Schnorr簽名資源

Schnorr Signature Resources

倉庫位置

Schnorr Signatures 是一個聚合多個簽名演算法,主要為了減少m-n多簽名的size,不管有多少個使用者,都可以用一個簽名來解決,從而減少區塊的大小。另外一方面這也縮短了簽名校驗的時間,因為多簽名情況下,只需要驗證一個簽名就可以。同時也可以一定程度解決匿名性,多簽名中隱藏了單個使用者的資訊。由於專利的問題,這個演算法並沒有標準實現(目前專利保護已經到期),有可能多語言之間互通還有些挑戰。Schnorr Signatures也是一種橢圓簽名演算法,不能解決量子計算攻擊。 https://bitcoincore.org/en/2017/03/23/schnorr-signature-aggregation/ by 三眼世界

2008年專利過後的區塊鏈新專案不少使用Schnorr Signature簽名,例如monero, corda, hyperledger iroha, chain等。

Medium

Ethfans

8btc

論文

  • 可防止提權攻擊之階層式安全比特幣錢包機制 隨著比特幣日益普及,人們傾向於使用比特幣錢包來管理用來支出或接受資金的金鑰。階層式確定性(HD)錢包不是隨機生成不便於存儲的金鑰對,而是從單一種子來派生所有金鑰,因此只要存儲該種子便足以恢復金鑰。HD錢包中允許使用者在不知道任何私鑰的情況下從父公鑰生成子公鑰,這個功能的一個合適情況是允許稽查人員導出所有公鑰以進行審計的案例。然而,這個優秀的特性卻使得HD錢包遭受到所謂的提權攻擊,意即任意一個子私鑰和主公鑰的洩漏就會導致整個錢包中的所有密鑰洩漏出去。為了應對這個嚴重的問題,我們提出了一種新的HD錢包機制,該機制使用陷門雜湊函數發出簽章,而不是直接提供給任何人私鑰以產生簽章,因此可以防止提權攻擊的發生。然而,我們所提出的方案提供了兩個公鑰之間的不可連結性,以實現用戶身分的匿名性和金鑰派生的高可擴展性。因此,我們的機制實現了匿名性、公鑰派生以及高可擴展性。
  • Hash function requirements for Schnorr signatures We provide two necessary conditions on hash functions for the Schnorr signature scheme to be secure, assuming compact group representations such as those which occur in elliptic curve groups. We also show, via an argument in the generic group model, that these conditions are sufficient. Our hash function security requirements are variants of the standard notions of preimage and second preimage resistance. One of them is in fact equivalent to the Nostradamus attack by Kelsey and Kohno (Eurocrypt 2006), and, when considering keyed compression functions, both are closely related to the ePre and eSec notions by Rogaway and Shrimpton (FSE 2004). Our results have a number of interesting implications in practice. First, since security does not rely on the hash function being collision resistant, Schnorr signatures can still be securely instantiated with SHA-1/SHA-256, unlike DSA signatures. Second, we conjecture that our properties require O(2n) work to solve for a hash function with n-bit output, thereby allowing the use of shorter hashes and saving twenty-five percent in signature size. And third, our analysis does not reveal any significant difference in hardness between forging signatures and computing discrete logarithms, which plays down the importance of the loose reductions in existing random-oracle proofs, and seems to support the use of “normal-size” groups.
  • Efficient Identification and Signatures for Smart CardsWe present an efficient interactive identification scheme and a related signature scheme that are based on discrete logarithms and which are particularly suited for smart cards. Previous cryptoschemes, based on the discrete logarithm, have been proposed by El Gamal (1985), Chaum, Evertse, Graaf (1988), Beth (1988) and Günter (1989). The new scheme comprises the following novel features.
  • How To Prove Yourself: Practical Solutions to Identification and Signature Problems In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack if factoring is difficult, and typical implementations require only 1% to 4% of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control systems.
  • Attacks on Schnorr signatures with biased nonces
  • On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model The Schnorr signature scheme has been known to be provably secure in the Random Oracle Model under the Discrete Logarithm (DL) assumption since the work of Pointcheval and Stern (EUROCRYPT ’96), at the price of a very loose reduction though: if there is a forger making at most   q    h   random oracle queries, and forging signatures with probability   ε     F   , then the Forking Lemma tells that one can compute discrete logarithms with constant probability by rewinding the forger (𝑞ℎ/𝜀𝐹)O(qh/εF) times. In other words, the security reduction loses a factor (𝑞ℎ)O(qh) in its time-to-success ratio. This is rather unsatisfactory since   q     h   may be quite large. Yet Paillier and Vergnaud (ASIACRYPT 2005) later showed that under the One More Discrete Logarithm (OMDL) assumption, any   algebraic   reduction must lose a factor at least 𝑞1/2ℎqh1/2 in its time-to-success ratio. This was later improved by Garg   et al.   (CRYPTO 2008) to a factor 𝑞2/3ℎqh2/3. Up to now, the gap between 𝑞2/3ℎqh2/3 and   q     h  remained open. In this paper, we show that the security proof using the Forking Lemma is essentially the best possible. Namely, under the OMDL assumption, any algebraic reduction must lose a factor   f  (  ε     F   )  q     h   in its time-to-success ratio, where   f   ≤ 1 is a function that remains close to 1 as long as   ε     F   is noticeably smaller than 1. Using a formulation in terms of expected-time and queries algorithms, we obtain an optimal loss factor Ω(  q     h   ), independently of   ε     F   . These results apply to other signature schemes based on one-way group homomorphisms, such as the Guillou-Quisquater signature scheme.
  • Schnorr Non-interactive Zero-Knowledge Proof This document describes the Schnorr non-interactive zero-knowledge (NIZK) proof, a non-interactive variant of the three-pass Schnorr identification scheme. The Schnorr NIZK proof allows one to prove the knowledge of a discrete logarithm without leaking any information about its value. It can serve as a useful building block for many cryptographic protocols to ensure that participants follow the protocol specification honestly. This document specifies the Schnorr NIZK proof in both the finite field and the elliptic curve settings.

