3

Wikipidia says Schnorr signature generation is defined like this:

Y = x * G //this is the key we are trying to provide a signature for
k = random scalar
r = k * G
e = Hash_to_scalar(r || message)
s = k - xe
signature = (s, e)

This seems correct, but then to verify it's defined as:

r = s * G * e * Y
e = Hash_to_scalar(r || message)

Shouldn't it be:

r = s * G + e * Y
e = Hash_to_scalar(r || message)

because:

r = k - xe * G + ex * G == k * G; //this works
r = k - xe * G * ex * G != k * G; //this doesnt work

Or have I made a silly mistake somewhere?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
cookiekid
  • 131
  • 4

1 Answers1

3

The equation in Wikipedia is r = s*G + e*Y, and not r = s*G * e*Y

Thus, r = s*G + e*Y = (k - xe)*G + e*(x*G) = k*G - xe*G + xe*G = k*G

Conrado
  • 6,414
  • 1
  • 29
  • 44
  • In fact, the Wikipedia page is also completely wrong since it keeps mixing additive and multiplicative notations. – Thomas Pornin Nov 16 '18 at 13:00
  • 4
    I have fixed the Wikipedia page. – Thomas Pornin Nov 16 '18 at 13:02
  • @Conrado yes that was an edit made by me. Previously it said r = s * G * e * Y but i edited it to see if a moderator would remove correct me in case i was wrong :) – cookiekid Nov 16 '18 at 13:02
  • 3
    @Thomas Pornin: useful fix! But the signature scheme as originally described differs slightly: the signature is $\left(H\left(g^k\mathbin|M\right), k+x,H\left(g^k\mathbin|M\right)\right)$ with the hash much shorter than $q$; also notice the $+$ (Claus-Peter Schnorr described both as features). Detailed description of the original scheme and bibliography there. Practice often differs, especially for Elliptic Curve variants, taxonomy there. – fgrieu Nov 16 '18 at 13:33
  • @ fgrieu Thank you for documenting Schnorr signature scheme and further development. – Vadym Fedyukovych Nov 16 '18 at 22:07