3

In the third step of the Schnorr protocol, the prover's response takes the form $z=r+cx$.

Why can't this form $z=cr+x$ work?

I found that these answers 2 are related to my question.

However, neither of these answers provides a specific attack method: how could a malicious prover generate a valid proof without knowing $x$?

I understand that if we use $z=cr+x$ as the response and a malicious verifier uses $c=0$ as the challenge, then the zero-knowledge property does not hold.

I also know that, given the same commitment $R=g^r$, the knowledge extractor could extract the random number $r$ instead of the witness $x$. Therefore, it cannot be used to prove the property of soundness.

However, it remains unclear how a malicious prover could generate a valid proof without knowledge of $x$ when using the response form $z=cr+x$.


1 Answer

4

As noted in my other answer, it does work and is sound and zero knowledge. Also note that $c=0$ is not a legitimate challenge.

We note that we can map between transcripts of Schnorr protocols and transcripts of your variant protocol to show that they provide equivalent information. If $(R,c,z)$ is a valid Schnorr transcript, then $(R,1/c\mod q,z/c\mod q)$ is a valid transcript for the alternative (and if $c$ is uniformly distributed $1\le c< q$ then so too is $1/c\mod q$). Likewise, if $(R,c,z)$ is a valid transcript for the alternative, then $(R,1/c\mod q,z/c\mod q)$ is a valid Schnorr transcript.

The Schnorr specification is marginally more misuse resistant, but both are valid.
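
The transcript mapping from the answer above, as an added example that is not part of the original post. It assumes the variant's verification equation $g^z = R^c\cdot y$ (derived here from $z=cr+x$ with $y=g^x$); the toy group $p=2267$, $q=103$ and all function names are constructed for illustration and are not secure sizes.

```python
import secrets

P, Q = 2267, 103                 # constructed toy group: Q is prime and divides P-1
G = pow(2, (P - 1) // Q, P)      # element of order Q in Z_P^*

def inv(a):
    """Inverse mod Q. Undefined for 0, which is why c = 0 is not a legal challenge."""
    if a % Q == 0:
        raise ValueError("challenge must lie in [1, Q)")
    return pow(a, -1, Q)

def schnorr_prove(x, r, c):      # standard response: z = r + c*x
    return (pow(G, r, P), c, (r + c * x) % Q)

def variant_prove(x, r, c):      # variant from the question: z = c*r + x
    return (pow(G, r, P), c, (c * r + x) % Q)

def schnorr_verify(y, t):        # accepts iff g^z == R * y^c
    R, c, z = t
    return 1 <= c < Q and pow(G, z, P) == R * pow(y, c, P) % P

def variant_verify(y, t):        # accepts iff g^z == R^c * y (assumed form)
    R, c, z = t
    return 1 <= c < Q and pow(G, z, P) == pow(R, c, P) * y % P

def convert(t):
    """(R, c, z) -> (R, 1/c mod Q, z/c mod Q); the same map works in both directions."""
    R, c, z = t
    ci = inv(c)
    return (R, ci, z * ci % Q)

def demo():
    """Random witness, nonce and challenge; returns four verification results."""
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1
    c = secrets.randbelow(Q - 1) + 1
    s = schnorr_prove(x, r, c)
    v = variant_prove(x, r, c)
    return (schnorr_verify(y, s), variant_verify(y, convert(s)),
            variant_verify(y, v), schnorr_verify(y, convert(v)))

if __name__ == "__main__":
    print(demo())
```

Both verifiers reject $c=0$ and `convert` cannot invert it, which matches the answer's remark that $c=0$ is not a legitimate challenge: with the variant response, $c=0$ would give $z=x$.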
