Schnorr signatures require representation of an element in a discrete logarithm group as a hashable bit string. This report describes a defective bit string representation of elliptic curve points. Schnorr signatures are insecure when used with this defective representation. Nevertheless, the defective representation meets all the conditions of the NSW theorem.
Of course, a natural representation of an elliptic curve group element would not suffer from this major defect. So, the NSW theorem can probably be fixed.
Category / Keywords: public-key cryptography / Schnorr signatures, provable security Date: received 27 May 2015 Contact author: dbrown at certicom com Available format(s): PDF | BibTeX Citation Version: 20150527:192303 (All versions of this report) Short URL: ia.cr/2015/509 Discussion forum: Show discussion | Start new discussion