Asymmetric signatures
References
- A nice overview of the three main schemes, ElGamal, Schnorr and DSA.
- Overview of paper "Unifying Zero-Knowledge Proofs of Knowledge”, by Ueli Maurer.
- Very nice explanations on the schnorr signature, and its generalisation (sigma protocols, Maurer proofs, Pedersen commitments)
Summary
These are the main asymmetric signature schemes:
- ElGamal
- Schnorr
- DSA
Schnorr signature
- Key generation
- Private key: choose $$k \in \Z_q$$,
- Public key: $$K \gets G^k$$.
- Sign
- Input: message $$m \in \{0,1\}^*$$
- Choose $$r \in \Z_q$$, and compute $$R \gets G^r$$
- Let $$c \gets H(m || R)$$
- Let $$s \gets r + c \cdot k$$
- Ouput $$\sigma \gets (c,s)$$
- Note: here, it is important that $$c$$ be computed as a one-way of $$R$$. Otherwise, one could generate a valid signature without knowing the private key $$k$$.
- Verify
- Let $$R' \gets G^sK^{-c}$$
- Let $$c' \gets H(m || R')$$
- If $$c' = c$$, return 1, otherwise return 0.
Same, but using scalar multiplication instead of exponentiation, and returning R instead of h:
- Sign
- Input: message $$m \in \{0,1\}^*$$
- Choose $$r \in \Z_q$$, and compute $$R \gets r \cdot G$$
- Let $$c \gets H(m || R)$$
- Let $$s \gets r + ck$$
- Ouput $$\sigma \gets (R,s)$$
- Verify
- Let $$c' \gets H(m || R)$$
- Let $$R' \gets s \cdot G - c' \cdot K$$
- If $$R' = R$$, return 1, otherwise return 0.
Schnorr Proof
Schnorr proof is an interactive zero-knowledge proof, where prover has a secret $$x$$ and a public value $$X \in \mathbb G$$. The proof allows the prover to demonstrate to a verifier V that she/he knows $$x$$ without revealing it.
- Prereq: P knows $$x \in \mathbb F_q$$, V knows $$X \in \mathbb G$$
- P chooses at random $$k \in \mathbb F_q$$.
- P computes $$K \gets k \cdot G$$
- P sends $$K$$ to V
- V chooses at random $$c \in \mathbb F_q$$
- V sends $$c$$ to P
- P computes $$s \gets k + c \cdot x$$
- P sends $$s$$ to V
- V verifies that $$s \cdot G = K + c \cdot X$$
It is important here that $$c$$ is sent after the commitment $$K$$, otherwise one can build a simulator that returns $$(K,s)$$ from value $$(X,c)$$, without knowing $$x$$ (first pick $$s$$ at random, then compute the corresponding $$K \gets s \cdot G - c \cdot X$$).
The scheme can be non-interactive using Fiat-Shamir transform, using a hash function H (eg. $$c \gets H(K)$$). Thanks to one-wayness, this prevents the prover to compute both $$K$$ and $$c$$.