Just published: Schnorr Basics.

* How Schnorr signatures work
* Why use a nonce?
* Why is the nonce private?
* Why is nonce reuse bad?

Thoroughly unreviewed by experts, please comment with corrections.

@kalle looking good here.

Some thoughts: (commitment, challenge, response) is the "Sigma protocol" paradigm.

I wouldn't suggest adding that, but it *might* be possible to mention why the challenge hash must include the commitment R (this is about the 'Fiat-Shamir transform' to change the Schnorr identity protocol into a signature scheme, but you could explain it from a security POV). Also explaining the use of 'key-prefixing' (including P) is a bit too far for sure.

Thank you! I should definitely add something about why the challenge is created as it is, not just "why R", but even "why R||P||m". Good point.