Latest Posts

比特幣的區塊時間戳保護規則
比特幣的區塊時間戳保護規則

摘要: 我們檢查了比特幣鮮為人知的兩個規則,這些規則用於防止不法礦工操縱區塊時間戳以獲得不公平的高額挖礦報酬。我們討論了為什麼可能選擇類似2小時MAX_FUTURE_BLOCK_TIME值之類的常數,以及該值會對比特幣現金有何特定的影響。我們得出的結論是,考慮到實施規則時缺乏功能網路,比特幣的時間保護規則似乎相當有效,令人讚嘆。6 NOVEMBER 2019, BITMEX RESEARCH

過去到現在的Bitcoin性能測試
過去到現在的Bitcoin性能測試

摘要: 我們成功地進行了 35 次初始區塊下載(Initial Block Download, IBD),並記錄了節點與網路同步所花費的時間,從而測試了 Bitcoin Core 的性能。我們使用了從 2012 年到 2019 年的軟體版本。結果表明,軟體性能得到了顯著而持續的改善,但差異也很大。即使使用最新的電腦硬體,舊版本的 Bitcoin 仍難以克服 2015 年至 2016 年期間的交易量提升。因此,我們得出結論,如果沒有軟體增強功能,今天的初始同步幾乎是不可能的。2019年11月29日, BITMEX Research

使用區塊鏈和感知雜湊達到去中心化之圖像共享和版權保護
使用區塊鏈和感知雜湊達到去中心化之圖像共享和版權保護

本篇文章翻譯自 Decentralised Image Sharing and Copyright Protection using Blockchain and Perceptual Hashes,媒體區塊鏈的範疇越來越發人深省,究竟該如何透過去中心化的機制來達到版權保護呢?一起來閱讀本篇文章吧!