Schnorr Signatures … How To Sign and Merge Public Keys (with Multiple Signers)

In Feb 1989, Claus Schnorr submitted a patent which was assigned to no one. It has 11 claims, and allowed digital signatures to be merged for multiple signers [here]:

This method has the great advantage that we can have multiple signers to a message or a transaction, and end up with a single signature for all the signers. It is now being used in Bitcoin transactions so that we have an efficient signature for a transaction that involves multiple entities.

The signature

With the Schnorr signature, we create a signature (R,s) for a hash of the message (m). Initially, Peggy (the prover) has a private key r, and her public key will then be:

U=r×G

and where G is the base point on the curve. She then generates random nonce (r_t) for the signing of a message and defines a commitment to this value:

U_t=r_t×G

Next, with a message (m), she computes a challenge (c) with a hash function of:

c=H(m,U_t)