Schnorr sigs vs pairing sigs [combined summary]




Published on: 2020-03-06T06:40:24+00:00


Summary:

A recent discussion on the Bitcoin-dev mailing list debates whether to prefer non-deterministic signatures like Schnorr over pairing-based signatures such as BLS. The main point of contention is whether randomness in a signature scheme is desirable because it enables a type of signature encryption known as "adaptor signatures," which is significant for layer 2 protocols. To support this argument, the original poster shares a paper they wrote on the subject, titled "One-Time Verifiably Encrypted Signatures A.K.A Adaptor Signatures."

Erik Aronesty presents an opposing viewpoint, emphasizing that Schnorr signatures depend heavily on the masking provided by a random nonce. He points out that there are various straightforward ways to introduce bias into that nonce, such as using hash + modulo, and cites a study presented at ECC2017 which shows that as little as 2 bits of bias can lead to severe attacks. In light of this, Aronesty suggests considering pairing-based signatures: they may be slower, but they offer more flexibility and better security implementations.

Overall, the discussion highlights the trade-offs between signature schemes. Proponents of randomness argue for it because it makes adaptor signatures available to layer 2 protocols, while others caution that nonce bias can compromise the security of Schnorr signatures. The choice of scheme comes down to balancing performance, flexibility, and security.
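The "hash + modulo" bias mentioned in the summary can be measured exactly. The following Python sketch is an added example, not code from the mailing-list posts: it computes how far `hash % q` is from uniform and shows a rejection-sampling derivation that avoids the reduction. The function names, the toy modulus 200 and the use of the secp256k1 group order (the summary names no curve) are assumptions, and the derivation is a simplified sketch, not RFC 6979.

```python
import hashlib
import hmac
from fractions import Fraction

# secp256k1 group order (well-known constant; assumed here, the summary names no curve).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def modulo_bias(hash_bits: int, q: int) -> Fraction:
    """Exact statistical distance from uniform of (uniform hash_bits-bit int) % q."""
    space = 1 << hash_bits
    extra = space % q  # residues below `extra` are hit one more time than the rest
    return Fraction(extra * (q - extra), space * q)


def nonce_naive(key: bytes, msg: bytes, q: int) -> int:
    """Weak pattern: hash + modulo, biased whenever 2**256 is not a multiple of q."""
    return int.from_bytes(hashlib.sha256(key + msg).digest(), "big") % q


def nonce_rejection(key: bytes, msg: bytes, q: int) -> int:
    """Deterministic rejection sampling for q of at most 256 bits.

    Candidates are truncated to q.bit_length() bits and retried until one
    falls in [1, q), so no residue is favoured by a modular reduction.
    """
    bits = q.bit_length()
    if bits > 256:
        raise ValueError("sketch supports moduli up to 256 bits")
    counter = 0
    while True:
        digest = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        candidate = int.from_bytes(digest, "big") >> (256 - bits)
        if 0 < candidate < q:
            return candidate
        counter += 1


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed sample key
    print("toy q=200, 8-bit hash:", float(modulo_bias(8, 200)))
    print("secp256k1, 256-bit hash:", float(modulo_bias(256, SECP256K1_N)))
    print("naive nonce:", nonce_naive(key, b"msg", 200))
    print("rejection-sampled nonce:", nonce_rejection(key, b"msg", 200))
```

The size of the bias depends on how the modulus relates to the hash range: it is large for the toy modulus and about 2^-128 for a 256-bit hash reduced modulo the secp256k1 order, so the concern applies mainly to truncated hashes or group orders far from a power of two.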


Updated on: 2023-08-02T01:55:05.387322+00:00