Can O.S.S. be repaired ? - proposal for a new practical signature scheme

Abstract

This paper describes a family of new Ong-Schnorr-Shamir-Fiat-Shamir-like [1] identification and signature protocols designed to prevent forgers from using the Pollard-Schnorr attack [2]. Our first signature scheme (and its associated identification protocol) uses x, which is secret-free, as a commitment on which k will depend later. Therefore, the original quadratic equation is replaced by $x^2 - k(x)y^2 = m \bmod n$, where k(x) is a non-polynomial function of x. Since the Pollard-Schnorr algorithm takes the value k as input (to output x and y), it becomes impossible to feed it a priori with k(x), which is output-dependent. The second signature method takes advantage of the fact that although an attacker can generate valid OSS signatures (solutions {x, y} of $x^2 - ky^2 = m \bmod n$), he has no control over the internal structure of x and y. In particular, if we restrict the solution space by adding extra conditions on x and y, it becomes very difficult to produce forged solutions that satisfy the new requirements.

Naccache, D. (1994). Can O.S.S. be repaired ? - proposal for a new practical signature scheme. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 765 LNCS, pp. 233–239). Springer Verlag. https://doi.org/10.1007/3-540-48285-7_19
