hashbreaker's profile
Daniel J. Bernstein
@hashbreaker
Chicago, Illinois
cr.yp.to/djb.html
Joined July 2009

Tweets

    1. Calvin Kim @kcalvinalvinn Oct 9

      What's the reason why your pubkey is included in the commitment in Schnorr? s = r + H(X,R,m)x but wouldn't it be just as secure if it was s = r + H(R,m)x? Answers would be greatly appreciated @pwuille @gregoryneven @oleganza

      5 replies 2 retweets 9 likes
    2. Gregory Neven @gregoryneven Oct 9
      Replying to @kcalvinalvinn @pwuille @oleganza

      When used as a non-interactive zero-knowledge (NIZK) proof of knowledge in a setting where the same hash function is used to prove different statements, one must include the statement (verification eq) in the hash, so that forking guarantees two proofs for the *same* statement.

      2 replies 1 retweet 5 likes
    3. Gregory Neven @gregoryneven Oct 9
      Replying to @gregoryneven @kcalvinalvinn and

      When used as a signature scheme, there has been some back-and-forth about the effect of key prefixing on reduction tightness in the multi-user setting. Latest conclusion is that there is no effect: https://eprint.iacr.org/2016/191.pdf  by @crypto_theory et al.

      1 reply 0 retweets 3 likes
    4. Calvin Kim @kcalvinalvinn Oct 9
      Replying to @gregoryneven @pwuille and

      So for signature schemes, the inclusion of pubkey is just to be safe? Could we technically remove it and still have the same security?

      1 reply 0 retweets 1 like
    5. Gregory Neven @gregoryneven Oct 9
      Replying to @kcalvinalvinn @pwuille and

      Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (https://ed25519.cr.yp.to/multischnorr-20151012.pdf …), but https://eprint.iacr.org/2016/191  proved that it is unnecessary.

      3 replies 0 retweets 3 likes
    6. Daniel J. Bernstein @hashbreaker Oct 10
      Replying to @gregoryneven @kcalvinalvinn and

      Not true. https://eprint.iacr.org/2016/191  makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)

      1 reply 0 retweets 4 likes
    7. Gregory Neven @gregoryneven Oct 10
      Replying to @hashbreaker @kcalvinalvinn and

      Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?

      1 reply 0 retweets 5 likes
    8. Daniel J. Bernstein @hashbreaker Oct 11
      Replying to @gregoryneven @kcalvinalvinn and

      The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.

      1 reply 0 retweets 3 likes
    9. Gregory Neven @gregoryneven Oct 11
      Replying to @hashbreaker @kcalvinalvinn and

      Sure, with key prefixing, multi-user security is implied tightly by single-user security. But single-user security for Schnorr is still under DL in ROM with Qh loss. So final security statement remains the same, with or without key prefixing.

      1 reply 0 retweets 3 likes
      Daniel J. Bernstein @hashbreaker Oct 11
      Replying to @gregoryneven @kcalvinalvinn and

      No. The ROM proofs for Schnorr signatures are too weak to be useful. The _real_ argument for security is that some cryptanalysts have tried and failed to break the system. But how many cryptanalysts have tried attacking multiple Schnorr users? Key prefixing answers this question.

      6:38 PM - 11 Oct 2018
      3 replies 0 retweets 1 like
        1. New conversation
        2. Pieter Wuille @pwuille Oct 11
          Replying to @hashbreaker @gregoryneven and

          Interesting viewpoint. Ultimately, the security of every scheme relies on people having tried to break it and failed. But in this instance, isn't the ROM proof really telling us that a break in the signature scheme must be due to a hash function break or DL break?

          2 replies 0 retweets 5 likes
        3. Daniel J. Bernstein @hashbreaker Oct 11
          Replying to @pwuille @gregoryneven and

          Even if we assume that the best DL algorithms cost 2^128, a cost-2^64 generic-hash attack against the Schnorr signature system would not contradict any of the ROM theorems that I've seen supposedly proving security of the system. It's important to read what the theorems say.

          0 replies 0 retweets 4 likes
        4. End of conversation
        1. New conversation
        2. Gregory Neven @gregoryneven Oct 12
          Replying to @hashbreaker @kcalvinalvinn and

          I agree that a tight non-ROM proof for Schnorr would be much better than a non-tight ROM proof. But in absence of that, a non-tight ROM proof is still strongly preferable (and useful) over no proof at all.

          1 reply 0 retweets 1 like
        3. Daniel J. Bernstein @hashbreaker Oct 12
          Replying to @gregoryneven @kcalvinalvinn and

          The question at hand isn't whether the non-tight ROM proof is useless. The question is whether it's so strong that it justifies skipping key prefixing. The answer is no: key prefixing _eliminates_ multi-target attacks as a concern for auditors, while the non-tight proof doesn't.

          0 replies 0 retweets 0 likes
        4. End of conversation
        1. Gregory Neven @gregoryneven Oct 12
          Replying to @hashbreaker @kcalvinalvinn and

          Well, but by that reasoning, we should probably just stick to DSA: most likely, more people have tried breaking DSA than Schnorr. First, because it's more widely used, and second, because DSA doesn't have a security proof that discourages potential attackers from trying.

          0 replies 0 retweets 0 likes
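The two challenge variants from the opening question, s = r + H(X,R,m)x versus s = r + H(R,m)x, and the multi-user point Bernstein makes later in the thread, as an added Python example. This is not code from the thread or from any of its participants. It assumes a toy prime-order subgroup of Z_p^* generated at import time (a 64-bit safe prime, constructed here and far too small for real use) in place of an elliptic curve, SHA-256 reduced mod q as the hash H, and a nonce derived deterministically from the secret key and message; the function names (challenge, keygen, sign, verify, distinct_challenges) are this example's own.

```python
"""Toy Schnorr over a prime-order subgroup of Z_p^*, with and without key
prefixing.  Added illustration, not code from the thread or its participants;
the group is generated here and is far too small for real use."""
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Miller-Rabin; deterministic for n < 3e23 with these twelve bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(bits):
    """First safe prime p = 2q + 1 with q >= 2**(bits-1).  g = 4 is a
    quadratic residue, hence a generator of the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = _safe_prime_group(64)   # constructed toy parameters, not a real group


def _h(tag, *parts):
    """Hash a domain tag plus length-prefixed integers to a value in [0, Q)."""
    hh = hashlib.sha256(tag)
    for v in parts:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        hh.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(hh.digest(), "big") % Q


def challenge(X, R, m, key_prefixed):
    """e = H(X, R, m) with key prefixing, e = H(R, m) without."""
    return _h(b"chal", X, R, m) if key_prefixed else _h(b"chal", R, m)


def keygen(x):
    """Public key X = G^x for a secret scalar x in [1, Q)."""
    assert 0 < x < Q
    return pow(G, x, P)


def sign(x, m, key_prefixed):
    """Return (R, s) with s = r + e*x mod Q.  The nonce r is derived from
    (x, m), so runs are reproducible and a nonce is never reused across
    distinct messages."""
    X = keygen(x)
    r = _h(b"nonce", x, m) or 1
    R = pow(G, r, P)
    e = challenge(X, R, m, key_prefixed)
    return R, (r + e * x) % Q


def verify(X, m, sig, key_prefixed):
    """Check G^s == R * X^e mod P.  X is bound by the verification equation
    in both variants; key prefixing additionally feeds X into e."""
    R, s = sig
    if not (1 <= R < P and 0 <= s < Q):
        return False
    e = challenge(X, R, m, key_prefixed)
    return pow(G, s, P) == R * pow(X, e, P) % P


def distinct_challenges(keys, R, m, key_prefixed):
    """Number of distinct challenges a fixed (R, m) produces across `keys`.
    Without key prefixing it is always 1: one hash evaluation yields the
    challenge for every public key at once.  With key prefixing each key
    gets its own challenge, the structural property behind the N-user
    argument in the thread."""
    return len({challenge(X, R, m, key_prefixed) for X in keys})


if __name__ == "__main__":
    x1, x2 = 123456789, 987654321
    X1, X2 = keygen(x1), keygen(x2)
    for kp in (True, False):
        sig = sign(x1, 0xCAFE, kp)
        print(f"key_prefixed={kp}: own key {verify(X1, 0xCAFE, sig, kp)}, "
              f"other key {verify(X2, 0xCAFE, sig, kp)}")
    keys = [keygen(i) for i in range(1, 21)]
    R = pow(G, 7, P)
    print("distinct challenges, no prefix:", distinct_challenges(keys, R, 1, False))
    print("distinct challenges, prefixed:", distinct_challenges(keys, R, 1, True))
```

Both variants verify under the signer's key and reject other keys and other messages, since X enters the verification equation either way. What distinct_challenges shows is the difference that the rest of the thread argues about: without key prefixing a single hash evaluation of (R, m) is the challenge for all N public keys simultaneously, while with key prefixing every key gets its own challenge, which is what lets an auditor discount multi-target concerns by inspection rather than by appeal to a non-tight proof. The example illustrates the structure only; it is not a proof of either side's position.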