From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 89708C013E for ; Fri, 6 Mar 2020 06:40:52 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 7320C203D7 for ; Fri, 6 Mar 2020 06:40:52 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OR5LRUVBaoLF for ; Fri, 6 Mar 2020 06:40:51 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-io1-f54.google.com (mail-io1-f54.google.com [209.85.166.54]) by silver.osuosl.org (Postfix) with ESMTPS id 961551FE49 for ; Fri, 6 Mar 2020 06:40:51 +0000 (UTC) Received: by mail-io1-f54.google.com with SMTP id n21so1036147ioo.10 for ; Thu, 05 Mar 2020 22:40:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=7IEaIRBCFt5+OIE+ngsbrS79AOkLjF5JCCgu0tZgc3Q=; b=R6IFhlTep3zPahG31dlrUKYhFToLNRWi3ugKl5hBwcFr40th+H3UKeN74E2UifPBn4 9gDYRZVwVMFTu+5FmCWVKo++I+QYyLMV4Cy93TE6C6gi8taFdI3Urry8PYpW2pHTiljZ Ofe1cbLsa7kfpsYzOjtdqpmBNpI3UAajhu5lASPwpu8g6PV09jJmn3udEa0LnwNEl3eC jufCOqnVLYWHZW59Ik3lr6gs8r+Xgu8rczI5+1YDLp/C0kT89zRN9XZ5upnzA8G6hxMC PbZaa3x1X7l83b8HZ74jzok4TUWum9zKs7KmA384HJarOKcPS+3goFneT44rVcioK6Xd uFLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=7IEaIRBCFt5+OIE+ngsbrS79AOkLjF5JCCgu0tZgc3Q=; b=BiSGM2/Cg5uPXEz5bqNATWShYXexCWQcGx9GO9T9fYEFa8d1ObWHUfSc5SIwbPoccf 7WIzOsep7xRmeadA8pJSj9dXyEwb7DIy4AWr4kCq7icXNEhVXNCBBEqo58Udr3ooC8j3 oD7Y85r8Z9sm/Kv6eC9y59QbDCuh+WNuD/JOsoN7D3DsaXFHVO0QhmBEwObRJ5L8cFr0 Ingx8+4P4yIp3Ku6c4O3twx7++tZ7TXnj2/M4QMn/WA2L7UDLAK1AZ/h5jaFObM5PkS5 Iy3Eqorf0I01i4AkRO0Q0xp+kDXTB7ifufx0Jf4V31DArBYPgHdgsoDu7TWcvlzOKF5P J6pg== X-Gm-Message-State: ANhLgQ1Uu9RLKPKQfBiEcVvybN/Axo3OXGi1fpygJD8SZB/cfh+sTz41 3P65VmZtnIeFSKkDszztt0KvUPEinwm6Mx8l8YJiWpAN X-Google-Smtp-Source: ADFU+vvaf2Hiz1PxKV/uElu05sh/L1iGzHZl0S0bZVmfQNIjNTAEL2NLLclAX6XsQGrKM7fOgFHPNiQBzSqyskEU4Rw= X-Received: by 2002:a02:cba5:: with SMTP id v5mr1674284jap.64.1583476850813; Thu, 05 Mar 2020 22:40:50 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Lloyd Fournier Date: Fri, 6 Mar 2020 17:40:24 +1100 Message-ID: To: Erik Aronesty , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000033f49d05a029ef9f" X-Mailman-Approved-At: Fri, 06 Mar 2020 08:40:00 +0000 Subject: Re: [bitcoin-dev] Schnorr sigs vs pairing sigs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Mar 2020 06:40:52 -0000 --00000000000033f49d05a029ef9f Content-Type: text/plain; charset="UTF-8" Hi Erik, There are a strong arguments for and against pairing based sigs in Bitcoin. One very strong argument in favour over non-deterministic signatures like Schnorr over BLS is it enables a kind of signature encryption called "adaptor signatures". This construction is key to many exciting up and coming layer 2 protocols and isn't possible unless the signature scheme uses randomness. self plug: I have a paper on this topic called "One-Time Verifiably Encrypted Signatures A.K.A Adaptor Signatures" https://github.com/LLFourn/one-time-VES/blob/master/main.pdf LL On Fri, Mar 6, 2020 at 6:03 AM Erik Aronesty via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Schnorr sigs rely so heavily on the masking provided by a random > nonce. There are so many easy ways to introduce bias (hash + modulo, > for example). > > Even 2 bits of bias can result in serious attacks: > > https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf > > Maybe pairing based sigs - which are slower - might be both more > flexible, and better suited to secure implemetnations? > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000033f49d05a029ef9f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Erik,

There are a strong arguments for and agai= nst pairing based sigs in Bitcoin. One very strong argument in favour over = non-deterministic signatures like Schnorr over BLS is it enables a kind of = signature encryption called "adaptor signatures". This constructi= on is key to many exciting up and coming layer 2 protocols and isn't po= ssible unless the signature scheme uses randomness.=C2=A0

self plug: I have a paper on this topic called "One-Time Verif= iably Encrypted Signatures A.K.A Adaptor Signatures"
=C2=A0<= a href=3D"https://github.com/LLFourn/one-time-VES/blob/master/main.pdf">htt= ps://github.com/LLFourn/one-time-VES/blob/master/main.pdf
LL


On Fri, Mar 6, 2020 at 6:03 AM Erik Aron= esty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Schnorr sigs rely so heavily on= the masking provided by a random
nonce.=C2=A0 =C2=A0There are so many easy ways to introduce bias (hash + mo= dulo,
for example).

Even 2 bits of bias can result in serious attacks:

https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi= .pdf

Maybe pairing based sigs=C2=A0 - which are slower - might be both more
flexible, and better suited to secure implemetnations?
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000033f49d05a029ef9f--