From: Lloyd Fournier <lloyd.fourn@gmail.com>
Date: Fri, 6 Mar 2020 17:40:24 +1100
Message-ID: <CAH5Bsr3CbG6b4tk0hkLECfg0LM38BNp7nfspLv+NbMg6f79iDg@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Schnorr sigs vs pairing sigs

Hi Erik,

There are strong arguments for and against pairing-based sigs in Bitcoin.
One very strong argument in favour of non-deterministic signatures like
Schnorr over BLS is that it enables a kind of signature encryption called
"adaptor signatures". This construction is key to many exciting up-and-coming
layer 2 protocols and isn't possible unless the signature scheme
uses randomness.

self plug: I have a paper on this topic called "One-Time Verifiably
Encrypted Signatures A.K.A Adaptor Signatures"
 https://github.com/LLFourn/one-time-VES/blob/master/main.pdf

LL


On Fri, Mar 6, 2020 at 6:03 AM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Schnorr sigs rely so heavily on the masking provided by a random
> nonce. There are so many easy ways to introduce bias (hash + modulo,
> for example).
>
> Even 2 bits of bias can result in serious attacks:
>
> https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf
>
> Maybe pairing-based sigs - which are slower - might be both more
> flexible, and better suited to secure implementations?
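
Added example (not part of the original email or of the linked paper): a Schnorr adaptor signature over a toy group, showing how the random nonce is shifted by a point T so that the pre-signature only becomes a valid signature once the secret t is added, and how the completed signature reveals t to the signer. The group parameters and all function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed): P = 2*Q + 1 is a safe prime and
# G = 4 generates the subgroup of prime order Q. Not secp256k1.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret in [1, Q-1]
    return x, pow(G, x, P)

def verify(X, msg, sig):
    """Plain Schnorr verification: G^s == R * X^c."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P

def pre_sign(x, msg, T):
    """Signer: signature 'encrypted' under T = G^t. The challenge commits
    to the shifted nonce R_pre * T, but s_pre omits t."""
    r = secrets.randbelow(Q - 1) + 1          # fresh random nonce
    R_pre = pow(G, r, P)
    c = challenge(R_pre * T % P, pow(G, x, P), msg)
    return R_pre, (r + c * x) % Q

def pre_verify(X, msg, T, pre):
    """Anyone: check the pre-signature is well formed without knowing t."""
    R_pre, s_pre = pre
    c = challenge(R_pre * T % P, X, msg)
    return pow(G, s_pre, P) == R_pre * pow(X, c, P) % P

def adapt(pre, t, T):
    """Holder of t: complete the pre-signature into a valid signature."""
    R_pre, s_pre = pre
    return R_pre * T % P, (s_pre + t) % Q

def extract(pre, sig):
    """Signer: recover t from the published signature."""
    return (sig[1] - pre[1]) % Q

if __name__ == "__main__":
    x, X = keygen()
    t, T = keygen()
    pre = pre_sign(x, b"constructed message", T)
    sig = adapt(pre, t, T)
    print(pre_verify(X, b"constructed message", T, pre),
          verify(X, b"constructed message", sig), extract(pre, sig) == t)
```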
