Isn't this just a wasteful Schnorr? You don't have to send both X0 and X1 since given X0, X1 is uniquely determined. So if you don't send X1 you are back to binary challenge Schnorr.
Replying to twitter.com/CouteauGeoffro
Well, I don't know about "just", but you're right in that it certainly leads down that road
Quote Tweet
Replying to @cronokirby and @Ivan__Visconti
actually you don't even need to do that, just pick a random x0 and send only g^x0, the g^x1 part can be homomorphically computed from the public information anyway. Then it's back to being plain ol' Schnorr, but with bit challenges
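Both posts above end up at "plain Schnorr with bit challenges", and the cost of that reduction is easy to see in code. The following is an added example, not code from anyone in this thread: a Schnorr identification round over a constructed toy group (p = 1019, q = 509, g = 4, chosen only for readability), with an honest prover and a prover who knows no secret but guesses the challenge in advance. The guessing prover passes exactly when the guess matches, so a 1-bit challenge gives it a 1/2 success chance per round while a wider challenge space shrinks that to 1/2^bits; the exhaustive count at the end makes the comparison concrete.

```python
import secrets

# Constructed toy parameters (NOT secure sizes; real deployments use ~256-bit
# prime-order groups). p = 2q + 1 is a safe prime and g = 4 generates the
# subgroup of order q in Z_p^*.
P, Q, G = 1019, 509, 4


def keygen():
    """Secret x in [1, q-1] and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove_commit():
    """Prover's first message: t = g^r for a fresh random nonce r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prove_respond(x, r, c):
    """Prover's answer to challenge c: s = r + c*x mod q."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def honest_round(x, y, challenge_bits):
    """One complete honest run with a random challenge of the given width."""
    r, t = prove_commit()
    c = secrets.randbelow(2 ** challenge_bits)  # verifier's challenge
    s = prove_respond(x, r, c)
    return verify(y, t, c, s)


def cheating_round(y, guess, c):
    """Prover without x that bets the challenge will be `guess`.

    It picks s first and back-computes t = g^s * y^(-guess), which satisfies the
    verification equation for challenge `guess` only. The actual challenge c is
    then applied; this succeeds iff c == guess.
    """
    s = secrets.randbelow(Q)
    y_inv = pow(y, P - 2, P)  # modular inverse of y (p is prime)
    t = (pow(G, s, P) * pow(y_inv, guess, P)) % P
    return verify(y, t, c, s)


def guessing_prover_success(y, challenge_bits):
    """Exhaustive fraction of challenges on which a fixed guess of 0 passes."""
    space = 2 ** challenge_bits
    wins = sum(cheating_round(y, 0, c) for c in range(space))
    return wins / space


if __name__ == "__main__":
    x, y = keygen()
    print("honest, 1-bit challenge:", honest_round(x, y, 1))
    print("honest, 8-bit challenge:", honest_round(x, y, 8))
    print("guessing prover, 1-bit challenge:", guessing_prover_success(y, 1))
    print("guessing prover, 8-bit challenge:", guessing_prover_success(y, 8))
```

The soundness error of a single bit-challenge round is therefore 1/2, and matching the guarantee of one round with a k-bit challenge costs k sequential bit-challenge rounds, each carrying its own commitment and response. That is the sense in which the protocol in the first post is a "wasteful" Schnorr: it spends a full commitment on a challenge that conveys one bit.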
P.S. The "just" wasn't meant to be dismissive. This is exactly the type of exploration I encourage my graduate students to do ... ok this works but why this way? Is there a different way? Is it better? Worse? Equivalent? Etc.
I think too few people ask *why* these protocols work. They’re just handed to us on a platter.
(Unrelated to this, I would however be very interested in the design process that led to [EC]DSA.)
Specifically, did NSA have a generic group analysis for the protocol? Did they just throw things at the wall until they couldn't break it?
DSA was designed just before we knew how to do things properly. That was the problem. Big mistake was not standardizing Schnorr earlier (first was ISO I think, and very late). Result: too much DSA around even now.
But DSA was based on Schnorr/Elgamal, which had a clear security rationale. What was the rationale for DSA?
DSA was designed because Schnorr was patented as an alternative. (This is information from a good source.)
The complicated inverse and so on was specifically included so that it wouldn’t infringe on the patent. One could say that we didn’t know how to do it back then, but 30 years later it’s still not broken so I’d say that with all of its problems, it’s an impressive construction.
In 2019 I did a talk about ECDSA, Schnorr patents and how even Ed25519 managed to mess things up.
@ 1:47:34