Schnorr

Schnorr, together with ECDSA, were two new signature algorithms introduced in Plutus during Cardano's Valentine upgrade. MuSig2 is a two-round multi-signature scheme will be integrated to Hydra.

Generalised specification

This section presents the generalized signature system ECDSA and MuSig2. In the [parameter] (#parameters-of-instantiation) section, we present the specific parameters used in Cardano and MuSig2 C implementation.

A Schnorr signature consists of the following three algorithms:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow Z_{q}$ . Finally, compute $v k \leftarrow x \cdot G$ , and return $(x, v k)$ .
$Sign (x, v k, m)$ takes as input a keypair $(x, v k)$ and a message $m$ , and returns a signature $σ$ . Let $r \leftarrow Z_{q}$ . Compute $R = r \cdot G$ , then compute $c \leftarrow H (R, v k, m)$ , and finally compute $s = r + c \cdot x$ . The signature is $σ \leftarrow (R, s)$ .
$Verify (m, v k, σ)$ takes as input a message $m$ , a verification key $v k$ and a signature $σ$ , and returns $result \in {true, false}$ depending on whether the signature is valid or not. The algorithm returns $true$ if $s \cdot G = R + c \cdot v k$

Let $N$ be the number of signers and $V$ be the number of nonces. A two-round multi-signature scheme MuSig2 that outputs an ordinary Schnorr signature includes the following steps:

$KeyGen (1^{λ})$ takes as input the security parameter $λ$ and returns a key-pair $(x, v k)$ . First, it chooses $x \leftarrow Z_{q}$ . Finally, compute $v k \leftarrow x \cdot G$ , and return $(x, v k)$ .
$BatchComm (1^{λ})$ takes as input the security parameter $λ$ and returns $V$ key-pairs ${(r_{1}, R_{1}), \dots, (r_{V}, R_{V})}$ . First, it chooses the nonces $r_{j} \leftarrow Z_{q}$ . Finally, computes the commitments $R_{j} \leftarrow r_{j} \cdot G$ , and returns the list including $V$ tuples of nonces and commitments.
$AggrPubKey ({v k_{1}, \dots, v k_{N}}, v k_{s})$ takes the list of public keys and the signer's public key, returns the aggregate public key $X$ and $a_{s}$ . First creates $L = (v k_{1} ∣∣ v k_{2} ∣∣ \dots ∣∣ v k_{N})$ . Computes $a_{i} = H_{a gg} (L ∣∣ v k_{i})$ for $i = 1 \dots N$ . Finally, generates the aggregate public key by $X = Σ_{i = 1}^{N} (a_{i} \cdot v k_{i})$ and the signer keeps her own $a_{s}$ .
$AggrComm ({R_{11}, R_{12}, \dots, R_{1 V}, \dots, R_{N 1}, \dots, R_{N V}})$ takes the list of all signers' commitment lists, returns the list of aggregate commitments. ${R_{j} = Σ_{i = 1}^{N} (R_{ij})}_{j = 1.. V}$ .
$Sign (x_{s}, v k_{s}, m, X, (R_{1}, \dots, R_{V}), (r_{s 1}, \dots, r_{s V}))$ takes as input the keypair of the signer, a message $m$ , aggregate public key, the list of commitments and the list of nonces of the signer. Returns a signature $σ$ . First, creates $b = H_{n o n} (X ∣∣ (R_{1}, \dots, R_{V}) ∣∣ m) \in Z_{q}$ . Computes $R = Σ_{j = 1}^{V} (R_{j}^{r^{j - 1}})$ and $c = H_{s i g} (X ∣∣ R ∣∣ m)$ . The single signature is calculated as $σ_{s} = c a_{s} x_{s} + Σ_{i = 1}^{V} (r_{s j} b^{j - 1})$ .
$AggrSig ({σ_{1}, \dots, σ_{N}}, R)$ takes the list of all signers' single signatures and aggregate commitment, returns the aggregate signature $(R, σ)$ where $σ = Σ_{i = 1}^{N} (σ_{i})$ .
$Verify (m, X, σ, R)$ takes as input a message, aggregate verification key, aggregate signature, and aggregate commitment. Computes $c = H_{s i g} (X ∣∣ R ∣∣ m)$ and accepts the signature if $σ \cdot G = R + c \cdot X$ .

Parameters of instantiation

The above is the standard definition, and in cardano we instantiate it over curve SECP256k1. Moreover, we follow BIP-0340. The following are the two specifications of the above algorithm required for compatibility. Citing literally BIP-0340:

We use implicit Y coordinates. We encode an elliptic curve point with 32 bytes, and we implicitly choose the Y coordinate that is even[6].
We use tagged hashed of SHA256 for the challenge computation. More precisely, in order to compute H(R, vk, m), one computes SHA256(SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge") || R || vk || m).

More precisely, the following is what is the specification used in the plutus built-in functions:

The verification key must correspond to the (x, y) coordinates of a point on the SECP256k1 curve, where x, y are unsigned integers in big-endian form.
The verification key must correspond to a result produced by secp256k1_xonly_pubkey_serialize. This implies all of the following:
- The verification key is 32 bytes long.
- The bytes of the signature correspond to the x coordinate.
The input to verify is the message to be checked; this can be of any length, and can contain any bytes in any position.
The signature must correspond to a point R on the SECP256k1 curve, and an unsigned integer s in big-endian form.

The signature must follow the BIP-340 standard for encoding. This implies all the following:

The signature is 64 bytes long.
The first 32 bytes are the bytes of the x coordinate of R, as a big-endian unsigned integer.
The last 32 bytes are the bytes of s.

    ┏━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━┓
    ┃ R <32 bytes> │ s <32 bytes>  ┃
    ┗━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━┛
    <--------- signature ---------->

IOG Cryptography Handbook

Schnorr

Generalised specification

Parameters of instantiation