diff options
| author | Tim Ruffing <crypto@timruffing.de> | 2019-09-08 16:38:55 +0200 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
| commit | 29037bd1230d235129f4673ddac5db845b294bb5 (patch) | |
| tree | 8aa998b69cc115acc8ef4e948e942393e6009c9b /bip-schnorr.mediawiki | |
| parent | 4491902569315b375f5bd41e66d0a21a4e570852 (diff) | |
| download | bips-29037bd1230d235129f4673ddac5db845b294bb5.tar.xz | |
Add a footnote about 32-byte security
Diffstat (limited to 'bip-schnorr.mediawiki')
| -rw-r--r-- | bip-schnorr.mediawiki | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index bb2f9dc..de55ded 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki @@ -79,7 +79,7 @@ For ''P'' the speed of signing and verification does not significantly differ be It is important to not mix up the 32-byte bip-schnorr public key format and other existing public key formats (e.g. encodings used in Bitcoin's ECDSA). Concretely, a verifier should only accept 32-byte public keys and not, for example, convert a 33-byte public key by throwing away the first byte. Otherwise, two public keys would be valid for a single signature which can result in subtle malleability issues (although this type of malleability already exists in the case of ECDSA signatures). -Implicit Y coordinates are not a reduction in security when expressed as the number of elliptic curve operations an attacker is expected to perform to compute the secret key. An attacker can normalize any given public key to a point whose Y coordinate is a quadratic residue by negating the point if necessary. This is just a subtraction of field elements and not an elliptic curve operation. +Implicit Y coordinates are not a reduction in security when expressed as the number of elliptic curve operations an attacker is expected to perform to compute the secret key. An attacker can normalize any given public key to a point whose Y coordinate is a quadratic residue by negating the point if necessary. This is just a subtraction of field elements and not an elliptic curve operation<ref>This can be formalized by a simple reduction that reduces an attack on Schnorr signatures with implicit Y coordinates to an attack to Schnorr signatures with explicit Y coordinates. The reduction works by reencoding public keys and negating the result of the hash function, which is modeled as random oracle, whenever the challenge public key has an explicit Y coordinate that is not a quadratic residue.</ref>. '''Tagged Hashes''' Cryptographic hash functions are used for multiple purposes in the specification below and in Bitcoin in general. To make sure hashes used in one context can't be reinterpreted in another one, hash functions can be tweaked with a context-dependent tag name, in such a way that collisions across contexts can be assumed to be infeasible. Such collisions obviously can not be ruled out completely, but only for schemes using tagging with a unique name. As for other schemes collisions are at least less likely with tagging than without. |