crypto-snippets/schnorr
Schnorr Signature
\(\gdef\system{\mathsf{Sig}}\) \(\gdef\systemprefix{}\) \(\gdef\keygen{\mathsf{\systemprefix{}KGen}}\) \(\gdef\sign{\mathsf{\systemprefix{}Sign}}\) \(\gdef\verify{\mathsf{\systemprefix{}Verify}}\) \(\gdef\msgspace{\mathcal{M}}\) \(\gdef\group{\mathbb{G}}\) \(\gdef\gen{g}\)
\(\gdef\order{q}\) \(\gdef\hash{\mathsf{H}}\)
Given a cyclic group \(\group\) of prime order \(\order\), generator \(\gen \in \group\), and a hash function \(H\), the schnorr signature algorithm instantiates a digital signature scheme as follows:
\(\keygen(1^n) \to (pk, sk)\)
- Sample random \(x \stackrel{\$}{\gets} \mathbb{Z}_\order\)
- \(X := \gen^x\)
- Output \((pk := X, sk := x)\)
\(\sign(sk, m) \to \sigma\)
- Sample random \(r \stackrel{\$}{\gets} \mathbb{Z}_\order\)
- \(R := \gen^r\)
- \(c \gets \hash(X \| R \| m)\)
- \(s := r + cx\)
- Output \(\sigma := (R, s)\)
\(\verify(pk, m, \sigma) \to \{0,1\}\)
- Parse \((R, s) := \sigma\)
- Output \(g^s \stackrel{?}{=} RX^c\)
Correctness
This works because:
- \(g^s \stackrel{?}{=} RX^c\)
- \(g^{r + cx} \stackrel{?}{=} g^r (g^x) ^c\)
- \(g^{r + cx} \stackrel{?}{=} g^r g^{xc}\)
- \(g^{r + cx} = g^{r + xc}\)
Last modified June 16, 2025, 3:16 p.m.