Score:2

Elliptic Curve digital signature algorithm without "hashing to point"?


Through "Why do we need to convert hashes to points on an elliptic curve?", I found out why Hashing to Point is necessary.

However, can the algorithm below sign and verify without Hashing to Point?

  • $a$ is secret key
  • $H$ is scalar hash function

Sign:

  • $k = random (mod\ r)$
  • $r = kG_2$
  • $s = a (H(m||r) + k)$ : If you don't know $k$, you won't know $a$. Also, both $m$ and $r$ are hashed to prevent tampering.

Verify:

  • $e(G_1, sG_2) == e(aG_1, r + H(m||r)G_2)$
  • So $e(G_1, G_2)^{a(H(m||r) + k)} == e(G_1, G_2)^{a(k + H(m||r))}$

If these methods weren't used before, why would they?

Would that be more inefficient than finding a Point with a Hash?

Or maybe it's not safe?

fgrieu:
Many common Elliptic Curve digital signature algorithms (ECDSA, EdDSA…) do without "hashing to point". Therefore I have assumed that this question is about a variant of BLS signature, and re-tagged it accordingly, as I did for the [previous one](https://crypto.stackexchange.com/q/104182/555). This important fact about the context is worth being made explicit in the question.
Ievgeni:
What is $random(mod\ r)$?
user212942:
It was meant to generate a random value within the range of field r. In fact, mod is omitted after the first line.
poncho:
I'm just curious; what advantage would this have over, say, a Schnorr signature? It's larger, slower to generate, slower to verify (given that known pairing-friendly curves are larger than standard curves of the same security strength).
Richard Thiessen:
Pairing signatures are usually used because the signatures are smaller (1 group element). This is only possible because DDH is easy in pairing groups, which is how verification works at all. You need hash to curve so the input point's discrete log is unknown (i.e., the random oracle chooses the input point); otherwise there's no way to get a signature scheme that can sign an arbitrary number of messages. If you're willing to make the signatures larger (1 scalar or group element + 128 bits) then compact Schnorr signatures work with only "hash to scalar".
Score:0

This scheme feels similar to the Sakai-Kasahara identity-based scheme and I can't immediately see a security issue.

The reason that BLS signatures and their hash-to-curve approach are preferred is due to the signature size. A BLS signature can be represented using a single point of $G_1$ whereas your scheme requires both a point on $G_2$ and a scalar multiple (it's a simple matter to make this a point on $G_1$ and a scalar, but this would still be several hundred bits larger than a BLS signature). There are also other useful features for BLS such as aggregated verification.

If one is not too worried about signature size and other bells and whistles, then ECDSA and EdDSA signatures are generally considered more efficient signature schemes than pairing-based schemes in terms of both signing and verification. They too do not use hash-to-point.
