[Cryptography] Schnorr multisignatures based on ED22519

Dominik Pantůček dominik.pantucek at trustica.cz
Sun May 5 04:07:37 EDT 2019


Hello,

On 05. 05. 19 4:22, jamesd at echeque.com wrote:
> I have heard it said that ED25519 supports Schnorr multisignatures,
> 
> The Libsodium documentation contains no mention of multi signatures,
> and, because ED25519 is nonprime group, it seems to me that implementing
> Schnorr multisignatures would require an expert in the mathematics of
> elliptic curves - I certainly have no idea how to even begin, and would
> not trust code written by someone not well known.

The cofactor for Ed25519 is l=8. The problem of "hitting" a small subgroup
is easily mitigated if you clear the 3 least-significant bits of your
keys. As long as you are working with points on the curve that are
multiples of eight times the generator point (i.e. 8G, 16G, 24G, ...) you
are safe.

Regarding the multisignatures - I vaguely recall there was a
blockchain-based so-called "cryptocurrency" implementation that got this
wrong and it was easy for attackers to empty many users' "wallets",
because there were only 7 (or maybe 8, doesn't matter though)
brute-force steps required to recover the private keys.


Cheers,
Dominik
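The two checks the reply above relies on, as an added example that is not part of the original post or of Libsodium: a pure-Python affine implementation of the Ed25519 curve (constants from RFC 8032), a clamp that clears the three low bits of a scalar, a subgroup-membership check (l*P == identity), and a demonstration of why the clamp matters: an unclamped scalar multiplied by an order-8 torsion point depends only on the scalar mod 8, while a clamped scalar sends every such point to the identity. The search helper `find_small_order_point` and the scalar `SAMPLE_SCALAR` are constructed for the demo; the arithmetic is variable-time and for illustration only.

```python
# Ed25519 curve: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)  (constants from RFC 8032)
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
I = pow(2, (p - 1) // 4, p)                          # sqrt(-1) mod p
IDENTITY = (0, 1)                                    # neutral element of the group

def x_recover(y):
    """Return the even x with (x, y) on the curve, or None if no such x exists."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)          # p = 5 mod 8, so this gives sqrt(xx) or sqrt(xx)*I
    if (x * x - xx) % p != 0:
        x = x * I % p
    if (x * x - xx) % p != 0:
        return None                       # xx is not a square: y is not a curve coordinate
    return p - x if x % 2 else x

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Twisted Edwards addition (a = -1), affine coordinates, not constant time."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def scalar_mult(k, P):
    """Plain double-and-add; fine for a demo, never for real keys (leaks timing)."""
    R, Q = IDENTITY, P
    while k > 0:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

# Base point B: y = 4/5, x the even square root (RFC 8032 section 5.1)
B = (x_recover(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)

def clamp(s):
    """The cofactor part of the Ed25519 clamp: clear the 3 low bits so s = 0 mod 8.
    (RFC 8032 additionally clears bit 255 and sets bit 254; omitted here to keep the
    demo scalar small and the effect of the low bits isolated.)"""
    return s & ~7

def in_prime_order_subgroup(P):
    """True iff P has order dividing L, i.e. carries no torsion component."""
    return on_curve(P) and scalar_mult(L, P) == IDENTITY

def torsion_order(T):
    """Order of a point known to lie in the 8-torsion subgroup (1, 2, 4 or 8)."""
    for k in (1, 2, 4, 8):
        if scalar_mult(k, T) == IDENTITY:
            return k
    return None

def find_small_order_point(order=8):
    """Constructed helper: scan small y values, multiply each curve point by L to strip
    its prime-order part, and return the first torsion point of the requested order."""
    for y in range(2, 500):
        x = x_recover(y)
        if x is None:
            continue
        T = scalar_mult(L, (x, y))
        if torsion_order(T) == order:
            return T
    raise RuntimeError("no torsion point of that order found in the scanned range")

def visible_residues(s, T):
    """Residues r in 0..7 with r*T == s*T: what an observer of s*T learns about s.
    For an order-8 T and an unclamped s this is exactly {s mod 8}."""
    target = scalar_mult(s, T)
    return {r for r in range(8) if scalar_mult(r, T) == target}

# Constructed 256-bit scalar (not a real key); its low byte is 'c' = 0x63, so s mod 8 = 3.
SAMPLE_SCALAR = int.from_bytes(b"constructed demo scalar, not key", "little")

if __name__ == "__main__":
    T = find_small_order_point(8)
    print("order-8 torsion point found:", torsion_order(T) == 8)
    print("unclamped scalar leaks s mod 8:", visible_residues(SAMPLE_SCALAR, T))
    print("clamped scalar on torsion point:", visible_residues(clamp(SAMPLE_SCALAR), T))
    print("8*P is in the prime-order subgroup:",
          in_prime_order_subgroup(scalar_mult(8, add(B, T))))
```

Running it shows the two sides of the reply: `B + T` fails `in_prime_order_subgroup` because of its order-8 component, while `8*(B + T)` passes, and only the clamped scalar maps the torsion point to the identity. A library that accepts caller-supplied points (as a multisignature aggregation does) needs the `L*P == identity` check or the multiply-by-8 on every input, not just clamping of its own scalars.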

