Cryptology ePrint Archive: Report 2015/509

A flaw in a theorem about Schnorr signatures

Daniel R. L. Brown

Abstract: An alleged theorem of Neven, Smart and Warinschi (NSW) about the security of Schnorr signatures seems to have a flaw described in this report.

Schnorr signatures require representation of an element in a discrete logarithm group as a hashable bit string. This report describes a defective bit string representation of elliptic curve points. Schnorr signatures are insecure when used with this defective representation. Nevertheless, the defective representation meets all the conditions of the NSW theorem.

Of course, a natural representation of an elliptic curve group element would not suffer from this major defect. So, the NSW theorem can probably be fixed.

Category / Keywords: public-key cryptography / Schnorr signatures, provable security

Date: received 27 May 2015

Contact author: dbrown at certicom com

Available format(s): PDF | BibTeX Citation

Version: 20150527:192303 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]