Schnorr protocol

Schnorr Identification Protocol

Identification protocol is different than signature scheme as identification protocol is used to identify that prover holds the private while signature scheme is used to verify that the holder indeed used the private key to sign the message and generate the signature.

Steps followed in schnorr identification protocol:

Let there be two parties $A l e x (P ro v er)$ and $A l i ce (V er i f i er)$ ,

Alex has private key $x$ , public key = $G x (m o d N)$
Generates random value, $Y = G y (m o d N)$
$Y$ is sent to Alice
Alice generates random challenge $c$ , and send to Alex
Alex sends back: $z = y + x c$
Alice verifies: $z . G = y . G + c . x . G = Y + c . P K$

Not feasible, requires interaction from verifier. Also not publicly verifiable as both parties have to be involved.

Non-Interactive protocols like Fiat-Shamir which transforms any interactive to non-interactive.

Schnorr Digital Signature

Used to implement “Proof of Knowledge”. Used in cryptography to prove to verifier that prover knows something $x$ . Verifier gets convinced that they are communicating with the prover without verifier’s knowledge of private key and prover is in fact, right about his private key.

Features:

faster than ECDSA as doesn’t have to calculate $1/ s$
linear

But this also proposes other disadvantages that this signature scheme can’t be used for aggregation and multi-sigs due to its linearity.

Non-interactive Schnorr identification protocol also exists using Fiat-Shamir transformation where challenge $c$ is not generated by verifier but $c = H a s h (g, q, h, u)$ where g: generator, q: prime number, h: public key, u: public key of random nonce

lonerapier.xyz

Explorer

Schnorr protocol

Schnorr Identification Protocol

Schnorr Digital Signature

Graph View

Table of Contents

Backlinks