Paper 2020/061
Simple Schnorr Signature with Pedersen Commitment as Key
Gary Yu
Abstract
In a transactionoutputbased blockchain system, where each transaction spends UTXOs (the previously unspent transaction outputs), a user must provide a signature, or more precisely a \(\textit{scriptSig}\) for Bitcoin, to spend an UTXO, which proves the ownership of the spending output. When Pedersen commitment \(g^xh^a\) or ElGamal commitment \((g^xh^a,h^x)\) introduced into blockchain as transaction output, for supporting confidential transaction feature, where the input and output amounts in a transaction are hidden, the prior signature schemes such as Schnorr signature scheme and its variants does not directly work here if using the commitment as the public key, since nobody including the committer knows the private key of a \(g^xh^a\) when $a$ is not zero, meaning no one knows the $c$ such that \((g^c=g^xh^a)\). This is a signature scheme which is able to use the \(C=g^xh^a\) as the signature public key for any value of $a$. The signer, proceeding from a random Pedersen commitment \(R=g^{k_1}h^{k_2}\), generates a random bit sequence $e$, by multiplication of a stored private key $x$ with the bit sequence $e$ and by addition of the random number $k_1$ to get the $u$, by multiplication of the committed value $a$ with the bit sequence $e$ and by addition of the random number $k_2$ to get the $v$, finally constructs \(\sigma=(R,u,v)\) as the signature, with the corresponding public key $C$. In turn, the verifier calculates a Pedersen commitment \(S=g^uh^v\), and accepts the signature if \(S=RC^e\). For an electronic signature, a hash value $e$ is calculated from a random Pedersen commitment $R$, the Pedersen commitment $C$, and from the message $m$ to be signed. This signature scheme will be very helpful in the design of a noninteractive transaction in Mimblewimble.
Note: Add 2 more paragraphs: 3.2 Roguekey attack on multisignatures scheme; 3.3 Optimization for Multiple Inputs Single Signer. A little bit more optimization.
Metadata
 Available format(s)
 Category
 Publickey cryptography
 Publication info
 Preprint. MINOR revision.
 Keywords
 Schnorr signaturesBitcoinMimblewimblePedersen commitmentGrinGotts
 Contact author(s)
 gary yu @ gotts tech
 History
 20200223: last of 2 revisions
 20200121: received
 See all versions
 Short URL
 https://ia.cr/2020/061
 License

CC BY
BibTeX
@misc{cryptoeprint:2020/061, author = {Gary Yu}, title = {Simple Schnorr Signature with Pedersen Commitment as Key}, howpublished = {Cryptology ePrint Archive, Paper 2020/061}, year = {2020}, note = {\url{https://eprint.iacr.org/2020/061}}, url = {https://eprint.iacr.org/2020/061} }