Sign Schnorr #3

Open
LSantos06 opened this issue Mar 25, 2019 · 1 comment

LSantos06 commented Mar 25, 2019

[1] https://en.bitcoin.it/wiki/Schnorr

Schnorr signatures are a proposed future extension that gives a new way to generate signatures (R, s) on a hash h.

Given a hash value h, hash function f(), private key x, group generator G, and public key P=xG, we can generate a Schnorr signature on h as follows:

Choose a random nonce k. Let R=Gk, and let s = k - f(h . R . P)x. The Schnorr signature is the pair (R, s). Note that R is a public key, so would require 33 bytes to represent (32 bytes + 1 bit indicating "even" vs "odd").

[2] https://github.com/bitcoin-core/secp256k1/blob/04c8ef36ad35e846ac27157021a78f79465f2a22/src/modules/schnorr/schnorr_impl.h

Signing:

Inputs: 32-byte message m, 32-byte scalar key x (!=0), 32-byte scalar nonce k (!=0)

Compute point R = k * G. Reject nonce if R's y coordinate is odd (or negate nonce).
Compute 32-byte r, the serialization of R's x coordinate.
Compute scalar h = Hash(r || m). Reject nonce if h == 0 or h >= order.
Compute scalar s = k - h * x.
The signature is (r, s).

[3] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

Input:

- The secret key d: an integer in the range 1..n-1.
- The message m: a 32-byte array

To sign m for public key dG:

- Let k' = int(hash(bytes(d) || m)) mod n[8].
- Fail if k' = 0.
- Let R = k'G.
- Let k = k' if jacobi(y(R)) = 1, otherwise let k = n - k'.
- Let e = int(hash(bytes(x(R)) || bytes(dG) || m)) mod n.
- The signature is bytes(x(R)) || bytes(k + ed mod n).

LSantos06 self-assigned this Mar 25, 2019
LSantos06 changed the title from "Sign Naive Schnorr" to "Sign Schnorr" Mar 30, 2019

LSantos06 commented Mar 30, 2019

- Let k' = int(hash(bytes(d) || m)) mod n.
- Fail if k' = 0.
- Let R = k'G.

[1] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#cite_note-8
[2] https://github.com/bitcoin-core/secp256k1/blob/aa15154a4882a40227a238edef830b85a4942d4f/src/scalar_4x64.h#L12
[3] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L35
[4] https://github.com/bitcoin-core/secp256k1/blob/1e6f1f5ad5e7f1e3ef79313ec02023902bf8175c/src/ecmult_gen.h#L39
[5] https://github.com/bitcoin-core/secp256k1/blob/e34ceb333b1c0e6f4115ecbb80c632ac1042fa49/src/ecmult_gen_impl.h#L124
[6] https://github.com/bitcoin-core/secp256k1/blob/e34ceb333b1c0e6f4115ecbb80c632ac1042fa49/src/group.h#L13
[7] https://github.com/bitcoin-core/secp256k1/blob/ba698f883b7de4f89be073aa8713ae736f5e770d/src/field_5x52.h#L12
[8] https://github.com/bitcoin-core/secp256k1/blob/1e6f1f5ad5e7f1e3ef79313ec02023902bf8175c/src/field.h#L10

- Let k = k' if jacobi(y(R)) = 1, otherwise let k = n - k'.
- Let e = int(hash(bytes(x(R)) || bytes(dG) || m)) mod n.
- The signature is bytes(x(R)) || bytes(k + ed mod n).

[1] https://github.com/bitcoin-core/secp256k1/blob/master/src/field.h#L76
[2] https://github.com/bitcoin-core/secp256k1/blob/1e6f1f5ad5e7f1e3ef79313ec02023902bf8175c/src/num_gmp.h#L14
[3] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L89
[4] https://github.com/bitcoin-core/secp256k1/blob/1e6f1f5ad5e7f1e3ef79313ec02023902bf8175c/src/num.h#L25
[5] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L35
[6] https://github.com/bitcoin-core/secp256k1/blob/1e6f1f5ad5e7f1e3ef79313ec02023902bf8175c/src/num.h#L35
[7] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L66
[8] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L50
[9] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L44
[10] https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar.h#L41
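
The draft BIP signing steps listed in the comments above, as an added Python example that is not part of the original issue or of the project's code. It assumes SHA-256 as `hash` and the 33-byte compressed encoding for `bytes(dG)`, and it goes beyond the listed steps by adding a verifier (`R = sG - eP`) so the signature can be checked; all function names are hypothetical.

```python
import hashlib

# secp256k1: field prime p, group order n, generator G
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(P1, P2):  # affine addition; None is the point at infinity
    if P1 is None or P2 is None: return P1 or P2
    if P1[0] == P2[0] and (P1[1] + P2[1]) % p == 0: return None
    if P1 == P2:
        lam = 3 * P1[0] * P1[0] * pow(2 * P1[1], p - 2, p) % p
    else:
        lam = (P2[1] - P1[1]) * pow(P2[0] - P1[0], p - 2, p) % p
    x3 = (lam * lam - P1[0] - P2[0]) % p
    return (x3, (lam * (P1[0] - x3) - P1[1]) % p)

def point_mul(P, k):  # double-and-add, NOT constant time: illustration only
    R = None
    while k:
        if k & 1: R = point_add(R, P)
        P, k = point_add(P, P), k >> 1
    return R

def bytes_point(P):  # assumed encoding: 33-byte compressed point
    return (b"\x03" if P[1] & 1 else b"\x02") + P[0].to_bytes(32, "big")

def jacobi(y):  # Euler's criterion: 1 iff y is a nonzero square mod p
    return pow(y, (p - 1) // 2, p)
def h_int(data):  # assumed hash: SHA-256, read as a big-endian integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def schnorr_sign(d, m):
    if not 1 <= d < n or len(m) != 32: raise ValueError("bad key or message")
    k0 = h_int(d.to_bytes(32, "big") + m) % n        # k' = int(hash(bytes(d) || m)) mod n
    if k0 == 0: raise RuntimeError("nonce is zero")  # Fail if k' = 0
    R = point_mul(G, k0)                             # R = k'G
    k = k0 if jacobi(R[1]) == 1 else n - k0          # pick k so y(kG) is a square
    rx = R[0].to_bytes(32, "big")
    e = h_int(rx + bytes_point(point_mul(G, d)) + m) % n
    return rx + ((k + e * d) % n).to_bytes(32, "big")

def schnorr_verify(P, m, sig):  # check added here: R = sG - eP must match
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or r >= p or s >= n: return False
    e = h_int(sig[:32] + bytes_point(P) + m) % n
    R = point_add(point_mul(G, s), point_mul(P, n - e))
    return R is not None and jacobi(R[1]) == 1 and R[0] == r
```

Because `k` is negated whenever `y(R)` is not a square, the verifier can recover the same `R` from `x(R)` alone, which is why the signature carries only 32 bytes for `R`.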

LSantos06 reopened this Apr 9, 2019