Introduction to Schnorr Signatures

Overview

Private-public key pairs are the cornerstone of much of the cryptographic security underlying everything from secure web browsing to banking to cryptocurrencies. Private-public key pairs are asymmetric. This means that given one of the numbers (the private key), it’s possible to derive the other one (the public key). However, doing the reverse is not feasible. It’s this asymmetry that allows one to share the public key, uh, publicly and be confident that no one can figure out our private key (which we keep very secret and secure).

Asymmetric key pairs are employed in two main applications:

in authentication, where you prove that you have knowledge of the private key; and
in encryption, where messages can be encoded and only the person possessing the private key can decrypt and read the message.

In this introduction to digital signatures, we’ll be talking about a particular class of keys: those derived from elliptic curves. There are other asymmetric schemes, not least of which are those based on products of prime numbers, including RSA keys [1].

We’re going to assume you know the basics of elliptic curve cryptography (ECC). If not, don’t stress, there’s a gentle introduction in a previous chapter.

Let’s get Started

This is an interactive introduction to digital signatures. It uses Rust code to demonstrate some of the ideas presented here, so you can see them at work. The code for this introduction uses the tari_crypto library.

Tari makes use of the Ristretto elliptic curve in its cryptography ([Why Risretto?]).

This particular implementation has some nice features. We’ve overridden the + (addition) and * (multiplication) operators so that the Rust code looks a lot more like mathematical formulae. This makes it much easier to play with the ideas we’ll be exploring.

Basics of Schnorr Signatures

Public and Private Keys

The first thing we’ll do is create a public and private key from an elliptic curve.

On Ristretto, a private key is simply a scalar integer value between 0 and ~$2^{256}$. That’s roughly how many atoms there are in the universe, so we have a big sandbox to play in.

<aside> 📘 ECC 概念 https://t.me/laiskynotes/168

</aside>

We have a special point on the Ristretto curve called G, which acts as the “origin”. A public key is calculated by adding G on the curve to itself, $k_a$ times. This is the definition of multiplication by a scalar, and is written as:

$$ P_a=k_aG $$