[bitcoin-dev] Schnorr sigs vs pairing sigs

Erik Aronesty erik at q32.com
Thu Mar 5 19:01:27 UTC 2020

Schnorr sigs rely so heavily on the masking provided by a random
nonce.   There are so many easy ways to introduce bias (hash + modulo,
for example).

Even 2 bits of bias can result in serious attacks:


Maybe pairing-based sigs - which are slower - might be both more
flexible and better suited to secure implementations?


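As an added example (not part of Erik's message and not code from any Bitcoin implementation), the Python below quantifies the "hash + modulo" bias the message refers to: it computes the exact total-variation distance from uniform of `hash mod q`, shows that a 254-bit hash reduced mod secp256k1's order fixes the top two bits of every nonce (the "2 bits of bias" case), and contrasts the naive reduction with two standard unbiased derivations, widening the hash by 128 bits before reducing (the approach of RFC 9380 hash_to_field and FIPS 186-4's extra-random-bits method) and rejection sampling (the retry loop of RFC 6979, simplified). The secp256k1 order is the only real constant; the seed, message and the toy modulus 181 are constructed for the demonstration.

```python
# Added example: how much bias "hash, then reduce mod the group order" really
# introduces, and two derivation strategies that avoid it.  Not code from the
# thread or from any Bitcoin implementation; secp256k1's order is the only
# real constant, the seeds, messages and toy modulus are constructed.
import hashlib
from fractions import Fraction

# Group order n of secp256k1 (SEC 2 / BIP340).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def modular_bias(bits: int, q: int) -> Fraction:
    """Exact total-variation distance from uniform of (r mod q) when r is
    uniform over [0, 2**bits).  The first (2**bits mod q) residues receive one
    extra preimage each, which gives the closed form
    TVD = extra * (q - extra) / (q * 2**bits); it is 0 only when q | 2**bits."""
    space = 1 << bits
    extra = space % q
    return Fraction(extra * (q - extra), q * space)


def _expand(seed: bytes, msg: bytes, counter: int, nbytes: int) -> int:
    """Deterministic pseudo-random nbytes*8-bit integer (SHAKE256 used as an XOF).
    Constructed helper standing in for whatever hash the real scheme uses."""
    xof = hashlib.shake_256(seed + msg + counter.to_bytes(4, "big"))
    return int.from_bytes(xof.digest(nbytes), "big")


def _draw(seed: bytes, msg: bytes, counter: int, bits: int) -> int:
    """Exactly `bits` uniform bits from the XOF (drop the excess low bits)."""
    nbytes = (bits + 7) // 8
    return _expand(seed, msg, counter, nbytes) >> ((-bits) % 8)


def nonce_hash_mod(seed: bytes, msg: bytes, q: int, bits: int) -> int:
    """The pattern the message warns about: take `bits` bits of hash output and
    reduce mod q.  Its bias is exactly modular_bias(bits, q); with bits < bitlen(q)
    the high bits of k are simply always zero, and k may even be 0."""
    return _draw(seed, msg, 0, bits) % q


def nonce_widened(seed: bytes, msg: bytes, q: int, extra_bits: int = 128) -> int:
    """Reduce a value that has extra_bits more bits than q: residual bias is at
    most 2**-(extra_bits + 2) (RFC 9380 hash_to_field / FIPS 186-4 B.4.1 style).
    Returns k in [1, q-1]."""
    bits = q.bit_length() + extra_bits
    return 1 + _draw(seed, msg, 0, bits) % (q - 1)


def nonce_rejection(seed: bytes, msg: bytes, q: int) -> int:
    """Draw bitlen(q)-bit candidates and retry until 1 <= k < q (the bits2int
    and retry loop of RFC 6979, simplified).  Exactly uniform on [1, q-1]."""
    bits = q.bit_length()
    counter = 0
    while True:
        k = _draw(seed, msg, counter, bits)
        if 1 <= k < q:
            return k
        counter += 1


if __name__ == "__main__":
    n = SECP256K1_N
    # 254 bits: every nonce has its top two bits zero (2 bits of bias).
    # 256 bits: negligible for secp256k1 because n is within 2**129 of 2**256.
    # 384 bits: the widened reduction, bias below 2**-130 for any 256-bit q.
    for bits in (254, 256, 384):
        tvd = float(modular_bias(bits, n))
        print(f"{bits}-bit hash mod secp256k1 n: TVD = {tvd:.3g}")
    # Toy modulus where the same mistake is blatant: 8-bit hash mod 181.
    print("8-bit hash mod 181: TVD =", modular_bias(8, 181))
    seed, msg = b"constructed secret seed", b"constructed message"
    print("hash mod n (254 bits):", hex(nonce_hash_mod(seed, msg, n, 254)))
    print("widened reduction    :", hex(nonce_widened(seed, msg, n)))
    print("rejection sampling   :", hex(nonce_rejection(seed, msg, n)))
```

The closed form makes the trade-off explicit: a reduction is safe when `2**bits` is a large multiple of q plus a remainder that is tiny relative to `2**bits`, which holds for secp256k1 with a full 256-bit hash but not for an order that sits well below a power of two or for a truncated hash. The widened and rejection variants are what deterministic-nonce standards actually specify; the rejection loop also guarantees k is never 0.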