1
0
mirror of https://github.com/bitcoinbook/bitcoinbook synced 2024-11-30 03:48:31 +00:00

CH08: Add new intro to ECDSA to compare it to schnorr

This commit is contained in:
David A. Harding 2023-04-08 09:12:30 -10:00
parent 4749fc033f
commit 4f53af3f4e

View File

@ -785,15 +785,54 @@ yet, although significant research into the subject has been performed
by multiple Bitcoin contributors and we expect peer-reviewed solutions by multiple Bitcoin contributors and we expect peer-reviewed solutions
will become available after the publication of this book. will become available after the publication of this book.
[[ecdsa_math]] [[ecdsa_signatures]]
==== ECDSA Math === ECDSA signatures
Unfortunately for the future development of Bitcoin and many other Unfortunately for the future development of Bitcoin and many other
applications, Schnorr patented the algorithm and effectively prevented applications, Claus Schnorr patented the algorithm he discovered and
its use for almost two decades. prevented its use in open standards and open source software for almost
two decades. Cryptographers in the early 1990s who were blocked from
using the schnorr signature scheme developed an alternative construction
called the _Digital Signature Algorithm_ (DSA), with a version adapted
to Elliptic Curves called ECDSA.
((("Elliptic Curve Digital Signature Algorithm (ECDSA)")))As mentioned The ECDSA scheme and standardized parameters for curves it could be used
previously, signatures are created by a mathematical function _F_~_sig_~ with were widely implemented in cryptographic libraries by the time
development on Bitcoin began in 2007. This was almost certainly the
reason why ECDSA was the only digital signature protocol that Bitcoin
supported from its first release version until the activation of the
taproot soft fork in 2021. ECDSA remains supported today for all
non-taproot transactions. Some of the differences compared to schnorr
signatures include:
More complex::
As we'll see, ECDSA requires more operations to create or verify a
signature than the schnorr signature protocol. It's not significantly
more complex from an implementation standpoint, but that extra
complexity makes ECDSA less flexible, less performant, and harder to
prove secure.
Less provable security::
The interactive schnorr signature identification protocol depends only
on the strength of the Elliptic Curve Discrete Logarithm Problem
(ECDLP). The non-interactive authentication protocol used in Bitcoin
also relies on the Random Oracle Model (ROM). However, ECDSA's extra
complexity has prevented a complete proof of its security being
published (to the best of our knowledge). We are not experts in
proving cryptographic algorithms, but it seems unlikely after 30 years
that ECDSA will be proven to only require the same two assumptions as
schnorr.
Non-linear::
ECDSA signatures cannot be easily combined to create scriptless
multisignatures or used in related advanced applications such as
multi-party signature adaptors. There are workarounds for this
problem, but they involve additional extra complexity which
significantly slows down operations and which, in some cases, has
resulted in software accidentally leaking private keys.
Looking at the math of ECDSA,
signatures are created by a mathematical function _F_~_sig_~
that produces a signature composed of two values. In ECDSA, those two that produces a signature composed of two values. In ECDSA, those two
values are _R_ and _S_. In this values are _R_ and _S_. In this
section we look at the function _F_~_sig_~ for ECDSA in more detail. section we look at the function _F_~_sig_~ for ECDSA in more detail.
@ -884,7 +923,7 @@ is part of the DER encoding scheme.
[[nonce_warning]] [[nonce_warning]]
=== The Importance of Randomness in Signatures === The Importance of Randomness in Signatures
((("digital signatures", "randomness in")))As we saw in <<ecdsa_math>>, ((("digital signatures", "randomness in")))As we saw in <<schnorr_signatures>> and <<ecdsa_signatures>>,
the signature generation algorithm uses a random key _k_, as the basis the signature generation algorithm uses a random key _k_, as the basis
for an ephemeral private/public key pair. The value of _k_ is not for an ephemeral private/public key pair. The value of _k_ is not
important, _as long as it is random_. If the same value _k_ is used to important, _as long as it is random_. If the same value _k_ is used to