Score:7

Security Proof of Short Schnorr Signature


I know that this is a very specific question, but I still hope that someone can help me. I'm trying to understand the security of the short Schnorr signature a little bit better. The security parameter is $k$. The Schnorr Signature $\sigma = (s,e)$ with $s,e \in \mathbb{Z}_q$ has a signature length of $4k$ bits ($s$ and $e$ have $2k$ bits, $e$ is a hash output). The Short Schnorr Signature uses a shorter hash output of $k$ bit length so that the resulting signature has a length of $3k$ bits. Apparently, the Short Schnorr Signature has the same security level as the "normal" Schnorr Signature, as stated in the security proofs on the last page of the paper 'Security of Signed ElGamal Encryption', Schnorr, Jakobsson (page 85). I'm just going to cite the part that I don't understand and hope that someone can explain it to me without me having to give more context.

... a CCA-attacker does not succeed better than with probability $\frac{1}{2}+t^2/q+l(2^{-k}-\frac{1}{q})$, where $l$ is the number of decryptor interactions. This shows that random hash values can securely range over a set of $\sqrt q$ values.

( $q \approx 2^{2k}$ )

Thanks a lot in advance!

fgrieu:
What's surprising in the quote is that the result invoked (from Theorem 1), the "CCA-attacker", and the "decryptor", are for encryption, not signature. I admit I fail to make sense out of that. I do get that $k$ is supposed to be the width of the hash in short Schnorr signature.
fgrieu:
Is the question about this specific paper? Is it restricted to theoretical (s)EUF-CMA, or do other security aspects count? Short Schnorr signature has a number of borderline practical issues that normal Schnorr, EdDSA, (EC)DSA do not have, including: vulnerability to second pre-image attack of the hash with effort $2^k$ hashes (meaning the symmetric hash, not the asymmetric crypto, is the practical weak spot); and that the private key holder can make pairs of meaningful messages with the same signature at cost about $2^{k/2}$ hashes (which can be perceived as a repudiation/FUD risk).
us flag
Well, the security of short Schnorr sigs is proven in a completely different paper: neven.org/papers/schnorr.html. Please look into this first.
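For readers who want to see the two variants from the question side by side, here is an added example (not from the thread or from either paper) that signs with a $2k$-bit and a $k$-bit challenge $e$ over the same group and reports the resulting $4k$ and $3k$ bit signature sizes. The toy parameter $k = 16$, the truncated SHA-256 hash, the input order $H(r \| m)$ and all function names are assumptions made for illustration; parameters this small offer no security.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def toy_group(k):
    """Constructed toy parameters: prime q of 2k bits, prime p = c*q + 1, g of order q."""
    q = 2 ** (2 * k) - 1
    while not is_prime(q):
        q -= 2
    c = 2
    while not is_prime(c * q + 1):
        c += 2
    p, h = c * q + 1, 2
    while pow(h, c, p) == 1:
        h += 1
    return p, q, pow(h, c, p)

def H(r, msg, bits):
    """Assumed hash: SHA-256 of r || msg truncated to `bits` bits (16 bytes fit the toy p)."""
    digest = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def sign(msg, x, p, q, g, bits):
    t = secrets.randbelow(q - 1) + 1            # fresh nonce per signature
    e = H(pow(g, t, p), msg, bits)              # challenge: 2k bits (normal) or k bits (short)
    return (t + x * e) % q, e                   # sigma = (s, e)

def verify(msg, sig, y, p, q, g, bits):
    s, e = sig
    if not (0 <= s < q and 0 <= e < 2 ** bits):
        return False                            # reject out-of-range components
    r = pow(g, s, p) * pow(y, (-e) % q, p) % p  # g^s * y^(-e) recovers g^t
    return H(r, msg, bits) == e

def sig_bits(q, bits):
    return q.bit_length() + bits                # 2k bits for s plus the width of e

K = 16                                          # toy security parameter (assumption)
P, Q, G = toy_group(K)
X = secrets.randbelow(Q - 1) + 1                # private key
Y = pow(G, X, P)                                # public key
```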