Board: Altcoin Discussion
Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin?
by TPTB_need_war on 08/12/2015, 05:08:10 UTC
This might not be an issue at all, but gmaxwell seems to imply here that there might be a vulnerability in the way segregated witness is implemented in BBR:

https://www.reddit.com/r/Bitcoin/comments/3vq8hm/multiple_new_bip_proposals_coming_up_on_day_2_of/cxpxi5t

Is this something to be worried about? Does it potentially impact other CryptoNote coins or just Boolberry?

All they are saying there is that if you want to prune the signature data, you need to still keep a hash of the signature data in the chain of hashes (of Merkle trees) for the blocks. In other words, you need to still be able to prove which signature signed which transaction, even if you've actually discarded the signature data.

I believe BBR already does the correct thing. And afaik, Monero does not discard signature data, but I could be wrong about that. If they do, I assume they would do the right thing as well.

BBR does not include a hash of the signature data in the blockchain. I'm not sure what exactly are the alleged vulnerabilities either, but I've always been uncomfortable with it, as I said way back in the 2014 BCX free-for-all thread.

Monero does not have any kind of segregated witness so no issue there.

I think the original motivation was to remove signatures from the data that is hashed so as to make the hash of the transaction (the TX ID) orthogonal to the signature data, so as to deal with malleability since due to the use of ECDSA there are two versions of the same signature that are equivalent (one of the reasons Wuille says he wants to replace them with Schnorr signatures instead).

But then to do what they are calling a "segregated witness", the security model changes from every node verifying every detail for themselves, to every node assuming that some node will publish a proof-of-cheating if any activity was incorrect. In other words, these non-full nodes are able to maintain a UTXO (and thus aren't as dumb as SPV lite nodes) but don't verify every signature themselves. So in order to construct that proof-of-cheating, there must be a means to refer to which transaction on the block chain an invalid signature applied to which can be proven because of including a hash of the signature in the block chain. So in other words, malleability only applies until the transaction gets into the block chain. Once it is in the block chain, it is safe to hash the signature data and this enables segregated witness to function as intended.

Apparently BBR is including the signatures in the hash of the TX ID. Cryptonote doesn't have the malleability issue due to ECDSA because CN employs ed25519, which is an Edwards curve (variant of Schnorr). BBR isn't really doing a segregated witness. Rather BBR just discards signature data after assuming all full nodes had verified enough blocks of history. This is just checkpointing with lossy compression. Whereas, segregated witness is where all nodes don't verify the signatures and proof-of-cheating is used as the security model instead. Remember smooth, I had told you my design required a change in the security model.

However, I don't think Bitcoin can implement segregated witness correctly:

---8<---

One of the implications in my design is that propagation of data is crucial and thus an objective truth about who is not propagating has to be established. Afaics, this can't be accomplished with an ad hoc P2P network where data propagates over several peer hops.

Wuille admitted this:

http://diyhpl.us/wiki/transcripts/scalingbitcoin/hong-kong/segregated-witness-and-its-impact-on-scalability/

Quote from: Wuille
So your security assumption goes from not being sybilled, and no miner collusion, goes to "and I am not censored from other nodes which altogether do 100% validation" (for receiving fraud proofs).

This is a far more scalable full-node or partial-full-node model that we could evolve to. It's a security tradeoff. It's certainly not one that everyone would want to make, but it doesn't affect those who wouldn't want that.

Which I think is why they are not proposing for segregated witness to exist without the current security model still in force. And I think once they dig down in DDoS, they will realize you can't mix the two.

This is why I say Bitcoin can't graft this on. It is stuck where it is. We will need an altcoin to start over from scratch. (well I've been wrong before about certain details, so wait for me to write a very detailed paper before assuming this is certain)

Note I had mentioned to you in private weeks (or months?) ago that I had discovered a way to restore the security model to equivalent of Satoshi's. I thought I had. But once I dug into the details of DDoS, I found issues.
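As an added illustration of the distinction the thread draws (this is example code written for this page, not code from the thread, from Bitcoin, Boolberry or any other project), here is a toy model of the two ways a transaction can be committed to a block: a "legacy" ID that hashes the signature in with everything else, versus a segregated-witness ID that covers only the non-witness fields, with a separate commitment to the signature data so a node that has discarded the signatures can still prove which signature was committed for which transaction. Everything is hash-based and constructed: the "signature" byte strings are placeholders standing in for the two equivalent ECDSA encodings the post mentions, there is no real curve arithmetic, and the field layout, names and the block-commitment scheme are assumptions of this example rather than any real chain's format.

```python
"""Toy model of TX IDs, witness commitments and witness pruning (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Binary Merkle root over 32-byte leaves; an odd trailing leaf is duplicated."""
    if not leaves:
        return sha256(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Tx:
    inputs: bytes
    outputs: bytes
    witness: Optional[bytes]      # signature data; None once pruned
    witness_hash: bytes = b""     # commitment to the witness; survives pruning

    def __post_init__(self) -> None:
        if self.witness is not None:
            self.witness_hash = sha256(self.witness)

    def txid(self) -> bytes:
        """Segregated-witness style: the TX ID covers only non-witness data."""
        return sha256(self.inputs + self.outputs)

    def txid_including_witness(self) -> bytes:
        """Legacy style (what the post says BBR does): the signature is part of the ID."""
        if self.witness is None:
            raise ValueError("legacy id cannot be recomputed once the witness is pruned")
        return sha256(self.inputs + self.outputs + self.witness)

    def prune_witness(self) -> None:
        """Discard the bulky signature bytes but keep the hash that commits to them."""
        self.witness = None


def block_commitment(txs: List[Tx]) -> Tuple[bytes, bytes]:
    """Root over TX IDs plus a separate root over witness hashes (both go in the header)."""
    tx_root = merkle_root([tx.txid() for tx in txs])
    witness_root = merkle_root([tx.witness_hash for tx in txs])
    return tx_root, witness_root


def witness_matches_commitment(txs: List[Tx], index: int,
                               candidate: bytes, witness_root: bytes) -> bool:
    """A pruned node checks that a signature presented for txs[index] is the committed one."""
    if sha256(candidate) != txs[index].witness_hash:
        return False
    return merkle_root([tx.witness_hash for tx in txs]) == witness_root


# Constructed sample transactions; "sig-variant-1"/"sig-variant-2" stand in for two
# equivalent encodings of the same signature, which is the malleability case discussed.
TX_A = Tx(inputs=b"in:alice:0", outputs=b"out:bob:5", witness=b"sig-variant-1")
TX_B = Tx(inputs=b"in:carol:3", outputs=b"out:dave:2", witness=b"sig-carol")


def demo() -> Dict[str, bool]:
    malleated = Tx(inputs=TX_A.inputs, outputs=TX_A.outputs, witness=b"sig-variant-2")
    tx_root, witness_root = block_commitment([TX_A, TX_B])
    mal_tx_root, mal_witness_root = block_commitment([malleated, TX_B])

    pruned = Tx(TX_A.inputs, TX_A.outputs, TX_A.witness)
    pruned.prune_witness()   # node keeps witness_hash, drops the signature bytes

    return {
        "txid_stable_under_malleation": TX_A.txid() == malleated.txid(),
        "legacy_id_changes": TX_A.txid_including_witness() != malleated.txid_including_witness(),
        "tx_root_stable": tx_root == mal_tx_root,
        "witness_root_changes": witness_root != mal_witness_root,
        "pruned_binds_original": witness_matches_commitment([pruned, TX_B], 0, b"sig-variant-1", witness_root),
        "pruned_accepts_variant": witness_matches_commitment([pruned, TX_B], 0, b"sig-variant-2", witness_root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two roots is the one the post makes: with the signature outside the TX ID, re-encoding the signature leaves the TX ID and the transaction Merkle root untouched (so malleability stops mattering once the transaction is in a block), while the separate witness root still pins down exactly which signature bytes the block committed to, which is what a proof-of-cheating would have to reference after the raw signatures have been pruned.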