Building a decentralized, trust-free financial system requires trust more than anything else. That may sound contradictory, but trustlessness means not having to trust any third party, be it an individual, a group or a government.
To achieve this, processes must be designed so that security and the confidentiality of information can be guaranteed in a provable way. This is where mathematics and cryptography come in.
The very possibility of digital currencies is so closely tied to cryptography that it is no accident this group of digital currencies is called “cryptocurrencies”.
The Schnorr signature is a cryptographic scheme that found a new use in digital currencies after Bitcoin's Taproot upgrade.
In the rest of this article we take a closer look at the Schnorr signature, some of its features and its applications in the Bitcoin network.
In this article we will cover:
- What is Schnorr signature?
- How does Schnorr signature work in practice?
- What are the characteristics of Schnorr signature?
What is Schnorr signature?
The idea of digital ownership originated with the concept of public/private-key cryptography introduced by Diffie and Hellman in 1976.
The idea has remained constant over the years, while the techniques for realizing it have steadily improved. One development from the early 1990s is the brainchild of Claus-Peter Schnorr, a professor at the University of Frankfurt, who presented in a paper the principles of a digital signature and identification scheme that came to bear his name.
He patented his design, perhaps inadvertently causing his technique, which is better than the Elliptic Curve Digital Signature Algorithm (ECDSA), to be overlooked for a long time.
His patent remained valid until 2008. Interestingly, the predecessor of ECDSA, the DSA algorithm, was created to circumvent Schnorr's patent.
One of the important choices Satoshi Nakamoto faced when specifying the Bitcoin protocol was the choice of the digital signature algorithm.
He chose ECDSA, probably because it was already standardized and supported out of the box by the OpenSSL library on which the Bitcoin code depended heavily.
The idea of including Schnorr signatures in the Bitcoin protocol was first raised in 2014 on the Bitcoin Talk forum. Four years later, in 2018, Pieter Wuille prepared the first draft for including this signature.
In 2020 the proposal was formalized as BIP-340, and in 2021 it was finally activated as part of the upgrade known as Taproot.
But what is Schnorr signature?
A Schnorr signature is a digital signature produced by Schnorr's algorithm. The scheme is simple in nature, and its security rests on the hardness of the discrete logarithm problem.
The algorithm produces short signatures. Its security proof relies on the random oracle model and needs fewer security assumptions than ECDSA.
How does Schnorr signature work in practice?
Below we check, using an example, how the validity of this signature scheme can be proved and verified without exposing the private key. Suppose there are two people, A and B. Person A has announced that he holds a public key and is ready to receive and send information with it. Person B thinks person A is lying.
To prove his honesty without revealing the private key corresponding to his public key, person A proceeds as follows. This is how the Schnorr signature works:
Suppose the following parameters exist: p, q, a, s, v, r, X, e and y.
p is a prime number, q is a prime factor of p-1 (that is, q divides p-1), and a is chosen such that a^q leaves a remainder of one when divided by p (a^q = 1 mod p).
These three parameters are public and anyone may know their values. We also have the following two values:
s, the private key, with 0 < s < q, and v, the public key, with the value v = a^-s mod p.
v (the public key) is public, but only person A knows s.
Now, if he wants to send a message M, he performs the following steps:
- First, he chooses a random number r with 0 < r < q.
- Then he calculates X = a^r mod p.
- Having computed X, he appends it to the message (similar to string concatenation in programming). After concatenating M and X (written M || X), he feeds the result to the hash function and stores the output as e:
e = H(M || X), where H() is the hash function.
- Finally, he calculates y = (r + s*e) mod q.
With all the calculations done, person A sends the following two items to the receiver:
- the message M
- the signature, consisting of e and y
Now let's check what information person B has available:
- the public key v of person A;
- the prime number p;
- q, the factor of p-1;
- the value of a.
Person B now calculates the value Z as follows:
Z = a^y * v^e mod p
On the other hand, we know that v = a^-s. Substituting this into the equation:
Z = a^y * a^(-s*e) = a^(y - s*e) mod p
We also know that y = r + s*e mod q, which means that r = y - s*e mod q. (Because a^q = 1 mod p, reducing the exponent modulo q does not change the result.)
Inserting this value, we get:
Z = a^r mod p
As we saw above, this value equals X. But person B does not know X, because he never received it.
So he does the following: he concatenates M and Z and feeds the result to the hash function. If the output equals e, then X and Z were the same.
This proves that the only way person A could have produced such an output was by holding the correct private key.
With this method he can prove that he sent the message (or prove his identity) without revealing the private key.
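To make the procedure above concrete, here is an added example (not code from the article) that implements this classic modulo-p Schnorr scheme in Python; the toy parameters p = 23, q = 11, a = 2, the use of SHA-256 as H, and the sample messages are all constructed for illustration, and this is not the elliptic-curve BIP-340 variant used by Bitcoin.

```python
import hashlib
import secrets
from typing import Optional

# Toy public parameters, constructed for illustration (far too small for real use):
# p is prime, q is a prime factor of p - 1, and a has order q mod p (a^q = 1 mod p).
P, Q, A = 23, 11, 2

def keygen(s: Optional[int] = None) -> tuple:
    """Return (private key s, public key v = a^-s mod p)."""
    if s is None:
        s = secrets.randbelow(Q - 1) + 1      # 0 < s < q
    v = pow(A, -s, P)                         # modular inverse of a^s mod p
    return s, v

def hash_commit(message: bytes, x: int) -> int:
    """e = H(M || X), with X encoded as fixed-width bytes before hashing."""
    digest = hashlib.sha256(message + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big")

def sign(message: bytes, s: int, r: Optional[int] = None) -> tuple:
    """Produce the signature (e, y) on message with private key s."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1      # fresh random nonce, 0 < r < q
    x = pow(A, r, P)                          # X = a^r mod p
    e = hash_commit(message, x)               # e = H(M || X)
    y = (r + s * e) % Q                       # y = (r + s*e) mod q
    return e, y

def verify(message: bytes, v: int, sig: tuple) -> bool:
    """Recompute Z = a^y * v^e mod p and check that H(M || Z) == e."""
    e, y = sig
    z = (pow(A, y, P) * pow(v, e, P)) % P
    return hash_commit(message, z) == e

def demo() -> tuple:
    """Honest signature verifies; the same signature on an altered message fails."""
    s, v = keygen()
    msg = b"pay 1 BTC to B"                   # constructed sample message
    sig = sign(msg, s)
    return verify(msg, v, sig), verify(b"pay 9 BTC to B", v, sig)

if __name__ == "__main__":
    print(demo())  # (True, False)
```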
In the blockchain, the message M can be a transaction spending an unspent output locked to the public key.
That way, only the owner of the private key can spend that output, and nodes can confirm its authenticity without knowing the private key.
What are the characteristics of Schnorr signature?
As mentioned, BIP-340 standardized the Schnorr signature for use in the Bitcoin protocol. According to the proposal, the features that prompted its authors, Pieter Wuille, Jonas Nick and Tim Ruffing, to propose the signature are as follows:
- Provably secure: the Schnorr signature is provably secure. More precisely, it is strongly unforgeable under chosen-message attack (SUF-CMA).
- Non-malleability: a consequence of the previous property is that Schnorr signatures are non-malleable, whereas ECDSA signatures are inherently malleable. Malleability means that a third party, without access to the private key, can manipulate a valid signature for a given public key and message into a different signature that is still valid for the same message and key.
- Linearity: there is no division (modular inversion) in the creation and verification of Schnorr signatures, which implicitly gives the scheme the very important property of linearity. Linearity allows the owners of several public keys to form a common key that is the sum of their public keys. This is the cornerstone of higher-level features such as secure multi-signature payments and smart contracts.
After standardization, other positive features emerged as well. For example, its fixed, short length (64 bytes) compared to ECDSA signatures (between 70 and 72 bytes) reduces wasted block space and increases transaction throughput (some studies report that replacing ECDSA with Schnorr improves this metric by 2%).
One unpleasant feature of ECDSA is that a set of signatures cannot be verified faster than verifying each one individually, whereas Schnorr signatures can be combined and verified faster and more efficiently in batches. Also, Schnorr public keys occupy 32 bytes instead of the usual 33.
Since the Taproot upgrade (including the Schnorr signature scheme) is a soft fork, ECDSA signatures can still be used on the Bitcoin network.
One of the most important properties of Schnorr signatures is privacy in multi-signature payments (threshold signatures). In earlier n-of-m signature schemes, these transactions not only left a distinctive footprint on the network, but also revealed which parties had signed the transaction.
With Schnorr signatures, all these signatures are combined into a single signature; besides reducing the space occupied in the block (and significantly reducing the transaction fee), the privacy of the signers is also preserved.
By the same logic, transactions that open and close Lightning payment channels have the same format as ordinary transactions.
Digital signatures and the corresponding cryptographic schemes are the cornerstone of the security of users' assets in blockchain networks.
Clearly, improving the techniques in use toward more efficient and safer ones can safeguard users' funds and give them a more pleasant experience. The Bitcoin network took a big step toward this goal by adding the Schnorr signature to its protocol last year.
In this article we learned about the Schnorr signature and its history, explained with an example how its validity is verified, and outlined its most important features.
How much do you care about security and cryptography? Please share your views with us.