Score:2

Why do Schnorr signatures use H(R||m) instead of H(m)?


The Schnorr signature scheme was defined originally as $(c, s)$ such that $sG = R + cX$, and the verification process consisted of computing $R = sG - cX$ and then verifying that $c = H(R||m)$, so using only $H(m)$ would not have worked for verification. However, in the verification process of the Schnorr signature variant $(R, s)$, we first compute $c = H(R||m)$ and then verify that $R = sG - cX$. If we replace $c = H(R||m)$ with $c = H(m)$, the verification process is not affected. I guess that using $c = H(m)$ is not secure for the Schnorr scheme, but I wonder why.

Note: For example, in the ECDSA scheme $s = k^{-1}(H(m) + dr)$, the hash consists only of $H(m)$.

Score:4

In your second scheme, the signature $(R,s)$ is verified as $R\overset{?}{=} sG-cX$.

If $c$ does not involve $R$, then you could forge a signature by picking a random $s$ value and calculating $R=sG+cX$, where $c=H(m)$. Therefore, it does matter that $c$ is calculated as $c=H(R\mathbin\| m)$.

With ECDSA, the x-coordinate of a point performs the same function as a hash in the Schnorr signature. This is because the x-coordinate is unpredictable. If I give you a random x-coordinate value, you won't be able to efficiently find a scalar value $a$ such that the point $aG$ has that x-coordinate.

You can therefore think of an ECDSA signature as:

$(c,s) = \biggl(H_2(R),\ \frac{H(m)\ +\ H_2(R)x}{r}\biggr)$, where $H_2(P)$ means to extract the x-coordinate of the point P.

It is verified as $c \overset{?}{=} H_2\biggl(\frac{H(m)G\ +\ cX}{s}\biggr)$

As you can see, ECDSA does have a cryptographically secure one-way function that involves $R$.

Score:2

The scheme is completely insecure: $c = H(m)$ does not constrain $R, m, X$ in a way that only the owner of the secret key can satisfy.

To forge a signature $(R, s)$, choose an arbitrary $s$, then set $R = sG - cX$. This passes verification for $c = H(m)$ even when we don't know the secret key.

poncho:
You might want to answer the obvious followup question: "why then is ECDSA secure??"
Marc Ilunga:
@poncho Oops, I forgot that part of the question. But the other answer does a good job of answering that part.