Join Log in
Score:2
Pat Niemeyer avatar Crypto

Question about alternative formulation of the Schnorr signature…

kn flag
Pat Niemeyer

Using the notation from the Wikipedia article: https://en.wikipedia.org/wiki/Schnorr_signature, the Schnorr signature mixes the random value $k$ and the hash $e$ like this:

$$s = k - xe$$

(Where $x$ is the private key scalar)

My question is: What would be the problem with reversing the two scalars like this:

$$s = e - xk$$

And the recovering the hash in the point domain directly like this:

$$e_v = sG + ky$$

(Where $G$ is the generator, $y$ is the signer’s public key point, and the signature is valid if: $e_v == eG$)

I’m sure that there is a reason it’s done the other way, but I’d be curious if there is an obvious problem with the above. It seems more direct to me but perhaps that is the issue somehow.

EDIT: As Daniel S. immediately pointed out, I was neglecting that the random scalar k must be secret and therefore cannot be used in verification. Embarrassing mistake... I knew there was one :)

87
2 + 3
Maarten Bodewes avatar
in flag
Maarten Bodewes
I've converted your formulas to MathJAX / $\LaTeX$, please have a look if everything is still correct. If you want you can use `\cdot` for (point) multiplication (use the [edit] button to change your question $\cdot$ ).
1
Reply
Daniel S avatar
ru flag
Daniel S
Your verification process requires the verifier to know $k$ which is supposed to be secret. If you reveal $e$, $s$ and $k$, then anyone can calculate the $x$ by $x=(k-s)/e\pmod\ell$ where $\ell$ is the group order.
2
Reply
Pat Niemeyer avatar
kn flag
Pat Niemeyer
Ah, of course! Thank you! This is one case where the capital letter notation for points would have saved me from making a dumb mistake :)
0
Reply
Score:1
kodlu avatar Crypto
sa flag
kodlu

Since $e$ is known, an attacker could try various random values $k_i$ and via $$ e_i-e_j=(s-x k_i)-(s-x k_j)=s(k_i-k_j) :=s \delta_{ij} $$ obtain a number of relations that $s$ satisfies since they can choose the exact $\delta_{ij}.$ These relations could then be utilized to obtain nontrivial information on the secret $s,$ or even be used to solve for $s.$

+ 1
Pat Niemeyer avatar
kn flag
Pat Niemeyer
Thanks. Even though my mistake was actually more fundamental, I see your more general point about how information about $k$ over several iterations could weaken the secret $x$.
0
Reply
Score:-1
Vadym Fedyukovych avatar Crypto
in flag
Vadym Fedyukovych

Welcome to the community.

Signature is not about mixing a random with a challenge. Signature means security proven first, implemented after. How would you prove your scheme? Prof Schnorr did his homework for his scheme.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.