) had expired by the time Bitcoin was created.  But there were no mature or standardized industrial grade implementations of a schnorr ECC signature until a couple years later (I believe the ed25519 work was the first and it was published in late 2011).
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!