● Everything is broken by Cory Fields (transcript, video), a talk describing how Bitcoin is at risk not only from bugs in its own software but also from bugs in the libraries, operating systems, and even hardware it depends upon. Fields then looks back to a period when certain classes of bugs were plaguing another major open source project, Mozilla Firefox, and at that project’s foresight in attempting to categorically eliminate some of those problems by starting development, ten years ago, of a new programming language (Rust) that could provide stronger automatic guarantees. Finally, Fields asks the audience to contemplate initiatives we could start now that would, over the course of the next ten years, help categorically eliminate some types of problems that Bitcoin users and developers currently need to worry about.

● Near misses: What could have gone wrong by Ethan Heilman (transcript, video), a survey of five problems in Bitcoin’s past that could’ve led to significant losses of user funds or user confidence. Following the survey, Heilman asks the audience to consider what a worst-case software failure in Bitcoin would look like today, or what would’ve happened if one of the previously-encountered problems had been exploited by an attacker to its fullest extent. We recommend attempting this exercise: it obviously emphasizes the dangers that remain in Bitcoin, but it may also highlight ways in which Bitcoin is more secure than you initially expect.

● The quest for practical threshold Schnorr signatures by Tim Ruffing (transcript, video), a description of research by the speaker and his colleagues into finding a secure, compact, practical, and flexible scheme for threshold Schnorr signatures. Ruffing first describes the difference between generalized threshold signatures and the special case of multi-signatures. A threshold signature allows any sufficiently large subset of a group to sign (e.g. k-of-n); multi-signatures are the special case where the whole group must sign (n-of-n). Protocols like MuSig (see Newsletter #35) and MSDL provide multi-signature signing compatible with bip-schnorr, but threshold signatures for a subset of signers have not been solved to the same degree.

As an example of an outstanding problem, Ruffing notes that the security proofs for existing Discrete Log Problem (DLP) based threshold signature schemes assume that a majority of the potential signers are honest. A 2-of-3 arrangement fits this assumption: the worst case you plan for is one dishonest signer, which is less than a majority. In a 6-of-9 arrangement, however, you want the scheme to remain secure against up to five dishonest signers, but five of nine signers constitute a majority, which violates the assumption the security proof relies on.

Another potential problem is that previously-described protocols expect each participant to have a secure and reliable channel to every other participant. Someone who can eavesdrop on or manipulate that communication may be able to recover the final private key, allowing them to sign any spend they want. This seems solvable, but the proposed solution does not yet have a security proof.

Ruffing concludes with a wishlist of properties he’d like to see in a Schnorr-based threshold signature scheme, including several stretch goals.
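To make the k-of-n versus n-of-n distinction concrete, and to show why the share-distribution and communication assumptions matter, here is an added example (not code from the talk, from MuSig, from MSDL, or from any scheme Ruffing cites) of a textbook threshold Schnorr construction over secp256k1: a trusted dealer Shamir-shares the private key, any k signers combine Lagrange-weighted partial signatures into one ordinary Schnorr signature under the group key, and anyone holding k shares recovers the key outright. The curve arithmetic, challenge hash and all function names are this example’s own assumptions and are deliberately simplified (plain (R, s) signatures, no nonce commitments, not constant-time); it demonstrates the algebra, not a secure protocol.

```python
"""Toy k-of-n threshold Schnorr over secp256k1 with a trusted dealer.

Added illustration only. NOT a secure protocol: the dealer sees every share,
shares travel in the clear, and nonces are summed without commitments. These
are exactly the gaps the talk discusses.
"""
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def challenge(R, pub, msg):
    """e = H(R.x || P.x || m) mod N; a simplified Schnorr challenge."""
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def verify(pub, msg, sig):
    """Ordinary Schnorr check: s*G == R + e*P. Knows nothing about shares."""
    R, s = sig
    return point_mul(s, G) == point_add(R, point_mul(challenge(R, pub, msg), pub))


def deal_shares(secret, k, n):
    """Shamir-share `secret` as f(1..n) for a random degree-(k-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(k - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
            for i in range(1, n + 1)}


def lagrange_at_zero(i, signers):
    """Weight for share i so that sum(lambda_i * x_i) over `signers` == f(0)."""
    lam = 1
    for j in signers:
        if j != i:
            lam = lam * j * pow(j - i, -1, N) % N
    return lam


def reconstruct_secret(shares):
    """What the dealer, or anyone who intercepts k shares, can compute."""
    return sum(lagrange_at_zero(i, shares) * x for i, x in shares.items()) % N


def threshold_sign(shares, signers, pub, msg):
    """Each signer contributes a nonce R_i and a partial s_i = r_i + e*lambda_i*x_i."""
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in signers}
    R = None
    for i in signers:
        R = point_add(R, point_mul(nonces[i], G))
    e = challenge(R, pub, msg)
    s = 0
    for i in signers:
        s = (s + nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]) % N
    return R, s


def demo(k=3, n=5, msg=b"constructed sample message"):
    """Return (k signers verify, k-1 signers verify, k shares leak the key)."""
    x = secrets.randbelow(N - 1) + 1
    pub = point_mul(x, G)
    shares = deal_shares(x, k, n)
    ok_k = verify(pub, msg, threshold_sign(shares, list(range(1, k + 1)), pub, msg))
    ok_fewer = verify(pub, msg, threshold_sign(shares, list(range(1, k)), pub, msg))
    leaked = reconstruct_secret({i: shares[i] for i in range(1, k + 1)}) == x
    return ok_k, ok_fewer, leaked
```

demo() returns (True, False, True): any k signers produce a signature the unmodified verifier accepts, k-1 signers do not (their Lagrange weights interpolate the wrong polynomial), and whoever observes k shares in transit holds the full key, which is why the channel assumption in the talk matters. demo(3, 3) is the n-of-n multi-signature case; the partial-signature mechanics do not change, only the subset allowed to sign.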