Qinwen
Apr 3, 2019

Introduction to Schnorr Signature

The digital signature algorithm was proposed by American cryptographers Whitfield Diffie and Martin Hellman (both Turing Award winners in 2015). In the early period of public key cryptography, the RSA algorithm was used to implement signatures; later, the development of discrete-logarithm and elliptic-curve cryptography led to the emergence of signature algorithms such as ElGamal and ECDSA. Compared with RSA at the same security level, ECDSA has the advantages of shorter keys and higher signing performance. Therefore, in the early stage of cryptocurrency, Bitcoin, Ethereum, EOS and Bitshares all use the ECDSA algorithm over the secp256k1 curve.

The Schnorr signature algorithm was proposed by the German cryptographer Claus Schnorr in 1991. It was patent protected before 2008, so it is not popular, but compared with ECDSA it is more secure (stronger resistance to side-channel attacks), simpler in form (simplified batch verification), slightly higher in performance (slightly faster signing), supports non-interactive key exchange (NIKE), and so on.

Another feature that is more suitable for the cryptocurrency field is that the Schnorr algorithm natively supports multi-signatures with high privacy: only the parties involved in the signature know the identities of the signers, and a third party cannot distinguish them (similar to a group signature or ring signature).

ECDSA needs to implement multi-signature through threshold cryptography, which is difficult, requires very skillful construction, and is extremely complex.

Of course, Schnorr also has its shortcomings. For example, multi-signatures require more interaction: as the number of participating signers increases, the number of interactions increases rapidly.

In recent years, multi-signature improvements have included the Polycheck scheme, which maps multi-signature conditions into mathematical formulas and then simplifies multi-signatures through equation simplification methods, and the tree signatures scheme proposed by Pieter Wuille, which transforms the conditions into a Merkle tree so that more complex combined multi-signature schemes can be implemented. For example, an authorization may require two people to agree at the same time, or two of three other people to agree, in order to take effect. However, the above solutions are not ideal, and more exploration is needed.

Due to patent issues, etc., there are currently few hardware chips supporting the Schnorr algorithm.

However, the Schnorr algorithm supports the BIP32 derivation algorithm; the corresponding sacrifice is that an additional 32 bytes of public key are required, because the public key cannot be directly recovered from the signature. Ed25519, another scheme competing with ECDSA, does not support it (or has no standard BIP32 derivation). For this reason, and because of the simpler native multi-signature algorithm mentioned above, the Schnorr algorithm is now becoming popular in the cryptocurrency field.

Currently, Polkadot officially uses the Schnorr algorithm on the curve25519 curve for most of its signatures (a small number of uses of the secp256k1 curve are still needed to maintain compatibility). The curve25519 curve was proposed by Daniel J. Bernstein in 2006. Compared with the secp256k1 curve, the performance of the Schnorr algorithm is not much different and the security is at least the same (there is currently some controversy about possible future attacks on secp256k1, but curve25519 has no similar problem).

by Kolidat Min

kolidat@gmail.com

https://www.linkedin.com/in/kolidat-min-149238136/