[Cryptography] Schnorr multisignatures based on ED22519

Phillip Hallam-Baker phill at hallambaker.com
Mon May 6 10:16:55 EDT 2019


On Sun, May 5, 2019 at 9:07 PM Dominik Pantůček <dominik.pantucek at trustica.cz> wrote:

> Hello,
>
> On 05. 05. 19 4:22, jamesd at echeque.com wrote:
> > I have heard it said that ED25519 supports Schnorr multisignatures.
> >
> > The Libsodium documentation contains no mention of multisignatures,
> > and, because ED25519 is a nonprime group, it seems to me that implementing
> > Schnorr multisignatures would require an expert in the mathematics of
> > elliptic curves - I certainly have no idea how to even begin, and would
> > not trust code written by someone not well known.
>
> The cofactor for Ed25519 is l=8. The problem of "hitting" a small subgroup
> is easily mitigated if you clear the 3 least-significant bits of your
> keys. As long as you are working with points on the curve which are
> multiples of eight times the generator point (i.e. 8G, 16G, 24G, ...), you
> are safe.
>
> Regarding the multisignatures - I vaguely recall there was a
> blockchain-based so-called "cryptocurrency" implementation that got this
> wrong, and it was easy for attackers to empty many users' "wallets",
> because there were only 7 (or maybe 8, doesn't matter though)
> brute-force steps required to recover the private keys.
>

I think Schnorr signatures are really useful and important. But I would
need to see a CFRG RFC and peer review before making use of them in a spec.

I do use the same types of technique for encryption, but that doesn't worry
me because DH key agreement doesn't disclose the private key even if you do
it wrong. El Gamal signatures do.

It is not just disclosing the private key that is bad. There are pairs of
numbers that can be disclosed that allow an attacker to create new sigs
even if they don't know the private key.

There is a vast amount of detail there that I just don't have swap space
for in my brain right now. So let's pass it on to the people who think about
nothing else and get some grad students on the problem.
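The two failure modes discussed in this thread, shown in working code. This is an added example, not code from the thread or from any of the posters, and not libsodium's implementation: it is pure-Python affine Ed25519 arithmetic (base point derived from y = 4/5, an order-8 torsion point found from the doubling formula), a textbook Schnorr signature rather than RFC 8032's deterministic EdDSA, and constructed scalars and messages. The first function models the small-subgroup probe the quoted message alludes to, under the simplifying assumption that the victim's output x*A' can be observed directly: the attacker hands over a point carrying a torsion component and learns x mod 8 with at most 8 guesses, unless x has its low 3 bits cleared. The second shows the Schnorr-specific hazard in the reply: two signatures under a reused nonce hand over the private key. All helper names (`order8_point`, `torsion_leak`, `recover_key`, ...) are this example's own.

```python
import hashlib

# Field, curve and group constants of Ed25519 (public parameters, not secrets).
p = 2**255 - 19                                       # field prime, p = 5 mod 8
l = 2**252 + 27742317777372353535851937790883648493   # prime order of the main subgroup
d = (-121665 * pow(121666, -1, p)) % p                # -x^2 + y^2 = 1 + d*x^2*y^2
O = (0, 1)                                            # neutral element

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    # Complete affine addition law for a = -1 and d a non-square: no exceptional inputs.
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)

def neg(P):
    return ((-P[0]) % p, P[1])

def mul(k, P):
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def sqrt_mod_p(u):
    # Square root for p = 5 mod 8; None when u is a non-residue.
    v = pow(u % p, (p + 3) // 8, p)
    if v * v % p == u % p:
        return v
    if v * v % p == (-u) % p:
        return v * pow(2, (p - 1) // 4, p) % p
    return None

# Base point: y = 4/5 and the x with x even (the encoding's sign bit clear).
Gy = 4 * pow(5, -1, p) % p
Gx = sqrt_mod_p((Gy * Gy - 1) * pow(1 + d * Gy * Gy, -1, p) % p)
G = (Gx if Gx % 2 == 0 else p - Gx, Gy)

def order8_point():
    # An order-8 point T has 2T = (+-sqrt(-1), 0). Forcing the doubled y to 0
    # gives y^2 = -x^2 and d*x^4 - 2*x^2 - 1 = 0, i.e. x^2 = (1 +- sqrt(1+d))/d.
    i, r = sqrt_mod_p(p - 1), sqrt_mod_p(1 + d)
    for u in ((1 + r) * pow(d, -1, p) % p, (1 - r) * pow(d, -1, p) % p):
        x = sqrt_mod_p(u)
        if x is not None:
            T = (x, i * x % p)
            if on_curve(T) and mul(4, T) != O and mul(8, T) == O:
                return T
    raise RuntimeError("no order-8 point found")

def torsion_leak(x, X, b, T):
    # Small-subgroup probe on a DH-style exchange (toy model: the victim's
    # output x*A' is observed directly). The attacker sends A' = b*G + T
    # instead of b*G; x*A' = x*b*G + x*T, and the attacker knows x*b*G = b*X,
    # so the leftover x*T reveals x mod 8 after at most 8 guesses. A scalar
    # with its low 3 bits cleared always yields leftover O, i.e. guess 0.
    leftover = add(mul(x, add(mul(b, G), T)), neg(mul(b, X)))
    for j in range(8):
        if mul(j, T) == leftover:
            return j
    return None

def enc(P):
    return P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")

def hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % l

def sign(a, A, m, k):
    # Textbook Schnorr: R = k*G, e = H(R, A, m), s = k + e*a mod l. The nonce k
    # is a parameter only so this example can reuse it deliberately.
    R = mul(k, G)
    return R, (k + hash_to_scalar(enc(R), enc(A), m) * a) % l

def verify(A, m, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(hash_to_scalar(enc(R), enc(A), m), A))

def recover_key(A, m1, sig1, m2, sig2):
    # Two signatures sharing R (reused nonce): s1 - s2 = (e1 - e2)*a mod l.
    (R1, s1), (R2, s2) = sig1, sig2
    assert R1 == R2, "recovery needs a reused nonce"
    e1 = hash_to_scalar(enc(R1), enc(A), m1)
    e2 = hash_to_scalar(enc(R2), enc(A), m2)
    return (s1 - s2) * pow((e1 - e2) % l, -1, l) % l

if __name__ == "__main__":
    T = order8_point()
    x, b = 123461, 777                          # constructed secrets; x mod 8 == 5
    print("leak, unclamped x:", torsion_leak(x, mul(x, G), b, T))              # 5
    print("leak, clamped x:  ", torsion_leak(x & ~7, mul(x & ~7, G), b, T))    # 0
    a = 123456789                               # constructed signing key
    A = mul(a, G)
    s1 = sign(a, A, b"pay alice 1", 99991)
    s2 = sign(a, A, b"pay bob 2", 99991)        # same nonce, different message
    print("recovered == a:", recover_key(A, b"pay alice 1", s1, b"pay bob 2", s2) == a)
```

Two practical checks fall out of this: reject or cofactor-multiply any received point for which `mul(8, P)` is the neutral element (or, stricter, require `mul(l, P) == O`), and never let a Schnorr nonce depend on anything but a fresh random value or a deterministic hash of the key and message. Clamping the scalar protects the scalar's owner against the torsion leak; it does nothing for a signer who repeats a nonce.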