Schnorr signature with adding instead of multiplying

Vasilii Rogin

7/28/24, 7:15 PM

I am reading about Schnorr signature (for example, from BIP-340) and I thought, what if we add instead of multiplying for $s$? So, in the signing process it will be s = r + e + d mod n instead of s = r + e*d mod n. Verification will be the similar: calculate $s*G$ and compare it to $r*G + e*G + P$ instead of $r*G + e*P$.

$(r*G,s)$ is signature, $d$ is private key, $P$ is public key, $r$ is random value, $e = hash(r*G, P, message)$

Probably I am missing something obvious but I still did not get why it will be less secure. Signer shows that he knows the discrete logarithm of something for which he needs to know the private key.

1 + 0

schnorr-signature

Score:1

Crypto

poncho

7/28/24, 7:29 PM

With your modified signature scheme, you can generate forgeries with a single valid signature.

Let us assume you have a valid signature $(rG, s)$ to a message with hash $e$. That is, you have $sG = rG + eG + P$.

Then, if you have another message with hash $e'$ (with the same $r$), you can compute $s' = s - e + e'$; the new signature is $(rG, s')$

This validates, as $s'G = (s - e + e')G = sG - eG + e'G = (rG + eG + P) - eG + e'G = rG + e'G + P$

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Schnorr signature with adding instead of multiplying

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.