On the security of the schnorr scheme using preprocessing

Abstract

In this paper, it is shown that the Schnorr scheme with preprocessing as proposed in [4] leaks too much information. An attack based on this information leakage is presented that retrieves the secret key. The complexity of this attack is upper bounded by 2k • k3(d - 2) steps, and the expected required number of signatures is lew than 2k • (k/2)d-2, where k is a security parameter. This complexity is significantly lower than the kk(d - 2)steps, conjectured in [4]. For example, for the security parameters that are proposed in [4], the secret key can on average be found in 237, 5 steps, instead of in 272 steps. This shows that it is inevitable to either modify the preprocessing algorithm, or choose the values of the security parameters larger than proposed in [4]. Finally, we briefly discuss the possibility of averting the proposed attack by modifying the preprocessing algorithm.