When used as a non-interactive zero-knowledge (NIZK) proof of knowledge in a setting where the same hash function is used to prove different statements, one must include the statement (verification eq) in the hash, so that forking guarantees two proofs for the *same* statement.
Replying to @gregoryneven @kcalvinalvinn and
When used as a signature scheme, there has been some back-and-forth about the effect of key prefixing on reduction tightness in the multi-user setting. Latest conclusion is that there is no effect: https://eprint.iacr.org/2016/191.pdf by @crypto_theory et al.
Replying to @gregoryneven @pwuille and
So for signature schemes, the inclusion of pubkey is just to be safe? Could we technically remove it and still have the same security?
Replying to @kcalvinalvinn @pwuille and
Short answer: no need for pubkey inclusion in Schnorr sigs, even to be safe. It was thought to have effect on tightness in multi-user security (https://ed25519.cr.yp.to/multischnorr-20151012.pdf …), but https://eprint.iacr.org/2016/191 proved that it is unnecessary.
Replying to @gregoryneven @kcalvinalvinn and
Not true. https://eprint.iacr.org/2016/191 makes assumptions that are stronger and that have been less studied by cryptanalysts. Including the public key in the hash gives a multi-user security proof from _standard_ assumptions. (Side benefits: simpler, and quantitatively a bit stronger.)
Replying to @hashbreaker @kcalvinalvinn and
Which assumptions do you mean, exactly? They prove Schnorr without key prefixing secure under DL in the ROM, with tightness loss of Qh. That's pretty much as good as one could hope for, right? Or am I missing something?
Replying to @gregoryneven @kcalvinalvinn and
The chance of breaking 1 of N signature users with key prefixing is at most the chance of breaking a targeted user in the original system. Simple; tight; real H, not ROM; eliminates concerns about multi-user attacks. Theorems without key prefixing have questionable assumptions.
Replying to @hashbreaker @kcalvinalvinn and
Sure, with key prefixing, multi-user security is implied tightly by single-user security. But single-user security for Schnorr is still under DL in ROM with Qh loss. So final security statement remains the same, with or without key prefixing.
Replying to @gregoryneven @kcalvinalvinn and
No. The ROM proofs for Schnorr signatures are too weak to be useful. The _real_ argument for security is that some cryptanalysts have tried and failed to break the system. But how many cryptanalysts have tried attacking multiple Schnorr users? Key prefixing answers this question.
Replying to @hashbreaker @kcalvinalvinn and
I agree that a tight non-ROM proof for Schnorr would be much better than a non-tight ROM proof. But in absence of that, a non-tight ROM proof is still strongly preferable (and useful) over no proof at all.
The question at hand isn't whether the non-tight ROM proof is useless. The question is whether it's so strong that it justifies skipping key prefixing. The answer is no: key prefixing _eliminates_ multi-target attacks as a concern for auditors, while the non-tight proof doesn't.
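The thread argues about what the proofs do or do not justify; the following is an added example (not code from any participant) that shows concretely what "key prefixing" changes in a Schnorr signature and one property that only the prefixed variant has. The unprefixed challenge is e = H(R || m) and the prefixed one is e = H(R || P || m), the signature case of the point made at the top of the thread (put the statement being proven into the hash). Because s*G = R + e*P, anyone who knows a valid (R, s) for P and an offset t with P' = P + t*G can output (R, s + e*t), which satisfies the unprefixed verification equation for P' on the same message; with the public key in the hash the verifier recomputes a different e for P' and the transferred signature fails. Assumptions in this example: secp256k1 is used as the group (the thread names no curve), points are encoded as x || y, and the nonce is derived deterministically from the key and message purely so the output is reproducible (this is not RFC 6979 or BIP 340 nonce derivation). The key and message are constructed test values.

```python
# Added example, not from the thread: Schnorr over secp256k1 with and without key
# prefixing, and the related-key transfer that prefixing blocks.
import hashlib

# secp256k1 parameters (assumed here as the group; the thread names no curve).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % p == 0  # sanity check: G lies on y^2 = x^3 + 7


def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def enc(P):
    """64-byte x || y encoding; an encoding choice made for this example."""
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")


def challenge(R, P, msg, prefixed):
    """e = H(R || msg), or with key prefixing e = H(R || P || msg), reduced mod n."""
    data = enc(R) + (enc(P) if prefixed else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(x, msg, prefixed):
    P = mul(x, G)
    # Deterministic nonce from (x, msg) so the example is reproducible; this is a
    # simplification for the example, not RFC 6979 or BIP 340 nonce derivation.
    k = int.from_bytes(hashlib.sha256(x.to_bytes(32, "big") + msg).digest(), "big") % n
    R = mul(k, G)
    e = challenge(R, P, msg, prefixed)
    return (R, (k + e * x) % n)


def verify(P, msg, sig, prefixed):
    R, s = sig
    e = challenge(R, P, msg, prefixed)
    return mul(s, G) == add(R, mul(e, P))


def transfer_to_related_key(P, msg, sig, t, prefixed):
    """Attacker move: given (R, s) valid for P and a known tweak t with P' = P + t*G,
    output (P', (R, s + e*t)). Since s*G = R + e*P, also (s + e*t)*G = R + e*P'.
    The verifier accepts this only if it recomputes the same e for P', i.e. when
    the public key is not in the hash."""
    R, s = sig
    e = challenge(R, P, msg, prefixed)  # e as computed for the original key P
    P2 = add(P, mul(t, G))
    return P2, (R, (s + e * t) % n)


def demo(prefixed):
    """Returns (honest signature verifies, transferred signature verifies under P')."""
    x = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed key
    msg = b"constructed message"
    P = mul(x, G)
    sig = sign(x, msg, prefixed)
    P2, sig2 = transfer_to_related_key(P, msg, sig, t=7, prefixed=prefixed)
    return verify(P, msg, sig, prefixed), verify(P2, msg, sig2, prefixed)


if __name__ == "__main__":
    print("no prefix:", demo(prefixed=False))  # (True, True): signature transfers to P'
    print("prefixed: ", demo(prefixed=True))   # (True, False): transfer is rejected
```

Running the block prints `(True, True)` for the unprefixed variant and `(True, False)` for the prefixed one. The transfer only needs the discrete log of the offset between the two keys, which is exactly the situation with additively tweaked or derived keys, so this is a concrete check an auditor can run against any Schnorr-style scheme that omits the key from the hash, independent of the tightness question debated above.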