
Let $G=\langle P\rangle$ be the subgroup of an elliptic curve generated by a point $P$ of prime order $q$, and let $h(x)$ be a hash function. We want to map the hash of an arbitrary message $m$ to a point in $G$ for use in a signature algorithm (such as BLS).

Why don't we use $k=h(m) \bmod q$ and then $S=kP$, whereas it is clear that the point $S$ is in $G$? What is the flaw of this? Security or efficiency?

kelalaka
Amirhnr

1 Answer


That's insecure.

In BLS signatures: for private key $x$ and public key $X = xP$, the signature is computed as $T = xS$, and the verification checks if $e(T, P) = e(S, X)$, which works because:

  • $e(T, P) = e(xS, P) = e(S, P)^x$
  • $e(S,X) = e(S, xP) = e(S, P)^x$

If you know that $S = kP$, then you can forge a signature for a message with hash $k'$ from a signature of a message with hash $k$ by simply computing $T' = k'k^{-1}T$, which works because:

  • $T' = k'k^{-1}xS = k'k^{-1}xkP = xk'P = xS'$
Conrado
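The forgery from the answer carried out end to end, as an added example that is not part of the question or the answer. It uses a constructed toy group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q+1$, written multiplicatively, so $kP$ becomes $P^k$) and replaces the pairing check $e(T,P) = e(S,X)$ with a brute-force discrete-log decision, which is only possible because the group is tiny. The private key $x$, the messages and the parameters are all constructed; the sound hash-to-group map shown for contrast is the cofactor-clearing approach for this toy group, not a BLS curve routine.

```python
import hashlib

# Constructed toy parameters (not BLS curve parameters): p = 2q + 1 with p, q prime.
P_MOD = 2039
Q_ORDER = 1019
GEN = 4   # a quadratic residue, so it generates the order-q subgroup; plays the role of P

def scalar_mult(k: int, base: int) -> int:
    """kP in the page's additive notation; this toy group is written multiplicatively."""
    return pow(base, k, P_MOD)

def h_mod_q(m: bytes) -> int:
    """The questioned construction: k = h(m) mod q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q_ORDER

def hash_to_group_flawed(m: bytes) -> int:
    """S = kP: everyone who can hash m knows the discrete log k of S."""
    return scalar_mult(h_mod_q(m), GEN)

def hash_to_group_sound(m: bytes) -> int:
    """Hash into Z_p^* and square (cofactor clearing) to land in the subgroup.
    The discrete log of S to base GEN is unknown, so no k'k^{-1} relation is available."""
    r = 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (P_MOD - 1)
    return pow(r, 2, P_MOD)

def sign(x: int, S: int) -> int:
    return scalar_mult(x, S)   # T = xS

def pairing_check(X: int, S: int, T: int) -> bool:
    """Stands in for e(T, P) == e(S, X), which holds iff T == xS for the x with X == xP.
    A pairing decides this without x; in a 1019-element group a brute-force discrete log does too."""
    for x in range(Q_ORDER):
        if scalar_mult(x, GEN) == X:
            return scalar_mult(x, S) == T
    return False

def forge(m_signed: bytes, T_signed: int, m_target: bytes) -> int:
    """The answer's observation: T' = k' k^{-1} T needs only the public hashes, never x."""
    k, k_prime = h_mod_q(m_signed), h_mod_q(m_target)
    return scalar_mult(k_prime * pow(k, -1, Q_ORDER) % Q_ORDER, T_signed)

def demo(hash_to_group) -> tuple:
    """Returns (honest signature verifies, forged signature on a second message verifies)."""
    x = 123                                               # constructed private key
    X = scalar_mult(x, GEN)                               # public key X = xP
    m_signed, m_target = b"message one", b"message two"   # constructed messages
    S = hash_to_group(m_signed)
    T = sign(x, S)
    T_forged = forge(m_signed, T, m_target)               # uses h_mod_q only; x is never touched
    return (pairing_check(X, S, T), pairing_check(X, hash_to_group(m_target), T_forged))

if __name__ == "__main__":
    print("flawed map:", demo(hash_to_group_flawed))   # (True, True)
    print("sound map: ", demo(hash_to_group_sound))    # (True, False)
```

With the sound map the forger would need the discrete log of $S$ to base $P$, which is exactly what a proper hash-to-curve construction withholds.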