In the Schnorr identity protocol, we can transform the interactive ZKP into a non-interactive one by replacing the role of the verifier (i.e. providing a random challenge value) with a hash function that uses the prover's encrypted nonce as input.
s = r + e*x
where:
e = H(r*G)
Validation works by ensuring:
sG == R + e*P
where:
R = r*G
Assume that in this non-interactive model, the prover picks an r value in advance, and runs R through the hash function to determine its corresponding e digest. Assume the prover is malicious, and is looking to trick a verifier into accepting a Schnorr signature without knowing the private key x. If the prover reuses this e value when constructing the signature, while also selecting an arbitrary s value, they could back out sG = rG-eP. Since the prover knows R, e and P, it seems as if they could convince a verifier that the signature is valid, without needing knowledge of the private key. What prevents this from happening?
Two comments: in a Schnorr signature (rather than just an identification attempt), a message is also included in the hash (so e = H(rG||msg)). Second, the uppercase letters in your protocol represent group elements in which the discrete logarithm problem is hard, so you can't solve sG = rG-eP for s (as that would require "dividing" by G, which is computationally infeasible). – Pieter Wuille – 2019-04-29T18:09:34.253

So basically it would be impossible to find an s value that balances, b/c sG=rG-eP ---> sG=rG-e*xG. Dividing out G leaves us with s=r+e*x which requires knowledge of x? – Jayyy777 – 2019-04-29T19:09:41.357

Exactly. You can write it as s = r - e*(P/G), but the P/G part can't be computed. – Pieter Wuille – 2019-04-29T19:28:22.300
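As an added example (not code from the question or from the commenters), the following Python script implements the non-interactive identification check from the question and the point made in the comments. It assumes the secp256k1 curve for the group (the thread names no curve) and Python 3.8 or newer; uppercase names are points and lowercase names are scalars, matching the thread's notation. It shows an honest run passing, the scenario from the question (R and therefore e fixed, s chosen without x) failing, and the reverse attempt (s and e chosen first, R derived so the algebra balances) failing because the verifier recomputes e = H(R) itself.

```python
"""Non-interactive (Fiat-Shamir) Schnorr identification over secp256k1.

Added example; not code from the question or the comments. The curve
choice and all sample scalars below are assumptions of this example.
"""
import hashlib

# secp256k1 domain parameters (assumed here; the question names no curve)
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(A):
    """True if A satisfies y^2 = x^3 + 7 over GF(P_FIELD)."""
    x, y = A
    return (y * y - x * x * x - 7) % P_FIELD == 0


def point_add(A, B):
    """Affine point addition (handles doubling and the A == -B case)."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF  # A == -B
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)


def scalar_mul(k, A):
    """Double-and-add; k is reduced modulo the group order."""
    k %= N_ORDER
    R = INF
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def point_neg(A):
    return INF if A is INF else (A[0], (-A[1]) % P_FIELD)


def encode(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def challenge(R):
    """Fiat-Shamir: e = H(R); the hash stands in for the verifier."""
    return int.from_bytes(hashlib.sha256(encode(R)).digest(), "big") % N_ORDER


def prove(x, r):
    """Honest prover: commit R = r*G, derive e = H(R), answer s = r + e*x."""
    R = scalar_mul(r, G)
    e = challenge(R)
    s = (r + e * x) % N_ORDER
    return R, s


def verify(Pk, R, s):
    """Verifier recomputes e from R and checks s*G == R + e*P."""
    e = challenge(R)
    return scalar_mul(s, G) == point_add(R, scalar_mul(e, Pk))


# Constructed sample secret and public key for the demonstration
x = 0x1234_5678_9ABC_DEF0_1111_2222_3333_4444
Pk = scalar_mul(x, G)


def honest_accepts():
    R, s = prove(x, r=0xCAFE_F00D_DEAD_BEEF)
    return verify(Pk, R, s)


def forge_fixed_R_fails():
    """The question's scenario: R (hence e = H(R)) is fixed, and s is
    chosen without x. Only s = r + e*x satisfies s*G == R + e*P, and
    extracting that s from R, e, P alone is the discrete-log problem."""
    R = scalar_mul(0xCAFE_F00D_DEAD_BEEF, G)
    return not verify(Pk, R, s=0x0BAD_5EED)


def forge_chosen_s_e_fails():
    """The reverse attempt: choose s and e first and derive the R that
    balances the equation (R = s*G - e*P). The curve algebra holds, but
    verification still fails because the verifier recomputes e = H(R)
    and that value does not match the chosen e."""
    s, e = 0x0BAD_5EED, 0x0FAC_ADE5
    R = point_add(scalar_mul(s, G), point_neg(scalar_mul(e, Pk)))
    algebra_balances = scalar_mul(s, G) == point_add(R, scalar_mul(e, Pk))
    return algebra_balances and not verify(Pk, R, s)


if __name__ == "__main__":
    print("honest run accepted:", honest_accepts())
    print("fixed-R forgery rejected:", forge_fixed_R_fails())
    print("chosen-(s,e) forgery rejected:", forge_chosen_s_e_fails())
```

Each helper returns a boolean so it can be checked directly; the last function is the point both commenters make in one place: the verifier never trusts a supplied e, so the only way to balance s*G == R + e*P for a fixed R is to know r and x.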