When used as a non-interactive zero-knowledge (NIZK) proof of knowledge in a setting where the same hash function is used to prove different statements, one must include the statement (verification eq) in the hash, so that forking guarantees two proofs for the *same* statement.
Replying to @gregoryneven @kcalvinalvinn and
When used as a signature scheme, there has been some back-and-forth about the effect of key prefixing on reduction tightness in the multi-user setting. Latest conclusion is that there is no effect: https://eprint.iacr.org/2016/191.pdf by @crypto_theory et al.
Replying to @gregoryneven @pwuille and
So for signature schemes, the inclusion of pubkey is just to be safe? Could we technically remove it and still have the same security?
Replying to @kcalvinalvinn @pwuille and
Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (https://ed25519.cr.yp.to/multischnorr-20151012.pdf …), but https://eprint.iacr.org/2016/191 proved that it is unnecessary.
Replying to @gregoryneven @kcalvinalvinn and
Not true. https://eprint.iacr.org/2016/191 makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)
Replying to @hashbreaker @kcalvinalvinn and
Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?
Replying to @gregoryneven @kcalvinalvinn and
The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.
Replying to @hashbreaker @kcalvinalvinn and
Sure, with key prefixing, multi-user security is implied tightly by single-user security. But single-user security for Schnorr is still under DL in ROM with Qh loss. So final security statement remains the same, with or without key prefixing.
Replying to @gregoryneven @kcalvinalvinn and
No. The ROM proofs for Schnorr signatures are too weak to be useful. The _real_ argument for security is that some cryptanalysts have tried and failed to break the system. But how many cryptanalysts have tried attacking multiple Schnorr users? Key prefixing answers this question.
Replying to @hashbreaker @gregoryneven and
Interesting viewpoint. Ultimately, the security of every scheme relies on people having tried to break it and failed. But in this instance, isn't the ROM proof really telling us that a break in the signature scheme must be due to a hash function break or DL break?
Even if we assume that the best DL algorithms cost 2^128, a cost-2^64 generic-hash attack against the Schnorr signature system would not contradict any of the ROM theorems that I've seen supposedly proving security of the system. It's important to read what the theorems say.