diff --git a/Claus-Peter_Schnorr.jpg b/Claus-Peter_Schnorr.jpg new file mode 100644 index 0000000..de7ea8a Binary files /dev/null and b/Claus-Peter_Schnorr.jpg differ diff --git a/dlc.md b/dlc.md index 3839a45..798bba3 100644 --- a/dlc.md +++ b/dlc.md @@ -4,7 +4,7 @@ is a wordplay on the "discrete logarithm problem" and the fact that contracts ar ### Refresher -s = k - h * d +s = k - hash(message || R || P) * d R = k*G @@ -15,7 +15,9 @@ Alice and Bob want to bet against each other, Olivia is the oracle Olivia just publishes one R for that particular bet (she commits to a R value). All possible outcomes need to be known in advance! Now anyone can calculate -si * G. Let's say the bet is "heads" vs. "tails". +si * G. + +Let's say the bet is "heads" vs. "tails". so - sHEADS * G = R - hash("heads" || R)*O diff --git a/schnorr.md b/schnorr.md index ac08034..3b29b4a 100644 --- a/schnorr.md +++ b/schnorr.md @@ -1,10 +1,12 @@ ## Schnorr Signature Scheme -It was invented by german mathematician Claus-Peter Schnorr. Unfortunately he patented the scheme in 1988 (it expired in February 2008). So during the creation of Bitcoin it was "free", unfortunately the space lacked good libraries. Therefore ECDSA scheme was used. +It was invented by german mathematician Claus-Peter Schnorr ![Claus-Peter Schnorr](./Claus-Peter_Schnorr.jpg). + +Unfortunately he patented the scheme in 1988 (patent expired in February 2008). So during the creation of Bitcoin it was "free", unfortunately the space lacked good libraries. Therefore ECDSA scheme was used (which is more complicated on purpose to not violate the patent). ### Signature -Signature is the pair (R, s) that must be in a certain relation. +Signature is the pair (R, s) that must be in a certain relation (very similar to ECDSA just that s is calculated differently) We choose a random integer k and calculate 
@@ -33,6 +35,7 @@ s * G = k * G - (h * d)*G s * G = k * G - d*G * h s * G = R - P * h + h = hash(message || R || P) which we can verify since we have all that public data: @@ -60,16 +63,15 @@ If it isn't you can factor out d - which is your private key! ### MuSig (n/n) -Unlike ECDSA Schnorr signatures are linear and can be combined. -It is possible to "compress" multiple public keys into one and then -also signers can cooperate and produce master private key for spending the funds. +Unlike ECDSA Schnorr signatures are linear and can be combined. It is possible to "compress" multiple public keys into one and then also signers can cooperate and produce "master" private key corresponding to the master public key for spending the funds. ### Ring signatures -[Abe, Okhubo, Suzuki](https://cryptoservices.github.io/cryptography/2017/07/21/Sigs.html) usage of Schnorr signatures +[Abe, Okhubo, Suzuki](https://cryptoservices.github.io/cryptography/2017/07/21/Sigs.html) usage of Schnorr signatures. -Idea is that you have participants P1, P2 ... Pn -Anyone can sign but you can't know which of them was it. +Idea is that you have participants with public keys P1, P2 ... Pn. + +Anyone can sign but you can't know which of them did it. Something similar is used in Monero. [Previous - ECC](./ecc101.md)
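Review bot: In dlc.md, the Refresher line now commits to the public key (`s = k - hash(message || R || P) * d`), but the oracle equation left as context in the following hunk still reads `sHEADS * G = R - hash("heads" || R)*O`, with no key inside the hash. The two formulas on the same page no longer agree. Either write the oracle challenge as `hash("heads" || R || O)` or add a sentence explaining why the oracle variant omits the key. The second dlc.md hunk also leaves `si * G.` as a standalone fragment; it would read better with the subscript explained, for example "for each outcome i".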
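Review bot: In the first schnorr.md hunk, the added parenthetical "(which is more complicated on purpose to not violate the patent)" states design intent as fact with no source; link a reference or soften the wording. In the same hunk the image is embedded mid-sentence before the period (`Claus-Peter Schnorr ![Claus-Peter Schnorr](./Claus-Peter_Schnorr.jpg).`), which renders the picture inline with the text; move it to its own line after the sentence. The new binary `Claus-Peter_Schnorr.jpg` arrives with no source or licence note, "german" should be capitalised, and the rewritten Signature sentence lost its closing period.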
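Review bot: In the schnorr.md hunk at `@@ -33,6 +35,7 @@`, the added blank line sets `h = hash(message || R || P)` apart, but the definition still comes after three derivation lines that already use `h`. Consider moving the definition above `s * G = k * G - (h * d)*G`, or introducing it with "where", so the reader meets `h` before it is used.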
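Review bot: In the MuSig paragraph of the last schnorr.md hunk, "signers can cooperate and produce "master" private key corresponding to the master public key" reads as if the aggregate private key is actually computed by someone. In MuSig each signer keeps their own key and contributes a partial signature; the combined signature verifies under the aggregate public key, and no party ever holds the aggregate private key. Reword along the lines of "signers cooperate to produce a single signature valid for the aggregated public key". In the ring signatures link text, "Okhubo" should be "Ohkubo", and "Unlike ECDSA Schnorr signatures" needs a comma after "ECDSA".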