
1. ECC public key & private key

On secp256k1, a private key is simply a scalar integer value between 0 and ~2^256. That’s roughly how many atoms there are in the universe, so we have a big sandbox to play in.
We have a special point on the secp256k1 curve called G, which acts as the “origin”. A public key is calculated by adding G on the curve to itself, k_a times. This is the definition of multiplication by a scalar, and is written as:
P_a=k_aG

2. Schnorr signatures

A valid digital signature is evidence that the person providing the signature knows the private key corresponding to the public key with which the message is associated, or that they have solved the Discrete Log Problem.

The process of creating a signature is typically:

  1. Generate a secret once-off number (called a nonce), r.
  2. Create a public key, R, from r (where R=r.G).
  3. Send the following to Bob, your recipient: your message (m), R, and your public key (P=k.G).

The actual signature is created by hashing the combination of all the public information above to create a challenge, e:

e=H(R||P||m)

The hashing function is chosen so that e has the same range as your private keys. In our case, we want something that returns a 256-bit number, so SHA256 is a good choice.

Now the signature is constructed using your private information:

s=r+ke

Bob can now also calculate e, since he already knows m, R, P and the hash function H. But he doesn’t know your private key k, or nonce r.
The reasoning is as follows:
sG=(r+ke)G
Multiply out the right-hand side:
sG=rG+(kG)e
Substitute R=rG and P=kG and we have:
sG=R+Pe
Bob knows s, G, R, P and e, so he can compute both sides of sG=R+Pe and check whether the equation holds.
So Bob must just calculate the public key corresponding to the signature (s.G) and check that it equals the right-hand side of the last equation above (R+P.e), all of which Bob already knows.

3. Why the Schnorr signature introduces the random number r

Without the random number r, one would naïvely sign a message m with

e=H(P||m)

and then the signature would be

s=ek

Now as before, we can check that the signature is valid:

sG=ekG=e(kG)=eP

So far so good. But anyone can read your private key now because s is a scalar, so k=s/e is not hard to do. With the nonce you have to solve k=(s−r)/e, but r is unknown, so this is not a feasible calculation as long as r has been chosen randomly.

Leaving off the nonce is indeed highly insecure.

The Schnorr signature is considered the simplest digital signature scheme to be provably secure in a random oracle model. It is efficient and generates short signatures. It was covered by U.S. Patent 4,995,082, which expired in February 2008.

In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated it responds the same way every time that query is submitted.
Stated differently, a random oracle is a mathematical function chosen uniformly at random, that is, a function mapping each possible query to a (fixed) random response from its output domain.
