Paper 2018/069

Reusing Nonces in Schnorr Signatures

Marc Beunardeau, Aisling Connolly, Houda Ferradi, Rémi Géraud, David Naccache, and Damien Vergnaud


The provably secure Schnorr signature scheme is popular and efficient. However, each signature requires a fresh modular exponentiation, which is typically a costly operation. As the increased uptake in connected devices revives the interest in resource-constrained signature algorithms, we introduce a variant of Schnorr signatures that mutualises exponentiation efforts. Combined with precomputation techniques (which would not yield as interesting results for the original Schnorr algorithm), we can amortise the cost of exponentiation over several signatures: these signatures share the same nonce. Sharing a nonce is a deadly blow to Schnorr signatures, but is not a security concern for our variant. Our Scheme is provably secure, asymptotically-faster than Schnorr when combined with efficient precomputation techniques, and experimentally $2$ to $6$ times faster than Schnorr for the same number of signatures when using 1\,MB of static storage.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. MINOR revision.ESORICS 2017
Schnorr digital signature efficiency
Contact author(s)
marc beunardeau @ ingenico com
2018-01-18: received
Short URL
Creative Commons Attribution


      author = {Marc Beunardeau and Aisling Connolly and Houda Ferradi and Rémi Géraud and David Naccache and Damien Vergnaud},
      title = {Reusing Nonces in Schnorr Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2018/069},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.