On the security of the Schnorr scheme using preprocessing

Authors:
Peter De Rooij
Affiliations:
PTT Research, Leidschendam, The Netherlands
Venue:
EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
Year:
1991

Citing 3
Cited 6

Zero knowledge proofs of identity

STOC '87 Proceedings of the nineteenth annual ACM symposium on Theory of computing
A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory

Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT'88
Efficient Identification and Signatures for Smart Cards

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology

On Schnorr's preprocessing for digital signature schemes

EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Fast Generation of Pairs (k, [k]P) for Koblitz Elliptic Curves

SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Provably Unforgeable Signatures

CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Security and Performance of Server-Aided RSA Computation Protocols

CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
How to securely outsource cryptographic computations

TCC'05 Proceedings of the Second international conference on Theory of Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, it is shown that the Schnorr scheme with preprocessing as proposed in [4] leaks too much information. An attack based on this information leakage is presented that retrieves the secret key. The complexity of this attack is upper bounded by 2k ċ k3(d-2) steps, and the expected required number of signatures is less than 2k ċ (k/2)(d-2), where k is a security parameter. This complexity is significantly lower than the kk(d-2) steps, conjectured in [4]. For example, for the security parameters that are proposed in [4], the secret key can on average be found in 237.5 steps, instead of in 272 steps, This shows that it is inevitable to either modify the preprocessing algorithm, or choose the values of the security paremeters larger than proposed in [4]. Finally, we briefly discuar the possibility of averting the proposed attack by modifying the preprocessing algorithm.