mimblewimble team mailing list archive

Thread
Date

Re: To Schnorr or not to Schnorr

To: Andrew Poelstra <apoelstra@xxxxxxxxxxxxxx>
From: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
Date: Sat, 25 Mar 2017 17:51:43 -0400
Cc: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
Feedback-id: G8oYroY5d92pDGib9ZSQuAzn8O3JuHnC9BYqk1_LZGLiD5_Mc-EkTbswwpCLUOpi1Q3pbIzgCwewBVSqDCwbaw==:Ext:ProtonMail
In-reply-to: <20170323231327.GQ10783@boulet.lan>
Reply-to: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>

Thanks a lot for the reply and details. I'd like to explore this a little more, to avoid stupid mistakes (most likely caused by me).

Regarding ECDSA, if the implementation is good enough for bitcoin, it seems it'd be good enough for us. Or I'm missing something? Also what are the implications of ECDSA not being a PoK? I didn't realize we needed a full PoK protocol for kernels (as opposed to just any sig).

Regarding Schnorr, as long as it's only for dev/testnet the current implementation is functional, we can just fix multisig. And even if a new libsecp makes incompatible signatures, we can just wipe whatever testnet we're on (assuming we're that far). So why wouldn't that be a better placeholder? We can still consider upstream libsecp Schnorr a blocker.

Thanks!
- Igno

-------- Original Message --------
Subject: Re: [Mimblewimble] To Schnorr or not to Schnorr
Local Time: March 23, 2017 4:13 PM
UTC Time: March 23, 2017 11:13 PM
From: apoelstra@xxxxxxxxxxxxxx
To: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
mimblewimble@xxxxxxxxxxxxxxxxxxx <mimblewimble@xxxxxxxxxxxxxxxxxxx>

There is a lot of work to do with libsecp. The implementations of multisig in
secp-zkp and rust-secp are insecure against malicious key generation (this is
easy to overcome, just require all participants to sign with their key shard
to each other, but there is some risk that the new libsecp version will make
incompatible signatures, forcing some ugly shimming).

Presumably the Schnorr code was pulled from rust-secp? This is pulled from
secp-zkp. So they're all the same implementation, but it's one that has been
removed from upstream libsecp and won't be coming back.

We can use ECDSA as a placeholder, the API pretty-much slots in, but given
that it has no security proof and is not a PoK and its algebraic structure
is a mess, we absolutely must not release a chain with any value on it that
uses ECDSA to sign kernels.

Also, as you notice, MimbleWimble is really useless without Schnorr. You
can't even do coinjoin (incl through ValueShuffle) without multisignature
kernels (or multi-kernel transactions, which we've banned for cutthrough
reasons), so the privacy story isn't even that great.

My personal feeling is that we consider upstream libsecp Schnorr support to
be a blocker and just wait it out. Note that we're still missing sum-Merkle
tree code, and I understand Peter Todd has some thoughts on additional
structures we should be committing to that he hasn't written out, so there's
plenty of work to do even without a kernel signature algo ready to go.

Andrew

On Wed, Mar 22, 2017 at 02:52:11PM -0400, Ignotus Peverell wrote:
> Hi all,
>
> Most of our transaction schemes, whether scriptless scripts for lightning [1], multisig [2] or more robust 2-party transactions [3] all rely on Schnorr signatures. So it would seem reasonable to drop standard ECDSA in favor of Schnorr as default.
>
> However on the implementation side, things are less clear cut. I can count 4 different versions of libsecp256k1 (one on bitcoin-core, one under Blockstream Elements, one under Andrew's Rust binding and one in the Grin repo), 3 of which have some Schnorr support. I _think_ the Schnorr implementation there is enough to support most of what we have in mind, but we may need to expose a few more utility functions (similarly to what I had to do for Pedersen Commitments).
>
> So I can see 2 strategies:
> - Stick with ECDSA for now until Schnorr is brought back in the Bitcoin Core repo (which seems the best supported), then add Schnorr support.
> - Clean up our version of secp256k1 to make it a bona-fide vendor branch, add what we need there (eventually merging back upstream if desired) and standardize on Schnorr. I'm not sure the Schnorr impl is still compatible with the latest Bitcoin Core secp256k1 tree though.
>
> I have a slight preference on 2 as it seems it'd be a better starting base but it's a little more hazardous and I'd love others' opinions. If Andrew or Peter could chime in on what would work best with the libsecp256k1(-zkp or not) plan it'd be really helpful as well.
>
> - Igno
>
> [1] https://lists.launchpad.net/mimblewimble/msg00086.html
> [2] https://lists.launchpad.net/mimblewimble/msg00047.html
> [3] https://lists.launchpad.net/mimblewimble/msg00087.html

> --
> Mailing list: https://launchpad.net/~mimblewimble
> Post to : mimblewimble@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mimblewimble
> More help : https://help.launchpad.net/ListHelp

--
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
who can never find their peace,
whether north or south or west or east"
--Joanna Newsom

Follow ups

Re: To Schnorr or not to Schnorr
From: Andrew Poelstra, 2017-03-26

References

To Schnorr or not to Schnorr
From: Ignotus Peverell, 2017-03-22
Re: To Schnorr or not to Schnorr
From: Andrew Poelstra, 2017-03-23