What's the reason your pubkey is included in the commitment in Schnorr? s = r + H(X,R,m)x, but wouldn't it be just as secure if it were s = r + H(R,m)x?
Answers would be greatly appreciated
@pwuille @gregoryneven @oleganza
-
-
Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?
-
The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.
-
Sure, with key prefixing, multi-user security is implied tightly by single-user security. But single-user security for Schnorr is still under DL in ROM with Qh loss. So final security statement remains the same, with or without key prefixing.
-
No. The ROM proofs for Schnorr signatures are too weak to be useful. The _real_ argument for security is that some cryptanalysts have tried and failed to break the system. But how many cryptanalysts have tried attacking multiple Schnorr users? Key prefixing answers this question.
-
Interesting viewpoint. Ultimately, the security of every scheme relies on people having tried to break it and failed. But in this instance, isn't the ROM proof really telling us that a break in the signature scheme must be due to a hash function break or DL break?
-
Even if we assume that the best DL algorithms cost 2^128, a cost-2^64 generic-hash attack against the Schnorr signature system would not contradict any of the ROM theorems that I've seen supposedly proving security of the system. It's important to read what the theorems say.