How does the Related Key Attack on Schnorr Signatures work in real life?

We know that Schnorr signature is applied this way:

Key Generation

  • Define curve ( E ), field ( F_q ), order ( N ), generator ( G ), and hash ( h ).
  • Private key: ( d in (0, N) ), Public key: ( P = dG ).

Signing

  1. Random ( k in (1, N) ), compute ( R = kG ).
  2. ( c = h(R || M) ), ( s = (k + d * c) % N ).
  3. Signature: ( (R, s) ).

Verification

  • Compute ( c = h(R || M) ) and check ( sG = R + cP ).
  • Valid if true.

Related-key attack:

A Related Key Attack targets the Schnorr signature scheme by exploiting additive modifications to public keys.

If an attacker has a valid signature ( (R, s) ) for a public key ( P ), they can generate another valid signature ( (R, s + ac) ) for a related public key ( P + aG ), where ( a ) is a scalar. Thus, public keys generated via additive changes are vulnerable, as the attacker can forge valid signatures.

My doubt

What I don't understand is how this attack works in a real scenario. What should an attacker actually do?

The attacker must hope to find a victim with the exact public key ( P + aG ). The attacker cannot arbitrarily choose this public key. While the attacker can modify the scalar ( a ), it is dependent on the original public key ( P ), so the victim public key cannot be selected freely.

So, how does this attack manifest in the real world? Am I missing something here?



from Recent Questions - Bitcoin Stack Exchange https://ift.tt/CJj8qQu
via IFTTT

Popular posts from this blog

Do Kwon’s Detention Prolonged Until 2024 As Montenegro Responds To Extradition Requests

Image
According to an International Business Times report , Montenegro’s Supreme Court decided to extend the detention of TerraForm Labs founder and CEO Do Kwon until February 2024, following extradition requests from the United States and South Korea. Closed-Door Discussions Reveal Montenegro’s Plan For Do Kwon Initially set to be extradited to the US on December 15, Do Kwon’s fate turned when the Montenegrin High Court ruled to prolong his stay until February 15, 2024. The decision stems from charges related to the collapse of the TerraUSD stablecoin, which led to significant financial losses. The High Court had previously ordered Kwon’s extradition by Friday, but his defense team appealed the decision in the appellate court in Podgorica, the capital of Montenegro. The Montenegrin Court of Appeal confirmed that Kwon contested the High Court’s ruling, vehemently stating, “I do not submit to the court’s decision.” Recent reports indicate that Montenegro’s Justice Minister, Andrej Mil...
Read more

Sam Bankman-Fried Trial Begins Tomorrow: 3 Reasons Ex-SEC Official Foresees Conviction

Image
The trial of Sam Bankman-Fried, the founder of cryptocurrency exchange FTX and hedge fund Alameda Research, is set to commence in New York on Tuesday, October 3.  This comes almost a year after the collapse of both FTX and Alameda Research. The events leading up to the trial paint a picture of alleged fraudulent activities and money laundering that caused significant damage to the businesses involved. Ex-SEC Official’s Bleak Prediction As Sam Bankman-Fried Trial Commences In a nutshell, Alameda Research purportedly took customer deposits from FTX and invested them in fictitious crypto tokens, which derived their value from the confidence in FTX’s operations.  When this confidence waned, FTX and Alameda Research suffered substantial losses, which many argue contributed to a broader disillusionment in the cryptocurrency industry.  Following an investigation, federal authorities uncovered numerous alleged crimes, leading to seven federal fraud and money-laundering cha...
Read more

Future of Bitcoin encryption and security in a QC era

How will the advancement of quantum computing impact the security of Bitcoin, and what steps are necessary to protect the network from this emerging threat? What role could lattice-based encryption play in safeguarding Bitcoin, and which of the current algorithms are best suited for this purpose? How would the implementation of such encryption technology be integrated into the existing Bitcoin infrastructure, and what challenges might arise during this process? What happens to existing addresses that rely on elliptic curve cryptography? Is there a way to seamlessly transition old addresses to the new system, or would users need to actively transfer their funds to new, more secure addresses? How could such a transition be designed to ensure user security while maintaining trust in the network? from Recent Questions - Bitcoin Stack Exchange https://ift.tt/aZeY2fo via IFTTT
Read more