Preventing Schnorr Signature Batch Verification of Invalid Signatures

In BIP-0340, in the Batch Verification section, (u - 1) randomly selected coefficients a2, ..., au are used in the batch verification equation, as opposed to just setting all of these to value of 1. The reason is given in the following two sources :

https://is.muni.cz/th/oaxta/thesis.pdf :

Page 7

A malicious party could produce an invalid signature, which would complement or cancel out another (possibly invalid) signature, thus making the batch verification succeed even for invalid signatures.

LearnMeABitcoin.com :

However, this equation isn't completely secure, as it's possible to construct a signature that will balance out the equation for an invalid signature. So to prevent this from happening, we multiply each individual verification equation by its own random number (which we call a).

However how could such a balancing out be achieved in practice? Consider the case of u = 2 and set a2 = 1 in BIP-0340 and suppose that (pk1, m1, sig1) is an INVALID signature (so that s1*G != R1 + e1*P1) and we seek some signature (pk2, m2, sig2) (valid or invalid) that we can supply so that the following batch equation balances :

(s1 + s2)*G = R1 + R2 + e1*P1 + e2*P2

My immediate thought was to choose any signature (pk2, m2, sig2) which has R2 equal to the following :

R2 = (s1 + s2)*G - R1  - e1*P1 - e2*P2

which would then make the above equation balance.

But this would not work because e2 has a hash dependency on R2, because e2 equals the hash of data which includes the x-coordinate r2 of R2.

If there was some method whereby a suitable (pk2, m2, sig2) could be found then could we not just use that same method for the case a2 != 1, with the roles of sig1 and sig2 reversed ?

ie. we could find a signature (pk1, m1, sig1) such that the following succeeds :

(s1 + a2*s2)*G = R1 + a2*R2 + e1*P1 + a2*e2*P2

where the signature (pk2, m2, sig2) is invalid.



from Recent Questions - Bitcoin Stack Exchange https://ift.tt/JdTLmnV
via IFTTT

Popular posts from this blog

Future of Bitcoin encryption and security in a QC era

How will the advancement of quantum computing impact the security of Bitcoin, and what steps are necessary to protect the network from this emerging threat? What role could lattice-based encryption play in safeguarding Bitcoin, and which of the current algorithms are best suited for this purpose? How would the implementation of such encryption technology be integrated into the existing Bitcoin infrastructure, and what challenges might arise during this process? What happens to existing addresses that rely on elliptic curve cryptography? Is there a way to seamlessly transition old addresses to the new system, or would users need to actively transfer their funds to new, more secure addresses? How could such a transition be designed to ensure user security while maintaining trust in the network? from Recent Questions - Bitcoin Stack Exchange https://ift.tt/aZeY2fo via IFTTT
Read more

Possible rollback due to lazy reveal in BRC20?

Let's assume user A committed an inscription with {"op":"deploy", "tick": "test"} at block 100 (without revealing it yet). Then user B commits and reveals the exact same inscription at block 101. Because the indexer isn't aware that A's earlier commit was actually for "test," it recognizes B's "test" token as the official one. From blocks 101 to 199, users freely perform various "test" token transactions (e.g., "mint" , "transfer" ). However, at block 200, user A finally reveals their earlier commit. In that case, will the indexer roll back all "test"-related histories that happened between blocks 101 and 199? If so, can we really trust that all BRC20 tokens recognized by the indexer are "safely" the official ones? from Recent Questions - Bitcoin Stack Exchange https://ift.tt/CsYKVTa via IFTTT
Read more

A way to recover scammed Bitcoin investment

I have learned the hard way that even the most seasoned investors can fall prey to malicious actors. When my Investment was stolen, I felt a sense of betrayal and anger. But then, I discovered this FINANCE TEAM, and their professionalism and unwavering commitment gave me a renewed sense of confidence. From the moment I reached out to this Finance Team, I was impressed by their attention to detail and their deep understanding of the Stock and real estate ecosystem. They listened patiently to my story and carefully analyzed the transaction history, leaving no stone unturned in their investigation. Throughout the recovery process, This Finance Teamkept me informed of their progress, providing me with regular updates and answering my countless questions with patience and understanding. Their unwavering dedication and determination gave me a sense of hope during a time of great uncertainty. To my astonishment, This Finance Team was able to recover a significant portion of my stolen Investme...
Read more