[Cryptography] Schnorr multisignatures based on ED25519

Lee Clagett forum at leeclagett.com
Sun May 19 00:51:03 EDT 2019


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, May 5, 2019 8:07 AM, Dominik Pantůček <dominik.pantucek at trustica.cz> wrote:

> Hello,
>
> On 05. 05. 19 4:22, jamesd at echeque.com wrote:
>
> > I have heard it said that ED25519 supports Schnorr multisignatures.
> > The Libsodium documentation contains no mention of multisignatures,
> > and, because ED25519 is a nonprime group, it seems to me that implementing
> > Schnorr multisignatures would require an expert in the mathematics of
> > elliptic curves - I certainly have no idea how to even begin, and would
> > not trust code written by someone not well known.
>
> the cofactor for Ed25519 is l=8. The problem of "hitting" a small subgroup
> is easily mitigated if you clear the 3 least-significant bits of your
> keys. As long as you are working with points on the curve which are
> multiples of eight times the generator point (i.e. 8G, 16G, 24G ...), you
> are safe.
>

This isn't sufficient in cases where the attacker is providing a point
on the curve instead of a scalar.

> Regarding the multisignatures - I vaguely recall there was a
> blockchain-based so-called "cryptocurrency" implementation that got this
> wrong and it was easy for attackers to empty many users' "wallets",
> because there were only 7 (or maybe 8, doesn't matter though)
> brute-force steps required to recover the private keys.
>
> Cheers,
> Dominik
>

Lee
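
Added worked example (mine, appended for the archive; not code from Lee, Dominik, James or libsodium). It models the Ed25519 group in affine coordinates from the RFC 8032 parameters and shows the point of the reply above: clearing the 3 low bits of your own scalar removes a torsion component only when the scalar is yours and clamped, while an attacker-supplied point P+T (T of order 8) is on the curve, collapses to the same 8P after cofactor clearing, and leaks k mod 8 from any unclamped scalar k that touches it (Schnorr nonces and challenges are not clamped); the subgroup check l*P == O is what rejects it. The scalar SAMPLE_SCALAR and the small-y search for an order-8 point are my own constructions; the code is not constant-time and is for illustration only.

```python
# Added illustration, not code from anyone in this thread: an affine model
# of the Ed25519 group (RFC 8032 parameters) showing why clamping your own
# scalar says nothing about a torsion component in a point somebody else
# hands you, and what check does.  Not constant-time; demonstration only.

p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
l = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
h = 8                                                 # cofactor
I = pow(2, (p - 1) // 4, p)                           # sqrt(-1) mod p
O = (0, 1)                                            # neutral element

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    # Complete addition law for a = -1 twisted Edwards curves.
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p
    return (x3, y3)

def mul(k, P):
    # Plain double-and-add; leaks timing, which is acceptable for a model.
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def recover_x(y):
    # Solve the curve equation for x (RFC 8032 section 5.1.3); None if no root.
    y2 = y * y % p
    x2 = (y2 - 1) * pow(d * y2 + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * I % p
    if (x * x - x2) % p:
        return None
    return x

def base_point():
    y = 4 * pow(5, p - 2, p) % p
    x = recover_x(y)
    return (p - x if x & 1 else x, y)  # RFC 8032 takes the even root for B

B = base_point()

def small_order_point():
    # l*P lies in the 8-torsion for every curve point P; about half of those
    # have order exactly 8, so a short search over small y finds one.
    for y in range(2, 64):
        x = recover_x(y)
        if x is None:
            continue
        T = mul(l, (x, y))
        if mul(4, T) != O:      # order does not divide 4, so it is exactly 8
            return T
    raise RuntimeError("no order-8 point found in search range")

def is_prime_order(P):
    # The check a verifier must apply to any point it did not compute itself:
    # on the curve, not the neutral element, and killed by the subgroup order.
    return on_curve(P) and P != O and mul(l, P) == O

def clamp(k):
    # Ed25519-style clamping of a scalar: clear the three low bits, pin bit 254.
    return (k & ((1 << 254) - 8)) | (1 << 254)

def torsion_leak(k, T):
    # The attacker supplies a small-order point T where a public key or nonce
    # commitment was expected.  k*T can take only ord(T) values, so whoever
    # sees the result reads off k mod 8 by matching against j*T, j = 0..7.
    S = mul(k, T)
    for j in range(8):
        if mul(j, T) == S:
            return j

# Constructed, unclamped 252-bit scalar, as a Schnorr nonce or challenge would be.
SAMPLE_SCALAR = 0x0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f3

if __name__ == "__main__":
    T = small_order_point()
    print("unclamped scalar: attacker learns k mod 8 =", torsion_leak(SAMPLE_SCALAR, T))
    print("clamped scalar:   attacker learns k mod 8 =", torsion_leak(clamp(SAMPLE_SCALAR), T))
    tampered = add(B, T)                 # B + T: on the curve, but not in the subgroup
    print("B+T on curve:", on_curve(tampered), "| 8(B+T) == 8B:", mul(h, tampered) == mul(h, B))
    print("B passes subgroup check:", is_prime_order(B), "| B+T passes:", is_prime_order(tampered))
```

Running it shows the residue an attacker recovers for the unclamped scalar versus the clamped one, and that B+T passes a plain on-curve check but fails is_prime_order. The design choice worth noting is that clamping and the subgroup check protect different things: clamping protects a scalar you own, the check protects you from a point you did not compute.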
