A Literature Review of the Schnorr Identification Protocol
Description
One of the first things I like to do when learning a new subfield is to get a rough overview of its history and development, for a multitude of reasons - it can be informative to see what applications motivated people in the past, the form that ideas take is often contingent on the path along which they were developed, and sometimes there are useful older results that get forgotten or glossed over. And of course, it doesn’t need to be said why a summary of more recent research can be useful.
The past month I’ve been playing around with the idea of doing comprehensive literature reviews of different areas of cryptography, going over each paper published on a specific protocol or topic and summarizing its results and significance, adding interesting historical details or implementations as appropriate. I’m hoping to build this out on my site over the next few years to create a really incredible resource for researchers and engineers to draw from, by creating a comprehensive indexing of everything in the field of cryptography of significance, and probably a few things of insignificance as well. This is very ambitious, and I might not finish it! But the idea seemed too fun and useful not to try.
So far I’ve only done this one post on the Schnorr identification protocol, which of course extends to include the Schnorr signature scheme. I’ve compiled every noteworthy paper here I could find. Over time I am planning to fill in the details of each paper and add other little notes that might be useful or interesting.
Note this is still a work in progress! If I missed anything, my DMs are open on X - feel free to send me a message.
Papers
Preceding Work
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms (1985)
In 1986, Fiat and Shamir published How To Prove Yourself: Practical Solutions to Identification and Signature Problems.
In their 1988 paper An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations, Chaum, Evertse and van de Graaf describe a novel protocol for proving knowledge of a discrete log value.
Schnorr’s original paper
In his 1990 paper Efficient Signature Generation for Smart Cards, C.P. Schnorr invented the Schnorr signature scheme, described above, in order to “minimize the message dependent amount of computation the smart card has to perform to generate a signature”. Critically, relative to the previous state of the art in RSA signatures, the main portion of the work in computing a Schnorr signature is not dependent on the message size, making it better suited to environments limited in computational power.
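As an added example (not code from this post or from Schnorr’s paper), the following shows the identification protocol and the signature scheme derived from it over a constructed toy group, with the prover’s work split so that the message-independent exponentiation g^k is done in advance and the online step is only s = k + x·e mod q. The toy parameters (P = 2039, Q = 1019, G = 4), the use of SHA-256 as the challenge hash, and hashing the public key into the challenge are choices made for this example.

```python
"""Schnorr identification and signatures over a toy prime-order subgroup (added example)."""
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: Q = 1019 is prime, P = 2*Q + 1 = 2039
# is prime, and G = 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1

def keygen():
    """Secret key x in [1, Q), public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Message-independent step shared by identification and signing: fresh nonce k, r = g^k.
    This exponentiation is the bulk of the prover's work and can be precomputed before the
    message (or the verifier's challenge) is known."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def respond(x, k, e):
    """Prover's response s = k + x*e mod q: a multiplication and an addition, no exponentiation."""
    return (k + x * e) % Q

def identification_round(x, y):
    """One run of the interactive protocol: the prover shows knowledge of x = log_g(y)."""
    k, r = commit()                               # prover -> verifier: r
    e = secrets.randbelow(Q - 1) + 1              # verifier -> prover: random non-zero challenge
    s = respond(x, k, e)                          # prover -> verifier: s
    return pow(G, s, P) == r * pow(y, e, P) % P   # verifier accepts iff g^s == r * y^e

def challenge(r, y, message):
    """Fiat-Shamir challenge e = H(r || y || m) as a 256-bit integer; hashing the public key in
    binds the signature to the signer (an assumption of this example, as in BIP340)."""
    data = r.to_bytes(2, "big") + y.to_bytes(2, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(x, y, message, precomputed=None):
    """Signature (e, s); the offline (k, r) pair may be supplied from an earlier commit()."""
    k, r = precomputed if precomputed else commit()
    e = challenge(r, y, message)
    return e, respond(x, k, e)

def verify(y, message, sig):
    """Recover r' = g^s * y^(-e) and accept iff H(r' || y || m) == e."""
    e, s = sig
    if not 0 <= s < Q:          # reject out-of-range s (e.g. s + Q), as real verifiers do
        return False
    r_prime = pow(G, s, P) * pow(y, (-e) % Q, P) % P
    return challenge(r_prime, y, message) == e

if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, y, b"pay 5 coins to Bob")
    print("identification:", identification_round(x, y))
    print("signature valid:", verify(y, b"pay 5 coins to Bob", sig))
    print("modified message:", verify(y, b"pay 500 coins to Bob", sig))
```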
Directly related work
Provably secure and practical identification schemes and corresponding signature schemes (1993) - Blind Schnorr signatures, apparently
Security Proofs for Signature Schemes (1996) - security analysis of Schnorr under discrete logarithm
Provably Secure Blind Signature Schemes (1996) - security of blind Schnorr
Security Arguments for Digital Signatures and Blind Signature (2000) - security analysis of Schnorr blind sigs
Proxy signatures, Revisited. (1997)
Strengthened Security for Blind Signatures (1998)
Security of Discrete Log Cryptosystems in the Random Oracle and the Generic Model (2000) - uses RO + generic group model to prove Schnorr is secure against one-more forgery, and blind Schnorr
Securely Combining Public-Key Cryptosystems (2001)
Strong Proxy Signature and its Applications (2002)
Fully Distributed Proxy Signature Schemes (2002)
Forking Lemmas in the Ring Signatures’ Scenario (2003)
Efficient Extension of Standard Schnorr/RSA signatures into Universal Designated-Verifier Signatures (2003)
Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography (2004) - develops a UC secure Schnorr threshold signature scheme
Another Look at “Provable Security” (2004) - discussion of Schnorr vs. DSA security
Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log (2005) - security analysis
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware (2005)
Revisiting Oblivious Signature-Based Envelopes (2005)
Deterministic Identity-Based Signatures for Partial Aggregation (2006)
Efficient ID-based Threshold Signature Schemes without Pairings (2006) - ID threshold sig without pairings
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles (2007) - Schnorr two-tier signatures, and one-time signatures
Improved Bounds on Security Reductions for Discrete Log Based Signatures (2008) - improved security analysis
On the Portability of Generalized Schnorr Proofs (2009) - seems to provide a more composable version of Schnorr identification proofs
Hash Function Requirements for Schnorr Signatures (2009) - show properties needed for hash for Schnorr sig to be secure
A Schnorr-Like Lightweight Identity-Based Signature Scheme (2009)
A supplement to Liu et al.’s certificateless signcryption scheme in the standard model (2010) - uses a one-time Schnorr signature for something
Attacking M&M Collective Signature Scheme (2010) - finds security flaws with a collective Schnorr signature scheme
Identity Based Partial Aggregate Signature Scheme Without Pairing (2010) - based on Schnorr
Limits of Provable Security From Standard Assumptions (2011) - proves Schnorr cannot be proven secure in the standard model using discrete log
On the Joint Security of Encryption and Signature in EMV (2011)
How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios (2012)
Galindo-Garcia Identity-Based Signature, Improved (2012)
Digital Signatures from Challenge-Divided Σ-Protocols (2012) - new offline/online efficient variant of Schnorr signatures
On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model (2012) - proves best security bound for Schnorr sigs
On the Security of One-Witness Blind Signature Schemes (2012) - proves current techniques for proving security in the RO model don’t work for Schnorr blind signatures
A Non-delegatable Identity-based Designated Verifier Signature Scheme without Bilinear Pairings (2012)
Galindo-Garcia Identity-Based Signature, Revisited (2012) - new security analysis of identity-based Schnorr
A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption (2012) - adds Schnorr sig to ElGamal encryption
Non Observability in the Random Oracle Model (2012) - gives security reduction when the security proof can’t “observe” the adversary’s random oracle queries
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures (2013)
On Tight Security Proofs for Schnorr Signatures (2013)
A Secure Obfuscator for Encrypted Blind Signature Functionality (2013)
LCPR: High Performance Compression Algorithm for Lattice-Based Signatures (2014) - lossless compression for Schnorr-like signatures
Short Schnorr signatures require a hash function with more than just random-prefix resistance (2015) - shows flaw with earlier hash function security result
Attribute-Based Versions of Schnorr and ElGamal (2015)
A flaw in a theorem about Schnorr signatures (2015) - flaw in “Hash Function Requirements for Schnorr Signatures”
Adaptive Proofs of Knowledge in the Random Oracle Model (2015) - proves Schnorr is not adaptively knowledge secure
Adaptive Proofs have Straightline Extractors (in the Random Oracle Model) (2015) - generalizes result showing Schnorr not adaptively knowledge secure
Multi-user Schnorr security, revisited (2015) - flaw in proof showing single-key Schnorr implies multi-key Schnorr is secure
On the Security of the Schnorr Signature Scheme and DSA against Related-Key Attacks (2015) - Schnorr insecure against related-key attacks/side channels
New Approaches for Secure Outsourcing Algorithm for Modular Exponentiations (2016) - outsource secure Schnorr
Optimal Security Proofs for Signatures from Identification Schemes (2016) - tighter proof for multi-user Schnorr
On the Security of Classic Protocols for Unique Witness Relations (2017) - witness hiding for Schnorr
Unlinkable and Strongly Accountable Sanitizable Signatures from Verifiable Ring Signatures (2017) - unlinkable modified signatures for Schnorr
Conditional Blind Signatures (2017)
Short Double-and N-Times-Authentication-Preventing Signatures from ECDSA and More (2017) - prevents double signing with Schnorr
Simple Schnorr Multi-Signatures with Applications to Bitcoin (2018)
Reusing Nonces in Schnorr Signatures (2018) - allows nonce reuse
The Wonderful World of Global Random Oracles (2018) - unclear
New Bleichenbacher Records: Fault Attacks on qDSA Signatures (2018) - attack against nonce reuse
Aggregation of Gamma-Signatures and Applications to Bitcoin (2018)
On the Security of Two-Round Multi-Signatures (2018) - shows insecurity of Schnorr-based multisig schemes
Compact Multi-Signatures for Smaller Blockchains (2018)
Unifying Kleptographic Attacks (2018)
Durandal: a rank metric based signature scheme (2018) - post-quantum
Minimizing Trust in Hardware Wallets with Two Factor Signatures (2018)
Minicrypt Primitives with Algebraic Structure and Applications (2019) - Schnorr from homomorphic OWF
Cryptanalysis of a New Code-based Signature Scheme with Shorter Public Key in PKC 2019 (2019) - post-quantum Schnorr broken
Schnorr-based implicit certification: improving the security and efficiency of V2X communications (2019)
Anonymous Deniable Identification in Ephemeral Setup & Leakage Scenarios (2019)
Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model (2019)
Formalising Σ-Protocols and Commitment Schemes using CryptHOL (2019) - formal security of schnorr
Refresh When You Wake Up: Proactive Threshold Wallets with Offline Devices (2019)
On Instantiating the Algebraic Group Model from Falsifiable Assumptions (2020) - proves Schnorr secure in the AGM
Simple Schnorr Signature with Pedersen Commitment as Key (2020)
The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-Rewinding Proofs for Schnorr Identification and Signatures (2020) - tighter security reduction in the standard RO model
Optimized Lattice Basis Reduction In Dimension 2, and Fast Schnorr and EdDSA Signature Verification (2020)
MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces (2020)
FROST: Flexible Round-Optimized Schnorr Threshold Signatures (2020)
On the (in)security of ROS (2020) - attack on concurrent execution of FROST and blind Schnorr sigs
On Pairing-Free Blind Signature Schemes in the Algebraic Group Model (2020)
Two-round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices (2020)
Two-Round Trip Schnorr Multi-Signatures via Delinearized Witnesses (2020)
A New Code Based Signature Scheme without Trapdoors (2020)
MuSig2: Simple Two-Round Schnorr Multi-Signatures (2020)
Verifiable Timed Signatures Made Practical (2020)
One-Time Delegation of Unlinkable Signing Rights and Its Application (2020)
Cryptanalysis of a code-based signature scheme without trapdoors (2021) - breaks “A new Code Based etc”
Two-Party Adaptor Signatures From Identification Schemes (2021)
Subtractive Sets over Cyclotomic Rings Limits of Schnorr-like Arguments over Lattices (2021)
Code-based signatures without trap (2021)
Non-interactive half-aggregation of EdDSA and variants of Schnorr signatures (2021)
SSProve: A foundational framework for modular cryptographic proofs in Coq (2021)
Stacking Sigmas: A Framework to Compose Σ-Protocols for Disjunctions (2021)
Indifferentiable Signatures: High Performance and Fallback Security (2021)
The One-More Discrete Logarithm Assumption in the Generic Group Model (2021)
Threshold Schnorr with Stateless Deterministic Signing from Standard Assumptions (2021)
ZKAttest: Ring and Group Signatures for existing ECDSA keys (2021)
DualRing: Generic Construction of Ring Signatures with Efficient Instantiations (2021)
How to Prove Schnorr Assuming Schnorr: Security of Multi- and Threshold Signatures (2022)
Identifiable Cheating Entity Flexible Round-Optimized Schnorr Threshold (ICE FROST) Signature Protocol (2021)
Half-Aggregation of Schnorr Signatures with Tight Reductions (2022)
Simple Three-Round Multiparty Schnorr Signing with Full Simulatability (2022)
ROAST: Robust Asynchronous Schnorr Threshold Signatures (2022)
Breaking the t < n/3 Consensus Bound: Asynchronous Dynamic Proactive Secret Sharing under Honest Majority (2022) - can be used with ROAST
MPC for Group Reconstruction Circuits (2022) - formal verification of security
MuSig-L: Lattice-Based Multi-Signature With Single-Round Online Phase (2022)
The inspection model for zero-knowledge proofs and efficient Zerocash with secp256k1 keys (2022)
On the Classic Protocol for MPC Schnorr Signatures (2022) - MPC Schnorr is UC secure
Deterministic Wallets for Adaptor Signatures (2022)
Extensible Decentralized Secret Sharing and Application to Schnorr Signatures (2022) - threshold Schnorr that does not require all parties online for key generation
Threshold Signatures with Private Accountability (2022) - threshold signatures where a specified party can see who did/did not sign
Proactive Refresh for Accountable Threshold Signature (2022)
Jolt: Recovering TLS Signing Keys via Rowhammer Faults (2022) - side channel
Concurrently Secure Blind Schnorr Signatures (2022)
On Zero-Knowledge Proofs over the Quantum Internet (2022)
Ring Signatures with User-Controlled Linkability (2022)
Key-and-Signature Compact Multi-Signatures for Blockchain: A Compiler with Realizations (2022)
A Transformation for Lifting Discrete Logarithm Based Cryptography to Post-Quantum Cryptography (2023)
Non-Interactive Blind Signatures for Random Messages (2023)
SPRINT: High-Throughput Robust Distributed Schnorr Signatures (2023)
Fully Adaptive Schnorr Threshold Signatures (2023)
On the Security of Blind Signatures in the Multi-Signer Setting (2023)
Benchmarking ZK-Circuits in Circom (2023)
Weak Fiat-Shamir Attacks on Modern Proof Systems (2023)
Schnorr protocol in Jasmin (2023)
Anonymous, Timed and Revocable Proxy Signatures (2023)
Practical Schnorr Threshold Signatures Without the Algebraic Group Model (2023)
The many faces of Schnorr (2023)
Fast batched asynchronous distributed key generation (2023)
CSI-Otter: Isogeny-based (Partially) Blind Signatures from the Class Group Action with a Twist (2023)
Sigma Protocols from Verifiable Secret Sharing and Their Applications (2023)
Rogue-Instance Security for Batch Knowledge Proofs (2023)
G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians (2023)
M&M’S: Mix and Match Attacks on Schnorr-type Blind Signatures with Repetition (2023)
Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures (2023)
On Sigma-Protocols and (packed) Black-Box Secret Sharing Schemes (2023)
Π: A Unified Framework for Verifiable Secret Sharing (2023)
Faster Complete Formulas for the GLS254 Binary Curve (2023)
Distributed Fiat-Shamir Transform: from Threshold Identification Protocols to Signatures (2024)
Consecutive Adaptor Signature Scheme: From Two-Party to N-Party Settings (2024)
HARTS: High-Threshold, Adaptively Secure, and Robust Threshold Schnorr Signatures (2024)
Parameter-Hiding Order-Revealing Encryption without Pairings (2024)
Arctic: Lightweight and Stateless Threshold Schnorr Signatures (2024)
Dynamic-FROST: Schnorr Threshold Signatures with a Flexible Committee (2024)
Adaptively Secure 5 Round Threshold Signatures from MLWE/MSIS and DL with Rewinding (2024)
Unforgeability of Blind Schnorr in the Limited Concurrency Setting (2024)
Concrete Analysis of Schnorr-type Signatures with Aborts (2024)
Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds (2024)
Asynchronous Verifiable Secret Sharing with Elastic Thresholds and Distributed Key Generation (2024)
Functional Adaptor Signatures: Beyond All-or-Nothing Blockchain-based Payments (2024)
Schnorr Signatures are Tightly Secure in the ROM under a Non-interactive Assumption (2024)
Glacius: Threshold Schnorr Signatures from DDH with Full Adaptive Security (2024)
Foundations of Adaptor Signatures (2024)
On Concrete Security Treatment of Signatures Based on Multiple Discrete Logarithms (2024)
Applications
Strong designated verifier signature scheme: new definition and construction (2010) - HMAC with Schnorr?
Analysis and Construction of Efficient RFID Authentication Protocol with Backward Privacy (2012)
A Secure Obfuscator for Encrypted Blind Signature Functionality (2013)
Stamp & Extend – Instant but Undeniable Timestamping based on Lazy Trees (2013)
DAA-related APIs in TPM2.0 Revisited (2014)
LCPR: High Performance Compression Algorithm for Lattice-Based Signatures (2014)
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys (2015)
On the Hardness of Proving CCA-Security of Signed ElGamal (2015)
Legally Fair Contract Signing Without Keystones (2016)
The Strobe protocol framework (2017)
Proposal for Protocol on a Quorum Blockchain with Zero Knowledge (2017)
zkLedger: Privacy-Preserving Auditing for Distributed Ledgers (2018)
Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble (2018)
Efficient Non-Interactive Zero-Knowledge Proofs in Cross-Domains without Trusted Setup (2018)
Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically (2020)
Non-Interactive Half-Aggregate Signatures Based on Module Lattices (2021)
Cryptimeleon: A Library for Fast Prototyping of Privacy-Preserving Cryptographic Schemes (2021)
Universal Atomic Swaps: Secure Exchange of Coins Across All Blockchains (2021)
Publicly verifiable anonymous tokens with private metadata bit (2022)
AuxChannel: Enabling Efficient Bi-Directional Channel for Scriptless Blockchains (2022)
Multiverse of HawkNess: A Universally-Composable MPC-based Hawk Variant (2022)
Cryptographic Oracle-Based Conditional Payments (2022)
A Privacy-preserving Central Bank Ledger for Central Bank Digital Currency (2023)
PipeSwap: Forcing the Timely Release of a Secret for Atomic Swaps Across All Blockchains (2024)
Practical Non-interactive Multi-signatures, and a Multi-to-Aggregate Signatures Compiler (2024)
Shared-Custodial Password-Authenticated Deterministic Wallets (2024)