Schnorr sig implementation diverges from the BIP340 standard #22435

issue antonio-fr opened this issue on July 12, 2021
  1. antonio-fr commented at 8:24 PM on July 12, 2021: contributor

    The BIP340 SchrorrSig standard states that during the signature there is a verification step, aborting the signature if verification fails. It is not mandatory, "it is recommended, but can be omitted if the computation cost is prohibitive".

    The underlying secp256k1 library is written in C and ASM is very very efficient on multiple platforms. I can't see so much case where this cost is prohibitive. The only cases I can see is on small connected devices, embedded systems, or security chips, which are running below 50 Mhz, without full crypto-accelerator. Also this library is the central security implementation in Bitcoin and many other blockchains, and it should should enforce best security practices. Plus the embedded small platforms would be the most vulnerable about the provoked computation errors to leak the private keys. But it is not an issue if the small devices has only a small amount in its private key.

    The reference implementation in Python is performing this verification step, in accordance with the standard.

    The libsecp256k1 library code documentation used here explains that the secp256k1_schnorrsig_sign method "does not strictly follow BIP-340 because it does not verify the resulting signature. Instead, you can manually use secp256k1_schnorrsig_verify and abort if it fails." So this is up to the secp256k1 library users, here the Bitcoin developers, to add the verification of the signature.

    I propose the following change :

    Adding the verification step in src/key.cpp CKey::SignSchnorr method. And make this optional with compilation flags, by default activated, and users of this consensus software can choose to disengage this security intentionally if they feel that can hurt the computation time over security when signing. For example a leaf key making hundred thousands small transactions a day, with small amount in the address balance, in a small slow embedding device.

    At the very least, one should add a comment note in the SignSchnorr code (or header), explaining and justifying how the computation cost is prohibitive, so the verification step is omitted. For now the comment says SignSchnorr "create a BIP-340 Schnorr signature" and that builds an incorrect feeling of security like as it would follow the given standard.

    An other way, can be to amend the standard, to relax the recommendation, and it could state the verification step is only a possibility to zealous user for stronger security.

    From the security point of view, the verification step has to be added. We just need to discuss users experiences and usage of this software, if the removal of this security protection is a benefit for most users. And especially, from the standard statement, justify that the computation cost is prohibitive, so this security step can be omitted like it is now. The standard makes the choice to strengthen the security against some kind of attacks, and states this can be disabled if this security measure uses prohibitive resources in practice. The standard doesn't say this is an extra feature up to the implementation choice. Actually, this is recommended, but there are specific conditions covering the reasons when it can be omitted.

    The optimizations to reduce the computation resources is focused on signatures checks, and should not be a matter over security for the signing process.

  2. antonio-fr added the label Bug on Jul 12, 2021
  3. tylerchambers commented at 9:36 PM on July 30, 2021: contributor

    We should definitely be verifying signatures, IMO. Is there any prior discussion on this that might indicate why it was left out? Perhaps @sipa could provide some additional context here? (thanks in advance!)

  4. achow101 commented at 9:44 PM on July 30, 2021: member

    It's unnecessary to verify the signature immediately after signing because a transaction's witness is fully verified after signing. It is not detrimental to security to not have the verification in SignSchnorr, and no security is really gained by having it IMO.

  5. sipa commented at 11:08 PM on July 30, 2021: member

    Hmm, but isn't it possible that a potentially corrupted signature ends up in PSBT?

  6. achow101 commented at 11:27 PM on July 30, 2021: member

    Hmm, but isn't it possible that a potentially corrupted signature ends up in PSBT?

    But we still use VerifyScript at the end of ProduceSignature. Even so, if there is memory corruption which results in the signature copied into the PSBT being invalid, verifying immediately after signing wouldn't protect against that.

  7. sipa commented at 11:31 PM on July 30, 2021: member

    @achow101 The concern is a memory/CPU error during signing, because those can leak private key information. If a correctly-created signature accidentally gets corrupted there is no issue.

  8. achow101 commented at 11:49 PM on July 30, 2021: member

    That makes sense. We should do that for the ECDSA functions too then (Sign and SignCompact).

  9. sipa commented at 3:34 AM on July 31, 2021: member

    Yeah, I think so.

  10. laanwj referenced this in commit cb4adbd8ab on Nov 9, 2021
  11. sidhujag referenced this in commit 8d4ffa82f2 on Nov 9, 2021
  12. sipa commented at 6:30 PM on June 8, 2022: member

    I believe this is fixed in #22934. Comment if that's not the case and we can reopen.

  13. sipa closed this on Jun 8, 2022
  14. DrahtBot locked this on Jun 8, 2023
Contributors
antonio-frtylerchambersachow101sipa
Labels
Bug
Linked (view graph)
#22934 Add verification to `Sign`, `SignCompact` and `SignSchnorr`
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me