http://en.zaoniao.it/index.php?action=history&feed=atom&title=SchnorrSchnorr - Revision history2026-05-15T09:37:33ZRevision history for this page on the wikiMediaWiki 1.32.0http://en.zaoniao.it/index.php?title=Schnorr&diff=6731&oldid=prevAdmin: Created page with "'''Schnorr''' signatures are a proposed future extension that give a new way to generate signatures r, s on a hash h. Given a hash value h, hash function f(), private key x,..."2019-07-10T06:04:21Z<p>Created page with "'''Schnorr''' signatures are a proposed future extension that give a new way to generate signatures r, s on a hash h. Given a hash value h, hash function f(), private key x,..."</p>
<p><b>New page</b></p><div>'''Schnorr''' signatures are a proposed future extension that give a new way to generate signatures r, s on a hash h.<br />
<br />
Given a hash value h, hash function f(), private key x, group generator G, and public key P=xG, we can generate a Schnorr signature on h as follows:<br />
<br />
Choose a random nonce k. Let R=Gk, and let s = k - f(h . R . P)x. The Schnorr signature is the pair (R, s). Note that R is a public key, so would require 33 bytes to represent (32 bytes + 1 bit indicating "even" vs "odd").<br />
<br />
To check the validity of a signature (R, s) against a public key P, do the following:<br />
<br />
Note that sG = (k- f(h . R . P))G = kG - f(h . R . P)xG = R - f(h . R . P)P. So we simply compare sG + f(h . R . P)P to R to check the signature.<br />
<br />
An advantage of this method is that, if parties cooperate, we can generate a single signature that validates two or more separate transactions.<br />
<br />
Choose h1, h2, x1, x2, G, P1=Gx1, P2=Gx2. Each party chooses a nonce yielding k1 and k2, and publicly shares R1=Gk1, R2=Gk2.<br />
<br />
Let R = R1+R2. Each signer generates an s, s1 = k1 - f(h . R . P)x1, s2 = k2 - f(h . R . P)x2. The signature (R, s) where s = s1 + s2 proves both transactions are signed.<br />
<br />
Note that sG = (s1 + s2)G = s1G + s2G = (k1 - f(h . R . P)x1)G + (k2 - f(h . R . P)x2)G = k1G - f(h . R . P)x1G + k2G - f(h . R . P)x2G = R1 + R2 - f(h . R . P)(P1 + P2) = R - f(h . R . P)(P1 + P2)<br />
<br />
To verify, check that sG +f(h . R . P)(P1+P2) is R.<br />
<br />
This can be easily generalized from 2 to N.<br />
<br />
==Source==<br />
<br />
[http://bitcoin.it/ http://bitcoin.it/]<br />
<br />
[[Category:Cryptography]]<br />
[[Category:Technology]]<br />
==See Also on BitcoinWiki==<br />
* [[AITrading]]<br />
* [[ACA Network]]<br />
* [[Photochain]]<br />
* [[Habibicoin]]<br />
* [[IOTW]]</div>Admin