BIP32/43-based standard for Schnorr signatures & decentralized identity



Summary:

Dr. Maxim Orlovsky discussed key derivation, security and key tweaks in the context of Schnorr signatures and Taproot with Pieter Wuille. The proposal under discussion was a new BIP-43-based BIP with a new purpose field for keys used in Schnorr signatures, motivated by the concern that a key used for Schnorr signatures must never also be used for ECDSA signatures, lest the private key leak through an attack correlating signatures made under the two schemes. The discussion separated two distinct issues: reusing the same key (a privacy concern) and using related keys across ECDSA and Schnorr (a cryptographic concern). Reusing the same key in Bitcoin scripts, whether under distinct signature schemes or not, should always be avoided because of its obvious privacy implications. Using related keys across ECDSA and Schnorr raises concerns worth addressing, but no attack against related-key usage is currently known. In conclusion, separate keys and derivation branches should be used for different purposes in all circumstances for privacy reasons, and to stay within the realm of provable security it is advisable to derive ECDSA keys and Schnorr keys through distinct hardened derivation steps.
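The recommendation above (distinct hardened derivation steps for ECDSA and Schnorr keys) is concrete enough to show in code. The following is an added example written for this page, not code from the thread or from any BIP: a minimal BIP32 deriver that only implements hardened CKDpriv (hardened steps hash the parent private key, so no elliptic-curve arithmetic is needed), derives an ECDSA account branch and a Schnorr account branch from one seed, and refuses paths that are not fully hardened or that do not diverge at the purpose level. The seed is the one from BIP32 test vector 1. The purpose indices are assumptions for the example: 44' is BIP44's legacy purpose, and 86' is used for the Schnorr branch (the value BIP86 later assigned to Taproot key-path spending); the summary itself fixes no purpose number.

```python
import hashlib
import hmac

# Order of the secp256k1 group; BIP32 reduces child private keys modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED_OFFSET = 0x80000000

# Purpose indices are assumptions for this example: 44' is BIP44's legacy
# ECDSA purpose; 86' is used here for the Schnorr branch (the value BIP86
# later assigned to Taproot). The discussion summarized above fixes no number.
ECDSA_PATH = "m/44'/0'/0'"
SCHNORR_PATH = "m/86'/0'/0'"


def master_key(seed: bytes):
    """BIP32 master key: HMAC-SHA512 keyed with the string 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; pick another seed")
    return k, i[32:]


def ckd_priv_hardened(k_par: int, c_par: bytes, index: int):
    """One hardened CKDpriv step (index >= 2^31).

    The HMAC input is the parent *private* key, so a leaked child key plus
    chain code never exposes the parent or sibling branches. Non-hardened
    steps (which hash the parent public key) are rejected on purpose.
    """
    if index < HARDENED_OFFSET:
        raise ValueError("non-hardened step; this helper only derives hardened children")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    i_l = int.from_bytes(i[:32], "big")
    k_child = (i_l + k_par) % SECP256K1_N
    if i_l >= SECP256K1_N or k_child == 0:
        # BIP32 says to skip such an index (probability about 2^-127);
        # surface it rather than silently returning a bad key.
        raise ValueError(f"index {index} is invalid for this parent; use the next index")
    return k_child, i[32:]


def parse_path(path: str):
    """'m/44'/0'/0'' -> [0x8000002C, 0x80000000, 0x80000000]; every step must be hardened."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indices = []
    for step in parts[1:]:
        if not step.endswith(("'", "h")):
            raise ValueError(f"step {step!r} is not hardened")
        indices.append(int(step[:-1]) + HARDENED_OFFSET)
    return indices


def derive(seed: bytes, path: str):
    """Private key and chain code at a fully hardened BIP32 path."""
    k, c = master_key(seed)
    for index in parse_path(path):
        k, c = ckd_priv_hardened(k, c, index)
    return k, c


def branches_are_separated(path_a: str, path_b: str) -> bool:
    """True iff both paths are fully hardened and already differ at the purpose step."""
    a, b = parse_path(path_a), parse_path(path_b)
    return bool(a) and bool(b) and a[0] != b[0]


def scheme_keys(seed: bytes):
    """Account-level private keys for the ECDSA and Schnorr branches of one seed."""
    if not branches_are_separated(ECDSA_PATH, SCHNORR_PATH):
        raise ValueError("ECDSA and Schnorr branches must differ at the hardened purpose step")
    return {
        "ecdsa": derive(seed, ECDSA_PATH)[0],
        "schnorr": derive(seed, SCHNORR_PATH)[0],
    }


if __name__ == "__main__":
    # Constructed input: the seed from BIP32 test vector 1.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    keys = scheme_keys(seed)
    print("ecdsa   " + ECDSA_PATH + ":", hex(keys["ecdsa"]))
    print("schnorr " + SCHNORR_PATH + ":", hex(keys["schnorr"]))
```

Because every step up to the account level is hardened, the two account keys are unrelated as far as BIP32 is concerned: knowing one (even with its chain code) gives no handle on the other, which is exactly the separation the discussion recommends for keeping ECDSA and Schnorr usage within provable security. Deriving non-hardened children below the account level for addresses is fine in both branches; only the split between the schemes needs to be hardened.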


Updated on: 2023-06-14T17:22:20.203601+00:00