We know that the Schnorr signature scheme works like this:
Key Generation
- Define the curve $E$, the field $F_q$, the group order $N$, the generator $G$, and the hash function $h$.
- Private key: $d \in (0, N)$; public key: $P = dG$.
Signing
- Pick a random $k \in (1, N)$ and compute $R = kG$.
- $c = h(R \| M)$, $s = (k + d \cdot c) \bmod N$.
- Signature: $(R, s)$.
Verification
- Compute $c = h(R \| M)$ and check $sG = R + cP$.
- Valid if the equation holds.
Related-key attack:
A related-key attack targets the Schnorr signature scheme by exploiting additive modifications to public keys.
If an attacker has a valid signature $(R, s)$ for a public key $P$, they can generate another valid signature $(R, s + ac)$ for the related public key $P + aG$, where $a$ is a scalar. Thus, public keys generated via additive modifications are vulnerable, as the attacker can forge valid signatures.
My doubt
What I don't understand is how this attack works in a real scenario. What should an attacker actually do?
The attacker would have to hope to find a victim with the particular public key $P + aG$. The attacker can't arbitrarily choose this public key. While the attacker can modify the scalar $a$, it is dependent on the original public key $P$, so the victim's public key can't be chosen freely.
So, how does this attack manifest in the real world? Am I missing something here?
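To make the question concrete, here is an added worked example in Python (not part of the original post). It implements the scheme exactly as written above, on secp256k1 (an assumption, since the question names no curve), derives $(R, s + ac)$ for $P + aG$ from a signature under $P$ without the private key, and then repeats the same step against a key-prefixed challenge $c = h(R \| P \| M)$, where the derived signature no longer verifies. The function names and the message are constructed for this example.

```python
import hashlib, secrets
# Curve is an assumption (the question names none): secp256k1, y^2 = x^3 + 7 mod P_MOD.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P_MOD) % P_MOD
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return (x, (lam * (A[0] - x) - A[1]) % P_MOD)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(R, M, P=None):
    """c = h(R || M) as in the question; if P is given, key-prefixed c = h(R || P || M)."""
    enc = lambda Q: Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")
    data = enc(R) + (enc(P) if P else b"") + M
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(d, M, prefixed=False):
    k = secrets.randbelow(N - 1) + 1                       # k in (1, N)
    R = mul(k, G)
    return R, (k + d * challenge(R, M, mul(d, G) if prefixed else None)) % N
def verify(P, M, sig, prefixed=False):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, M, P if prefixed else None), P))
def related_key(P, M, sig, a, prefixed=False):
    """Given (R, s) valid under P, build (R, s + a*c) for P + aG without knowing d."""
    R, s = sig
    P2 = add(P, mul(a, G))
    return P2, (R, (s + a * challenge(R, M, P2 if prefixed else None)) % N)

def demo(d, a, M=b"constructed message"):
    P, out = mul(d, G), []    # per variant: (original verifies, related-key signature verifies)
    for prefixed in (False, True):
        sig = sign(d, M, prefixed)
        P2, sig2 = related_key(P, M, sig, a, prefixed)
        out.append((verify(P, M, sig, prefixed), verify(P2, M, sig2, prefixed)))
    return out   # [(True, True), (True, False)]
```

With the plain challenge $c = h(R \| M)$ the derived pair verifies under $P + aG$ because $c$ does not depend on the key; once $P$ is hashed into $c$, the challenge under $P + aG$ differs and the same trick fails.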