by gwillen
1083 days ago
As I understand it, Schnorr signatures are the "natural" (and simplest) construction for a digital signature in elliptic curve cryptography. The reason ECDSA exists is simply https://patents.google.com/patent/US4995082 (now expired), which made Schnorr illegal to use, so something worse had to be invented.

Sort of.
Schnorr signatures have a "linearity" property -- if you add together two signatures you get a valid signature of the same text using the sum of the keys.
Sometimes you don't want people to be able to obtain signatures-with-the-sum-of-the-keys, or you don't want to enable bulk key-cracking via the same techniques that allow bulk validation.
Also, confusingly, "EdDSA" signatures (aka ed25519 signatures) are Schnorr signatures:
https://datatracker.ietf.org/doc/html/rfc8032#section-1
... however EdDSA:
1. Uses hashing instead of either multiplicative inverse (slow) or a source of randomness (footgun) for the nonce.
2. Hashes the public key into the signature in order to deliberately break linearity. Signatures with different keys will use different hashes, and hashing isn't linear, so adding the signatures no longer yields anything useful. The signature verifier checks this (they can, since they have your public key), so a defective implementation can't skip this step without producing bogus signatures.
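
The algebra behind the linearity and key-hashing points in the reply above, as an added example that is not part of the thread or of any library. It assumes a toy multiplicative group mod 2^127 - 1 in place of an elliptic curve, constructed keys and nonces, and hypothetical helper names; the plain case adds up because both signers answer the same challenge over a combined nonce commitment.

```python
import hashlib

# Toy group (assumption, NOT secure): integers mod the Mersenne prime 2^127 - 1
# stand in for the elliptic-curve group. Exponents are reduced mod P - 1.
P = 2**127 - 1
N = P - 1
G = 3

def H(*parts):
    """Hash length-prefixed integers and byte strings to a challenge scalar."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % N

def pub(x):
    return pow(G, x, P)

def respond(x, k, e):
    """Schnorr response s = k + e*x for secret key x, nonce k, challenge e."""
    return (k + e * x) % N

def verify(pk, R, s, e):
    """Check g^s == R * pk^e in the toy group."""
    return pow(G, s, P) == (R * pow(pk, e, P)) % P

def demo(msg=b"same text"):
    # Constructed sample keys and nonces, fixed only to keep the run reproducible.
    x1, x2, k1, k2 = 0x1111, 0x2222, 0x3333, 0x4444
    pk1, pk2 = pub(x1), pub(x2)
    R = (pub(k1) * pub(k2)) % P        # combined nonce commitment
    pk_sum = (pk1 * pk2) % P           # "sum of the keys" (a product in this group)

    # Plain Schnorr: the challenge covers only (R, msg), so both signers share it.
    e = H(R, msg)
    s = (respond(x1, k1, e) + respond(x2, k2, e)) % N
    plain_ok = verify(pk_sum, R, s, e)

    # Key-hashed variant: each signer's challenge also covers their own public key.
    e1, e2 = H(R, pk1, msg), H(R, pk2, msg)
    s_kp = (respond(x1, k1, e1) + respond(x2, k2, e2)) % N
    prefixed_ok = verify(pk_sum, R, s_kp, H(R, pk_sum, msg))
    return plain_ok, prefixed_ok

if __name__ == "__main__":
    print(demo())
```

The first result shows the summed responses verifying under the combined key; the second shows the same sum failing once each challenge depends on the signer's own public key.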