Asymmetric signatures: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 39: | Line 39: | ||
* P computes $$K \gets k \cdot G$$ |
* P computes $$K \gets k \cdot G$$ |
||
* P sends $$K$$ to V |
* P sends $$K$$ to V |
||
* V chooses at random $$c \in |
* V chooses at random $$c \in F_q$$ |
||
* V sends $$c$$ to P |
* V sends $$c$$ to P |
||
* P computes $$s \gets k + c \cdot x$$ |
* P computes $$s \gets k + c \cdot x$$ |
||
| Line 45: | Line 45: | ||
* V verifies that $$s \cdot G = K + c \cdot X$$ |
* V verifies that $$s \cdot G = K + c \cdot X$$ |
||
It is important here that $$c$$ is sent after the commitment $$K$$, otherwise one can build a simulator that returns $$(K,s)$$ from value $$(X,c)$$, without knowing $$x$$ (first pick $$s$$ at random, then compute the corresponding $$K \ |
It is important here that $$c$$ is sent after the commitment $$K$$, otherwise one can build a simulator that returns $$(K,s)$$ from value $$(X,c)$$, without knowing $$x$$ (first pick $$s$$ at random, then compute the corresponding $$K \gets s \cdot G - c \cdot X$$). |
||
The scheme can be non-interactive using [https://www.wikiwand.com/en/Fiat%E2%80%93Shamir_heuristic Fiat-Shamir transform], using a hash function H (eg. $$c \gets H(K)$$). Thanks to one-wayness, this prevents the prover to compute both $$K$$ and $$c$$. |
The scheme can be non-interactive using [https://www.wikiwand.com/en/Fiat%E2%80%93Shamir_heuristic Fiat-Shamir transform], using a hash function H (eg. $$c \gets H(K)$$). Thanks to one-wayness, this prevents the prover to compute both $$K$$ and $$c$$. |
||
Revision as of 07:43, 31 October 2022
References
- A nice overview of the three main schemes, ElGamal, Schnorr and DSA.
- Overview of paper "Unifying Zero-Knowledge Proofs of Knowledge”, by Ueli Maurer.
- Very nice explanations on the schnorr signature, and its generalisation (sigma protocols, Maurer proofs, Pedersen commitments)
Summary
These are the main asymmetric signature schemes:
- ElGamal
- Schnorr
- DSA
Schnorr signature
- Key generation
- Private key: choose $$k \in \Z_q$$,
- Public key: $$K \gets G^k$$.
- Sign
- Input: message $$m \in \{0,1\}^*$$
- Choose $$r \in \Z_q$$, and compute $$R \gets G^r$$
- Let $$h \gets H(m || R)$$
- Let $$s \gets r + k \cdot h$$
- Ouput $$\sigma \gets (h,s)$$
- Note: here, it is important that $$h$$ be computed as a one-way of $$R$$. Otherwise, one could generate a valid signature without knowing the private key $$k$$.
- Verify
- Let $$R' \gets G^sY^{-h}$$
- Let $$h' \gets H(m || R')$$
- If $$h' = h$$, return 1, otherwise return 0.
Schnorr Proof
Schnorr proof is an interactive zero-knowledge proof, where prover has a secret $$x$$ and a public value $$X \in G$$. The proof allows the prover to demonstrate to a verifier V that she/he knows $$x$$ without revealing it.
- Prereq: P knows $$x$$, V knows $$X$$
- P chooses at random $$k \in F_q$$.
- P computes $$K \gets k \cdot G$$
- P sends $$K$$ to V
- V chooses at random $$c \in F_q$$
- V sends $$c$$ to P
- P computes $$s \gets k + c \cdot x$$
- P sends $$s$$ to V
- V verifies that $$s \cdot G = K + c \cdot X$$
It is important here that $$c$$ is sent after the commitment $$K$$, otherwise one can build a simulator that returns $$(K,s)$$ from value $$(X,c)$$, without knowing $$x$$ (first pick $$s$$ at random, then compute the corresponding $$K \gets s \cdot G - c \cdot X$$).
The scheme can be non-interactive using Fiat-Shamir transform, using a hash function H (eg. $$c \gets H(K)$$). Thanks to one-wayness, this prevents the prover to compute both $$K$$ and $$c$$.