Zero knowledge proofs of identity. STOC '87 Proceedings of the nineteenth annual ACM symposium on Theory of computing.
Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT'88.
Efficient Identification and Signatures for Smart Cards. CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology.
On Schnorr's preprocessing for digital signature schemes. EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology.
Fast Generation of Pairs (k, [k]P) for Koblitz Elliptic Curves. SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography.
The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications. CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology.
Provably Unforgeable Signatures. CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology.
Security and Performance of Server-Aided RSA Computation Protocols. CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology.
How to securely outsource cryptographic computations. TCC'05 Proceedings of the Second international conference on Theory of Cryptography.
In this paper, it is shown that the Schnorr scheme with preprocessing as proposed in [4] leaks too much information. An attack based on this information leakage is presented that retrieves the secret key. The complexity of this attack is upper bounded by $2^k \cdot k^{3(d-2)}$ steps, and the expected number of signatures required is less than $2^k \cdot (k/2)^{d-2}$, where $k$ and $d$ are security parameters of the preprocessing. This complexity is significantly lower than the $k^{k(d-2)}$ steps conjectured in [4]. For example, for the security parameters proposed in [4], the secret key can on average be found in $2^{37.5}$ steps instead of $2^{72}$ steps. This shows that it is inevitable to either modify the preprocessing algorithm or choose larger values of the security parameters than those proposed in [4]. Finally, we briefly discuss the possibility of averting the proposed attack by modifying the preprocessing algorithm.