The Schnorr signature is an extension of protocol, and it is considered to solve the space problem of . currently uses the ECDSA algorithm to generate cryptographic signatures for a given message and secp256k1 keypair. Schnorr is an alternative algorithm with several advantages. The main reason that did not originally use Schnorr signatures is that Schnorr was not standardized, and was not available in common crypto libraries.
The Schnorr signature is based on the same security assumptions as ECDSA and is compatible with the elliptic curve that has used, i.e. secp256k1. This means that Schnorr signatures can be created with the same private key and are compatible with the key derivation scheme currently in use. But Schnorr signatures are not yet available in unless hard forked.
This paper introduces the Schnorr signature algorithm and its principles.
Advantages
The Schnorr signature is a multi-signature aggregation algorithm with several advantages:
• First, it reduces the size of an m-n multi-signature. No matter how many users and inputs there are, a single signature can be used for verification, which reduces the size of the block.
• Second, it reduces the time for signature verification. In the case of multi-signatures, only one signature needs to be verified.
• Third, anonymity is improved to some extent. The information of a single user is hidden in the multi-signature.
How it works
Schnorr signatures give a new way to generate a signature pair (r, s) on a hash h.
Generate a Schnorr signature on h as follows:
• Choose a message m. H() is a hash function, x is the private key, G is the group generator, and P = xG is the public key.
• Choose a private random nonce k, compute R = kG, let c = H(R || m), and compute s = k - cx. The Schnorr signature is the pair (R, s).
• sG = (k - cx)G = kG - cxG = R - cP
• Verify: sG + cP =? R
We can generate a single signature that validates n transactions as follows:
• Choose h1, h2, …, hn; private keys x1, x2, …, xn; the generator G; public keys P1 = x1G, P2 = x2G, …, Pn = xnG; and P = P1 + P2 + … + Pn.
• Each party chooses a private nonce k (k1, k2, …, kn) and publicly shares R1 = k1G, R2 = k2G, …, Rn = knG.
• Let R = R1 + R2 + … + Rn and c = H((R1 + R2 + … + Rn) || m) = H(R || m). Each party computes its own s: s1 = k1 - cx1, s2 = k2 - cx2, …, sn = kn - cxn. The signature pair (R, s), where s = s1 + s2 + … + sn, proves that every transaction is signed.
To check the validity of a signature (R, s) against a public key P, do the following:
• sG = (s1 + s2 + … + sn)G = s1G + s2G + … + snG = (k1 - cx1)G + (k2 - cx2)G + … + (kn - cxn)G = k1G - cx1G + k2G - cx2G + … + knG - cxnG = R1 + R2 + … + Rn - c(P1 + P2 + … + Pn) = R - c(P1 + P2 + … + Pn) = R - cP
• Verify: sG + cP =? R
by Lichuan Deng
Published at Mon, 15 Apr 2019 01:45:11 +0000