Necessary Schnorr signature non-interactive challenge bindings

Some implementations of a Schnorr signature will determine the challenge as follows:

$c = H(kG \mathbin\| X \mathbin\| m) = H(rG+cX \mathbin\| X \mathbin\| m)$, where:

- $c$ is the challenge
- $m$ is the message being signed
- $X$ is the public key of the signer such that $X=xG$
- $G$ is a well-known base point
- $x$ is the private key of the signer
- $r$ is the response to the challenge, calculated as $r=k-cx$
- $k$ is a uniformly random nonce

However, some Schnorr signatures do not bind the public key $X$ of the signer into the challenge hash. Thus, $c=H(kG \mathbin\| m)$.

What possible attacks are prevented by including $X$ in the challenge hash?

Note that the signature could either be communicated as the pair $(c,r)$, or as the pair $(K,r)$ where $K=kG$.

It's a rather contrived scenario, but suppose that there are two verification keys $X_1=x_1G$ and $X_2=x_2G$ belonging to two distinct signers, and suppose that the attacker knows neither $x_1$ nor $x_2$ but does know the difference between them, say $x_1=x_2+b$. They could then use a signature from signer 1 to forge a signature from signer 2 on the same piece of data (and vice versa) with the unbound scheme.

To do this they'd take the $r_1$ from signer 1's signature and replace it with $r_2=r_1+bc$.
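As an added example (not code from the question or the answer), the Python below implements the $(K, r)$ form of the scheme from the question with the challenge computed either as $H(K \mathbin\| X \mathbin\| m)$ or as the unbound $H(K \mathbin\| m)$, and runs the related-key step from the answer through both: the shifted signature $r_2 = r_1 + bc$ verifies under signer 2's key only when $X$ is left out of the hash. The choice of secp256k1 for the group, SHA-256 for $H$, and the names `sign`, `verify`, `shift_signature` and `demo` are my own assumptions, not the page's.

```python
import hashlib, secrets
# secp256k1 constants (the real curve); everything else is constructed for this demo.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None      # A == -B
    if A == B: lam = 3 * A[0] ** 2 * pow(2 * A[1], -1, P) % P     # tangent slope
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P      # chord slope
    x = (lam * lam - A[0] - B[0]) % P
    return x, (lam * (A[0] - x) - A[1]) % P

def mul(k, A):
    """Double-and-add k*A (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(K, X, m, bind_key):
    """c = H(K || X || m) with key binding, else the weaker c = H(K || m)."""
    enc = lambda A: A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")
    data = enc(K) + (enc(X) if bind_key else b"") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def sign(x, m, bind_key):
    k = secrets.randbelow(N - 1) + 1                       # uniformly random nonce
    K = mul(k, G)
    return K, (k - challenge(K, mul(x, G), m, bind_key) * x) % N   # (K, r = k - c*x)
def verify(X, m, sig, bind_key):
    K, r = sig
    return add(mul(r, G), mul(challenge(K, X, m, bind_key), X)) == K   # rG + cX == K ?
def shift_signature(sig, b, m):
    """Related-key step from the answer: knowing only b = x1 - x2, turn signer 1's
    (K, r1) into (K, r1 + b*c) for signer 2, with c taken as the unbound scheme does."""
    K, r1 = sig
    return K, (r1 + b * challenge(K, None, m, False)) % N
def demo(m=b"constructed message"):
    """Returns {bind_key: (honest sig verifies for X1, shifted sig verifies for X2)}."""
    x2, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    X1, X2 = mul((x2 + b) % N, G), mul(x2, G)              # X1 = X2 + bG
    out = {}
    for bind in (False, True):
        sig1 = sign((x2 + b) % N, m, bind)
        out[bind] = (verify(X1, m, sig1, bind), verify(X2, m, shift_signature(sig1, b, m), bind))
    return out
```

`demo()` returns `{False: (True, True), True: (True, False)}`: the honest signature verifies either way, while the shifted one is accepted for $X_2$ only by the unbound verifier.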
