Schnorr Zero Knowledge Proofs With Elliptic Curves
In Feb 1989, Claus Peter Schnorr submitted a patent that was assigned to no one. It had 11 claims and allowed digital signatures to be merged for multiple signers [here]:
This method has the great advantage that we can have multiple signers to a message or a transaction and end up with a single signature for all the signers. It is now being used in Bitcoin transactions so that we have an efficient signature for a transaction that involves multiple entities.
With the Schnorr signature, we create a signature (R,s) for a hash of the message (m). Initially, Peggy (the prover) has a private key x, and her public key will then be:
and where G is the base point on the curve. She then generates random nonce (r_t) for the signing of a message and defines a commitment to this value:
Next, with a message (m), she computes a challenge (e) with a hash function of:
Next, Peggy computes:
Peggy then sends e,s to Victor (the verifier). Victor then determines if:
These should equal each other. This works because: