A flaw in a theorem about Schnorr signatures
نویسنده
چکیده
An alleged theorem of Neven, Smart and Warinschi (NSW) about the security of Schnorr signatures seems to have a flaw described in this report. Schnorr signatures require representation of an element in a discrete logarithm group as a hashable bit string. This report describes a defective bit string representation of elliptic curve points. Schnorr signatures are insecure when used with this defective representation. Nevertheless, the defective representation meets all the conditions of the NSW theorem. Of course, a natural representation of an elliptic curve group element would not suffer from this major defect. So, the NSW theorem can probably be fixed.
منابع مشابه
Schnorr Signatures in the Multi-User Setting
A theorem by Galbraith, Malone-Lee, and Smart (GMLS) from 2002 showed that, for Schnorr signatures, single-user security tightly implies multi-user security. Recently, Bernstein pointed to an error in the above theorem and promoted a key-prefixing variant of Schnorr signatures for which he proved a tight implication from single to multi-user security. Even worse, he identified an “apparently in...
متن کاملShort Schnorr signatures require a hash function with more than just random-prefix resistance
Neven, Smart and Warinschi (NSW) proved, in the generic group model, that full-length Schnorr signatures require only random-prefix resistant hash functions to resist passive existential forgery. Short Schnorr signatures halve the length of the hash function, and have been conjectured to provide a similar level of security. The NSW result is too loose to provide a meaningful security for short ...
متن کاملMulti-user Schnorr security, revisited
Three recent proposals for standardization of next-generation ECC signatures have included “key prefixing” modifications to Schnorr’s signature system. Bernstein, Duif, Lange, Schwabe, and Yang stated in 2011 that key prefixing is “an inexpensive way to alleviate concerns that several public keys could be attacked simultaneously”. However, a 2002 theorem by Galbraith, Malone-Lee, and Smart stat...
متن کاملGeneric Constructions for Secure and Efficient Confirmer Signature Schemes
In contrast to ordinary digital signatures, the verification of undeniable signatures and of confirmer signatures requires the cooperation of the signer or of a designated confirmer, respectively. Various schemes have been proposed so far, from practical solutions based on specific number-theoretic assumptions to theoretical constructions using basic cryptographic primitives. To motivate the ne...
متن کاملEnhancing the security of perfect blind DL-signatures
We enhance the security of Schnorr blind signatures against the novel one-more-forgery of Schnorr [Sc01] and Wagner [W02] which is possible even if the discrete logarithm is hard to compute. We show two limitations of this attack. Firstly, replacing the group G by the s-fold direct product G×s increases the work of the attack, for a given number of signer interactions, to the s-power while incr...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2015 شماره
صفحات -
تاریخ انتشار 2015