What's the reason why your pubkey is included in the commitment in Schnorr? s = r + H(X,R,m)x but wouldn't it be just as secure if it was s = r + H(R,m)x?
Answers would be greatly appreciated
@pwuille @gregoryneven @oleganza
Interesting viewpoint. Ultimately, the security of every scheme relies on people having tried to break it and failed. But in this instance, isn't the ROM proof really telling us that a break in the signature scheme must be due to a hash function break or DL break?
Even if we assume that the best DL algorithms cost 2^128, a cost-2^64 generic-hash attack against the Schnorr signature system would not contradict any of the ROM theorems that I've seen supposedly proving security of the system. It's important to read what the theorems say.
End of conversation
New conversation
I agree that a tight non-ROM proof for Schnorr would be much better than a non-tight ROM proof. But in absence of that, a non-tight ROM proof is still strongly preferable (and useful) over no proof at all.
The question at hand isn't whether the non-tight ROM proof is useless. The question is whether it's so strong that it justifies skipping key prefixing. The answer is no: key prefixing _eliminates_ multi-target attacks as a concern for auditors, while the non-tight proof doesn't.
End of conversation
New conversation
Well, but by that reasoning, we should probably just stick to DSA: most likely, more people have tried breaking DSA than Schnorr. First, because it's more widely used, and second, because DSA doesn't have a security proof that discourages potential attackers from trying.
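The concrete thing key prefixing buys, as an added example that is not part of any tweet above: without the public key in the hash, a valid signature (R, s) on m under key X is turned into a valid signature on the same m under the related key X' = X + aG by anyone who knows a, because the challenge e = H(R, m) does not change; with e = H(X, R, m) the verifier's challenge for X' differs and the same trick fails. The code below is pure-Python secp256k1 arithmetic (the group constants are the standard ones; affine point arithmetic and the 64-byte point encoding are this example's own choices), with a constructed test key, message and offset a.

```python
"""Schnorr signatures with and without key prefixing on secp256k1.

Added example, not code from the thread. Demonstrates the related-key
property: s' = s + e*a is a valid signature under X' = X + aG when the
challenge omits the public key, and is rejected when it includes it.
"""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def enc(pt):
    """Uncompressed 64-byte encoding x||y (this example's own encoding)."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(X, R, m, key_prefixed):
    """e = H(X,R,m) mod n if key_prefixed else e = H(R,m) mod n."""
    data = (enc(X) if key_prefixed else b"") + enc(R) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(x, m, key_prefixed):
    """Schnorr signature (R, s) with s = r + e*x mod n."""
    X = mul(x, G)
    r = secrets.randbelow(N - 1) + 1     # nonce in [1, n-1]
    R = mul(r, G)
    e = challenge(X, R, m, key_prefixed)
    return (R, (r + e * x) % N)


def verify(X, m, sig, key_prefixed):
    """Check s*G == R + e*X."""
    R, s = sig
    e = challenge(X, R, m, key_prefixed)
    return mul(s, G) == add(R, mul(e, X))


def related_key_forgery(X, m, sig, a, key_prefixed):
    """Attacker knows only X, m, (R, s) and the offset a of their choosing.

    Returns X' = X + a*G and the candidate signature (R, s + e*a), where e is
    the challenge the original signer used. Valid under X' exactly when the
    verifier's challenge for X' equals that e, i.e. when there is no key prefix.
    """
    R, s = sig
    X2 = add(X, mul(a, G))
    e = challenge(X, R, m, key_prefixed)
    return X2, (R, (s + e * a) % N)


def demo(key_prefixed):
    """Returns (honest signature verifies, related-key forgery verifies)."""
    x = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    m = b"constructed message: pay 1 coin to alice"
    X = mul(x, G)
    sig = sign(x, m, key_prefixed)
    honest_ok = verify(X, m, sig, key_prefixed)
    X2, forged = related_key_forgery(X, m, sig, a=7, key_prefixed=key_prefixed)
    return honest_ok, verify(X2, m, forged, key_prefixed)


if __name__ == "__main__":
    print("H(R,m):   honest, forged =", demo(False))   # (True, True)
    print("H(X,R,m): honest, forged =", demo(True))    # (True, False)
```

The forgery needs no knowledge of x, and the attacker picks a, so any scheme that derives keys additively from a base key (or that lets an attacker register X + aG) inherits it unless the challenge binds X. That is the auditing point: with key prefixing the property is simply absent, rather than argued away by a proof with loose bounds.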