[bitcoin-dev] Schnorr sigs vs pairing sigs

Erik Aronesty erik at q32.com
Thu Mar 5 19:01:27 UTC 2020


Schnorr sigs rely so heavily on the masking provided by a random
nonce. There are so many easy ways to introduce bias (hash + modulo,
for example).

Even 2 bits of bias can result in serious attacks:

https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf

Maybe pairing based sigs, which are slower, might be both more
flexible and better suited to secure implementations?
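The two kinds of nonce bias the post names, "hash + modulo" and a nonce that is a couple of bits short, can be quantified exactly rather than argued about. The example below is added here and is not code from the post or from any Bitcoin implementation. It uses a made-up 16-bit modulus N (an assumption, chosen so that 2**16 = N + 17 and the effect is visible; it is not a curve order) to compute the exact statistical distance from uniform that reducing a hash mod N introduces, the far larger distance when the top two bits of the nonce are always zero, and then checks the numbers empirically against three nonce derivations: hash-then-reduce, reducing twice as many hash bits, and rejection sampling. The secret key and messages are constructed test inputs.

```python
"""Added example: how much bias 'hash, then reduce mod n' puts into a nonce,
and two ways to remove it. Not part of the original post."""
import hashlib
from fractions import Fraction

# Assumption: a toy modulus chosen so that 2**16 = N + 17 and the bias is easy
# to see. It is not a real curve order.
N = (1 << 16) - 17
HASH_BITS = 16                       # width of the hash we reduce (toy value)
OVERFLOW = (1 << HASH_BITS) % N      # residues below this get one extra preimage (17)


def reduce_bias(hash_bits: int, n: int) -> Fraction:
    """Exact statistical distance from uniform of H mod n, for H uniform on [0, 2**hash_bits).

    Every residue has q preimages; the first `extra` residues have q + 1.
    """
    total = 1 << hash_bits
    q, extra = divmod(total, n)
    u = Fraction(1, n)
    d_low = abs(Fraction(q + 1, total) - u)
    d_high = abs(Fraction(q, total) - u)
    return (extra * d_low + (n - extra) * d_high) / 2


def truncation_bias(nonce_bits: int, n: int) -> Fraction:
    """Statistical distance when the nonce is uniform on [0, 2**nonce_bits) with
    2**nonce_bits < n, i.e. its top bits are always zero (the 'few bits of bias' case)."""
    m = 1 << nonce_bits
    assert m < n, "truncation only makes sense when the nonce range is smaller than n"
    return Fraction(n - m, n)        # residues >= m never occur at all


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def nonce_mod(secret: bytes, msg: bytes) -> int:
    """Biased: a 16-bit hash reduced mod N (the 'hash + modulo' pattern)."""
    return int.from_bytes(_h(secret, msg)[:2], "big") % N


def nonce_oversampled(secret: bytes, msg: bytes) -> int:
    """Reduce twice as many hash bits; the bias falls from about 2**-12 to about 2**-24."""
    return int.from_bytes(_h(secret, msg)[:4], "big") % N


def nonce_rejection(secret: bytes, msg: bytes) -> int:
    """Rejection sampling: rehash with a counter until the value is already < N. No bias."""
    ctr = 0
    while True:
        k = int.from_bytes(_h(secret, msg, ctr.to_bytes(4, "big"))[:2], "big")
        if k < N:
            return k
        ctr += 1


def excess_ratio(derive, samples: int = 400_000) -> float:
    """Empirical check: how often nonces land in the over-represented residues
    [0, OVERFLOW), relative to a uniform nonce. 1.0 is unbiased, 2.0 is doubled."""
    secret = b"constructed-secret-key"   # constructed test input, not a real key
    hits = sum(1 for i in range(samples)
               if derive(secret, i.to_bytes(4, "big")) < OVERFLOW)
    expected = samples * OVERFLOW / N
    return hits / expected


if __name__ == "__main__":
    print("hash-then-mod bias, 16-bit hash:", float(reduce_bias(16, N)))
    print("hash-then-mod bias, 32-bit hash:", float(reduce_bias(32, N)))
    print("top 2 bits always zero:", float(truncation_bias(14, N)))
    for f in (nonce_mod, nonce_oversampled, nonce_rejection):
        print(f.__name__, round(excess_ratio(f), 2))
```

The exact numbers make the post's two concerns concrete: reducing a hash the same width as N leaves a distance of about 2**-12 from uniform here, oversampling pushes it below 2**-24, and a nonce with its top two bits stuck at zero sits three quarters of the way from uniform, which is the regime the linked lattice attacks exploit. Rejection sampling removes the bias entirely at the cost of a variable number of hash calls.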

