Schnorr Signatures
Way nicer and simpler than DSA/ECDSA.
Hint: For elliptic curves we use additive notation for groups
- \(G\) : base point of the elliptic curve
- \(q\) : order of the elliptic curve
- \(\mathbb{Z}_q\) : set of integers modulo \(q\)
- \(d\) : private key (scalar)
- \(P\) : public key (point)
- \(m\) : message
Key Generation
- Generate private key: \(d \leftarrow \mathbb{Z}_q\)
- Calculate public key: \(P = dG\)
Signature Generation
Sign message \(m\)
- Generate random nonce: \(r \leftarrow \mathbb{Z}_q\)
- Compute point: \(R = rG\)
- Hash nonce (x-coordinate) and message: \(e = H(R_x\;||\;m)\)
- Compute \(s = (r - ed) \bmod q\)
- The signature is: \((s, e)\)
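Signature Verification
Verify a signature \((s,e)\) on a message \(m\) with the public key \(P\)
- Compute: \(R' = sG + eP\)
- Compute: \(e' = H(R'_x\;||\;m)\)
- Signature is valid if \(e' = e\)
For an honest signature this holds because \(R' = sG + eP = (r - ed)G + e(dG) = rG = R\), so both hashes take the same input.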
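The key generation, signing and verification steps above as runnable Python, added here as an illustration and not part of the original notes. The curve (secp256k1), the hash (SHA-256) and all function names are assumptions of this example; the notes fix none of them.

```python
import hashlib
import secrets

# Assumed parameters (not from the notes): secp256k1, SHA-256. Not constant-time.
p = 2**256 - 2**32 - 977  # field prime
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # A + (-A)
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication kA
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def H(R, m):  # e = H(R_x || m), reduced into Z_q
    return int.from_bytes(hashlib.sha256(R[0].to_bytes(32, "big") + m).digest(), "big") % q

def keygen():
    d = secrets.randbelow(q - 1) + 1  # private key in [1, q-1]
    return d, mul(d, G)               # P = dG

def sign(d, m):
    r = secrets.randbelow(q - 1) + 1  # fresh random nonce for every signature
    e = H(mul(r, G), m)               # R = rG, e = H(R_x || m)
    return ((r - e * d) % q, e)       # (s, e)

def verify(P, m, sig):
    s, e = sig
    if not (0 <= s < q and 0 <= e < q):  # reject out-of-range scalars
        return False
    R = add(mul(s, G), mul(e, P))        # R' = sG + eP
    return R is not None and H(R, m) == e
```

Messages are passed as `bytes`; `verify` returns `False` for a changed message, a changed `s`, or a different public key.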
Schnorr signatures have several appealing properties, including:
- Provable Security: Schnorr signatures have a strong security proof in the random oracle model.
- Efficiency: Schnorr signatures involve relatively efficient computational operations.
- Non-malleability: It's computationally infeasible to modify a Schnorr signature into a valid signature for a different message or a different signer.
- Linearity: Schnorr signatures have a linear structure, which allows for multi-signature (group of signers signs a message) and threshold signature schemes.