[Cryptography] Schnorr multisignatures based on ED22519

Lee Clagett forum at leeclagett.com
Sun May 19 00:52:33 EDT 2019


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, May 7, 2019 7:06 AM, <jamesd at echeque.com> wrote:

> > On Sun, May 5, 2019 at 9:07 PM Dominik Pantůček
>
> > >     the cofactor for Ed25519 is l=8. The problem of "hitting" small subgroup
> > >     is easily mitigated if you clear the 3 least-significant bits of your
> > >     keys. As long as you are working with points on the curve which are
> > >     eight times multiply of the generator point (i.e. 8G, 16G, 24G ...) you
> > >     are safe.
> > >
>
> On 06/05/2019 22:16, Phillip Hallam-Baker wrote:
>
> > I think the Schnorr signatures are really useful and important. But I
> > would need to see a CFRG RFC and peer review before making use of them
> > in a spec.
>
> My ignorant opinion is that you would be fine using a well known
> algorithm, such as Schnorr signatures, in a prime group such as
> ristretto255, but in a non prime group such as Ed25519, likely to shoot
> yourself in the foot, and if you roll your own algorithm, likely to
> shoot yourself in the foot even with a prime group.
>

An excerpt taken directly from the Ed25519 paper[1]:

    Our verification equation is the same as Schnorr’s verification
    equation with double-size hashing instead of half-size hashing,
    with A inserted as an extra hash input, and without Schnorr’s
    compression of R.

The EdDSA equations used for the Ed25519 curve are similar to the
equations for Schnorr signatures. ECDSA uses the group order _directly_
in signature verification/generation, but Schnorr and EdDSA do not.

There is some existing information [2][3] on how to construct Ed25519
multisig schemes. The nice part is that the verification portion does
not need to change (unless the pubkeys participating need to be listed
explicitly). The difficulty isn't really with the cofactor of Ed25519,
its preventing leakage of a participants private key. The implementation
_must_ ensure that the signing point includes the users "random" (or
deterministically hashed) value.

Lee

[1] https://ed25519.cr.yp.to/ed25519-20110926.pdf
[2] https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/
[3] https://crypto.stackexchange.com/questions/50448/schnorr-signatures-multisignature-support



More information about the cryptography mailing list