Combined summary - Schnorr signatures BIP

Combined summary - Schnorr signatures BIP

Pieter Wuille's proposal for a BIP (Bitcoin Improvement Proposal) aims to introduce 64-byte elliptic curve Schnorr signatures into the Bitcoin development community.

This draft specification is an important step towards standardizing the signature scheme, although it does not directly address consensus rules or aggregation. Wuille plans to collaborate with others to create production-ready reference implementations and conduct tests using the proposed scheme. It is also noted that this signature scheme may have applications beyond the scope of Bitcoin.In the discussion surrounding the proposal, Andrew Poelstra clarifies that M-of-N threshold MuSig signatures can be created for any values of M and N. By combining Schnorr signatures with Pedersen Secret Sharing, a secure interactive threshold signature scheme can be achieved, ensuring that signatures can only be produced by predetermined sets of signers. Poelstra also mentions that he has implemented the combination of MuSig and VSS (Verifiable Secret Sharing) in his code. However, there are unanswered questions raised by Erik Aronesty regarding building up threshold signatures via concatenation.The discussion further explores the topic of threshold signatures in the context of Bitcoin. The paper suggests using M-of-N signatures to validate one of the permutations of M that signed. It acknowledges that Musig, which is M-of-M, is prone to loss if a key is lost or a participant aborts during signing. However, it is possible to create M-of-N threshold MuSig signatures for any M and N, as demonstrated in an implementation shared on GitHub. Erik Aronesty raises concerns about Bitcoin releasing a multisig scheme that encourages loss, but it is clarified that there is currently no proposal for a non-redistributable multisig solution.Erik Aronesty discusses the security advantages of a redistributable threshold system and raises concerns about an M-1 rogue-key attack. Gregory Maxwell responds by explaining the possibility of constructing a 2-of-2 signature by adding keys and carrying out an attack using interpolation. The Musig paper describes a delinearization technique to prevent such attacks, but Erik Aronesty has not tested whether the R,s version is susceptible to these attacks.The author of a Medium article responds to feedback from Gregory Maxwell and clarifies that they switched to the Medium platform to edit and improve their work. They mention that no research has been done on the R,s version and explain that an M-1 rogue-key attack would require attacking either the hash function or the Discrete Logarithm Problem (DLP), neither of which gives an advantage to someone with M-1 keys. However, Gregory Maxwell suggests that the author may be ignoring unfavorable feedback.In another instance, Erik Aronesty reposts a broken scheme on Bitcointalk, but there is no response to the original post. This scheme raises concerns about security and functionality. In contrast, Musig is presented as a secure and functional multisig solution. Pieter Wuille suggests implementing a CAS (Compare and Swap) mechanism for precise communication in both directions.The discussion revolves around an M-of-N Bitcoin multisig scheme, with some questioning why there is so much debate around it. Others point out flaws in the scheme and express confusion caused by the person promoting it.In an email exchange, Erik Aronesty asks why his M-of-N Bitcoin multisig scheme is referred to as FUD (Fear, Uncertainty, and Doubt). Andrew Poelstra explains that Aronesty's scheme doesn't work, despite being repeatedly told so, and that Aronesty continues to post incomplete and incoherent versions of it. Poelstra states that Aronesty's scheme is broken.The FUD surrounding a specific Bitcoin multisig scheme is deemed unnecessary. The M-of-N shared public key is generated in advance, and signature fragments can be generated offline without communication between participants. Andrew Poelstra clarifies that there are no non-interactive Schnorr signatures.In the same email exchange, Erik Aronesty notes that his spec cannot be used directly with a Shamir scheme for single-round threshold multisigs. Andrew Poelstra clarifies that (R,s) schemes can still be used online if participants publish the R(share).In various discussions and exchanges, questions are raised regarding the implementation and encoding of public and private keys in the proposed Schnorr signature scheme. Various suggestions and clarifications are provided to address these concerns.There is also a discussion about the optimal order of inputs for hashing in ECDSA signatures, with arguments for both nonce-first and message-first approaches. The debate touches on security benefits, standard hash function design, and optimization techniques.Overall, the context encompasses proposals, discussions, clarifications, and concerns related to implementing 64-byte elliptic curve Schnorr signatures in Bitcoin, including threshold signatures and multisig schemes.

Discussion History

Pieter WuilleOriginal Post
July 6, 2018 18:08 UTC
July 6, 2018 21:05 UTC
July 6, 2018 22:00 UTC
July 6, 2018 22:01 UTC
July 7, 2018 02:47 UTC
July 8, 2018 14:36 UTC
July 14, 2018 15:42 UTC
July 14, 2018 21:20 UTC
August 4, 2018 12:22 UTC
August 5, 2018 14:33 UTC
August 6, 2018 08:39 UTC
August 6, 2018 14:00 UTC
August 6, 2018 21:12 UTC
August 12, 2018 16:37 UTC
August 29, 2018 12:09 UTC
September 3, 2018 00:05 UTC
September 5, 2018 12:26 UTC
September 5, 2018 13:05 UTC
September 5, 2018 13:14 UTC
September 5, 2018 15:35 UTC
September 11, 2018 16:34 UTC
September 11, 2018 17:00 UTC
September 11, 2018 17:20 UTC
September 11, 2018 17:27 UTC
September 11, 2018 17:37 UTC
September 11, 2018 17:51 UTC
September 11, 2018 18:30 UTC
September 13, 2018 18:46 UTC
September 13, 2018 20:20 UTC
September 14, 2018 14:38 UTC
September 20, 2018 21:12 UTC