1 // Copyright (c) 2020-2022 The Decred developers
2 // Use of this source code is governed by an ISC
3 // license that can be found in the LICENSE file.
4 5 /*
6 Package schnorr provides custom Schnorr signing and verification via secp256k1.
7 8 This package provides data structures and functions necessary to produce and
9 verify deterministic canonical Schnorr signatures using a custom scheme named
10 EC-Schnorr-DCRv0 that is described herein. The signatures and implementation
11 are optimized specifically for the secp256k1 curve. See
12 https://www.secg.org/sec2-v2.pdf for details on the secp256k1 standard.
13 14 It also provides functions to parse and serialize the Schnorr signatures
15 according to the specification described herein.
16 17 A comprehensive suite of tests is provided to ensure proper functionality.
18 19 # Overview
20 21 A Schnorr signature is a digital signature scheme that is known for its
22 simplicity, provable security and efficient generation of short signatures.
23 24 It provides many advantages over ECDSA signatures that make them ideal for use
25 with the only real downside being that they are not well standardized at the
26 time of this writing.
27 28 Some of the advantages over ECDSA include:
29 30 - They are linear which makes them easier to aggregate and use in protocols that
31 build on them such as multi-party signatures, threshold signatures, adaptor
32 signatures, and blind signatures
33 - They are provably secure with weaker assumptions than the best known security
34 proofs for ECDSA
35 - Specifically Schnorr signatures are provably secure under SUF-CMA (Strong
36 Existential Unforgeability under Chosen Message Attack) in the ROM (Random
37 Oracle Model) which guarantees that as long as the hash function behaves
38 ideally, the only way to break Schnorr signatures is by solving the ECDLP
39 (Elliptic Curve Discrete Logarithm Problem).
40 - Their relatively straightforward and efficient aggregation properties make
41 them excellent for scalability and allow them to provide some nice privacy
42 characteristics
43 - They support faster batch verification unlike the standardized version of
44 ECDSA signatures
45 46 # Custom Schnorr-based Signature Scheme
47 48 As mentioned in the overview, the primary downside of Schnorr signatures for
49 elliptic curves is that they are not standardized as well as ECDSA signatures
50 which means there are a number of variations that are not compatible with each
51 other.
52 53 In addition, many of the standardization attempts have various disadvantages
54 that make them unsuitable for use in Decred. Some of these details and some
55 insight into the design decisions made are discussed further in the README.md
56 file.
57 58 Consequently, this package implements a custom Schnorr-based signature scheme
59 named EC-Schnorr-DCRv0 suitable for use in Decred.
60 61 The following provides a high-level overview of the key design features of the
62 scheme:
63 64 - Uses signatures of the form (R, s)
65 - Produces 64-byte signatures by only encoding the x coordinate of R
66 - Enforces even y coordinates for R to support efficient verification by
67 disambiguating the two possible y coordinates
68 - Canonically encodes by both components of the signature with 32-bytes each
69 - Uses BLAKE-256 with 14 rounds for the hash function to calculate challenge e
70 - Uses RFC6979 to obviate the need for an entropy source at signing time
71 - Produces deterministic signatures for a given message and private key pair
72 73 # EC-Schnorr-DCRv0 Specification
74 75 See the README.md file for the specific details of the signing and verification
76 algorithm as well as the signature serialization format.
77 78 # Future Design Considerations
79 80 It is worth noting that there are some additional optimizations and
81 modifications that have been identified since the introduction of
82 EC-Schnorr-DCRv0 that can be made to further harden security for multi-party and
83 threshold signature use cases as well provide the opportunity for faster
84 signature verification with a sufficiently optimized implementation.
85 86 However, the v0 scheme is used in the existing consensus rules and any changes
87 to the signature scheme would invalidate existing uses. Therefore changes in
88 this regard will need to come in the form of a v1 signature scheme and be
89 accompanied by the necessary consensus updates.
90 91 # Schnorr use in Decred
92 93 At the time of this writing, Schnorr signatures are not yet in widespread use on
94 the Decred network, largely due to the current lack of support in wallets and
95 infrastructure for secure multi-party and threshold signatures.
96 97 However, the consensus rules and scripting engine supports the necessary
98 primitives and given many of the beneficial properties of Schnorr signatures, a
99 good goal is to work towards providing the additional infrastructure to increase
100 their usage.
101 */
102 package schnorr
103