Paper 2015/509

A flaw in a theorem about Schnorr signatures

Daniel R. L. Brown

Abstract

An alleged theorem of Neven, Smart and Warinschi (NSW) about the security of Schnorr signatures seems to have a flaw described in this report. Schnorr signatures require representation of an element in a discrete logarithm group as a hashable bit string. This report describes a defective bit string representation of elliptic curve points. Schnorr signatures are insecure when used with this defective representation. Nevertheless, the defective representation meets all the conditions of the NSW theorem. Of course, a natural representation of an elliptic curve group element would not suffer from this major defect. So, the NSW theorem can probably be fixed.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Schnorr signaturesprovable security
Contact author(s)
dbrown @ certicom com
History
2015-05-27: received
Short URL
https://ia.cr/2015/509
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/509,
      author = {Daniel R.  L.  Brown},
      title = {A flaw in a theorem about Schnorr signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2015/509},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/509}},
      url = {https://eprint.iacr.org/2015/509}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.