Reusing Nonces in Schnorr Signatures

(and Keeping It Secure...)
  • Marc Beunardeau
  • Aisling Connolly
  • Houda Ferradi
  • Rémi Géraud
  • David Naccache
  • Damien Vergnaud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


The provably secure Schnorr signature scheme is popular and efficient. However, each signature requires a fresh modular exponentiation, which is typically a costly operation. As the increased uptake in connected devices revives the interest in resource-constrained signature algorithms, we introduce a variant of Schnorr signatures that mutualises exponentiation efforts.

Combined with precomputation techniques (which would not yield as interesting results for the original Schnorr algorithm), we can amortise the cost of exponentiation over several signatures: these signatures share the same nonce. Sharing a nonce is a deadly blow to Schnorr signatures, but is not a security concern for our variant.

Our Scheme is provably secure, asymptotically-faster than Schnorr when combined with efficient precomputation techniques, and experimentally 2 to 6 times faster than Schnorr for the same number of signatures when using 1 MB of static storage.


  1. 1.
    Agnew, G.B., Mullin, R.C., Onyszchuk, I.M., Vanstone, S.A.: An implementation for a fast public-key cryptosystem. J. Crypto. 3(2), 63–79 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Aranha, D.F., Fouque, P.-A., Gérard, B., Kammerer, J.-G., Tibouchi, M., Zapalowicz, J.-C.: GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 262–281. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_14 Google Scholar
  3. 3.
    Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 2006, 30 October–3 November, pp. 390–399. ACM Press, Alexandria (2006)Google Scholar
  4. 4.
    Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). doi: 10.1007/BFb0054129 CrossRefGoogle Scholar
  5. 5.
    Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 200–207. Springer, Heidelberg (1993). doi: 10.1007/3-540-47555-9_18 CrossRefGoogle Scholar
  6. 6.
    Cheon, J.H., Kim, H.: Analysis of low hamming weight products. Disc. Appl. Math. 156(12), 2264–2269 (2008),
  7. 7.
    Coron, J.-S., M’Raïhi, D., Tymen, C.: Fast generation of pairs (k, [k]P) for koblitz elliptic curves. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 151–164. Springer, Heidelberg (2001). doi: 10.1007/3-540-45537-X_12 CrossRefGoogle Scholar
  8. 8.
    Rooij, P.: Efficient exponentiation using precomputation and vector addition chains. In: Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 389–399. Springer, Heidelberg (1995). doi: 10.1007/BFb0053453 Google Scholar
  9. 9.
    de Rooij, P.: On Schnorr’s preprocessing for digital signature schemes. J. Crypto. 10(1), 1–16 (1997)CrossRefzbMATHGoogle Scholar
  10. 10.
    ElGamal, T.: On computing logarithms over finite fields. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 396–402. Springer, Heidelberg (1986). doi: 10.1007/3-540-39799-X_28 CrossRefGoogle Scholar
  11. 11.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi: 10.1007/3-540-47721-7_12 CrossRefGoogle Scholar
  12. 12.
    Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press (2012),
  13. 13.
    Hoffstein, J., Silverman, J.H.: Random small hamming weight products with applications to cryptography. Disc. Appl. Math. 130(1), 37–49 (2003),
  14. 14.
    Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30576-7_15 CrossRefGoogle Scholar
  15. 15.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press (2007)Google Scholar
  16. 16.
    Kiraz, M.S., Uzunkol, O.: Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Int. J. Inf. Sec. 15(5), 519–537 (2016),
  17. 17.
    Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 95–107. Springer, Heidelberg (1994). doi: 10.1007/3-540-48658-5_11 Google Scholar
  18. 18.
    M’Raïhi, D., Naccache, D.: Batch exponentiation: a fast DLP-based signature generation strategy. In: Gong, L., Stearn, J. (eds.) CCS 1996, Proceedings of the 3rd ACM Conference on Computer and Communications Security, New Delhi, India, March 14–16, pp. 58–61. ACM (1996),
  19. 19.
    Nguyen, P.Q., Shparlinski, I.E., Stern, J.: Distribution of modular sums and the security of the server aided exponentiation. In: Cryptography and Computational Number Theory, pp. 331–342. Springer (2001)Google Scholar
  20. 20.
    Nguyen, P., Stern, J.: The hardness of the hidden subset sum problem and its cryptographic implications. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 31–46. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_3 CrossRefGoogle Scholar
  21. 21.
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_33 Google Scholar
  22. 22.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Crypto. 13(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar
  23. 23.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). doi: 10.1007/0-387-34805-0_22 CrossRefGoogle Scholar
  24. 24.
    Schroeppel, R., Orman, H., O’Malley, S., Spatscheck, O.: Fast key exchange with elliptic curve systems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 43–56. Springer, Heidelberg (1995). doi: 10.1007/3-540-44750-4_4 Google Scholar
  25. 25.
    Shanks, D.: Class number, a theory of factorization and genera. Proc. Symp. Pure Math. 20, 415–440 (1970)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Marc Beunardeau
    • 1
  • Aisling Connolly
    • 1
  • Houda Ferradi
    • 2
  • Rémi Géraud
    • 1
  • David Naccache
    • 1
  • Damien Vergnaud
    • 1
  1. 1.Département d’informatique de l’ENS, École Normale Supérieure, CNRSPSL Research UniversityParisFrance
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations