International Association
for Cryptologic Research

An alleged theorem of Neven, Smart and Warinschi (NSW) about the

security of Schnorr signatures seems to have a flaw described in

this report.

Schnorr signatures require representation of an element in a

discrete logarithm group as a hashable bit string. This report

describes a defective bit string representation of elliptic curve

points. Schnorr signatures are insecure when used with this

defective representation. Nevertheless, the defective

representation meets all the conditions of the NSW theorem.

Of course, a natural representation of an elliptic curve group

element would not suffer from this major defect. So, the NSW

theorem can probably be fixed.