 It's not a simple question ... blatant hack-ability is mostly not considered realistic. 2 decades of usage in the wild speaks to this. Is (EC)DSA a bit weaker than Schnorr theoretically? Yes. It has some quirks. My guess, if NSA were motivated to get this in, it was more "we'll crack a few systems here and there because this is hard to get right", but even that is a stretch. The biggest pitfalls in DSA are there in Schnorr too: bad nonce randomness. DSA has more weird special cases though, like "forgeries" that aren't real forgeries.
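
As an added illustration of the nonce pitfall named above (not from the poster or any real library): toy Schnorr and DSA over a constructed, deliberately insecure subgroup (p = 10091, q = 1009), showing that in both schemes a nonce reused under two messages gives away the private key, and the deterministic-nonce derivation (in the spirit of RFC 6979 / BIP-340) that removes the randomness dependency. All parameters, keys and messages are constructed for the demo.

```python
import hashlib

# Constructed toy parameters, NOT secure: p = 10*q + 1, G generates the order-q subgroup.
P, Q = 10091, 1009
G = pow(2, (P - 1) // Q, P)
assert G != 1 and pow(G, Q, P) == 1

def h(*parts):
    """Hash the parts to an integer mod q (toy domain separation: '|' concatenation)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def schnorr_sign(x, msg, k):
    r = pow(G, k, P)
    e = h(str(r).encode(), msg)              # challenge binds nonce commitment and message
    return e, (k - x * e) % Q                # signature (e, s)

def schnorr_verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P      # g^s * y^e == g^k for a valid signature
    return h(str(r).encode(), msg) == e

def dsa_sign(x, msg, k):
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return r, s                              # signature (r, s)

def dsa_verify(y, msg, sig):
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

def schnorr_key_from_reused_nonce(sig1, sig2):
    """Same k under two messages: s1 - s2 = x*(e2 - e1) mod q, so x falls out."""
    (e1, s1), (e2, s2) = sig1, sig2
    return (s1 - s2) * pow((e2 - e1) % Q, -1, Q) % Q

def dsa_key_from_reused_nonce(m1, sig1, m2, sig2):
    """Same k under two messages: both signatures share r, and s1 - s2 = (h1 - h2)/k mod q."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2, "different r values: the nonce was not reused"
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r, -1, Q) % Q   # from s = (h + x*r)/k

def deterministic_nonce(x, msg):
    """Mitigation: derive k from the key and message (RFC 6979 / BIP-340 style), so no RNG
    failure can repeat k across different messages. Toy derivation, not the RFC's HMAC-DRBG."""
    return h(b"nonce", str(x).encode(), msg) or 1
```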

😄 I like this conspiracy theory: NSA paid Claus Schnorr to apply for an extremely aggressive patent so no one could use the stronger signature scheme.