Schnorr/EdDSA Signing

Implementing Schnorr/EdDSA in a Two-Party Method

The two-party protocol for Schnorr/EdDSA signing is designed for enhanced security in elliptic-curve cryptography. Here's how it functions:

Schnorr Signing Algorithm:
1. A random $k$ is chosen, and $R=k⋅G$ is computed.
2. The hash $e=H(m∥R)$ is calculated.
3. The signature component $s=k+e⋅xmodq$ is computed.
4. The signature is output as a pair $(e,s)$ .
Two-Party Computation of Schnorr:
- Key Generation: As in ECDSA, parties hold random $1x1$ and $2x2$ , with the public key $Q=(x1+x2)⋅G$ .
- Signature Process: Each party selects random $2k1,k2$ and exchanges $R1=k1⋅G$ and $R2=k2⋅G$ . They then define $R=R1+R2$ and locally compute $e=H(m∥R)$ .
- Final Signature Calculation:
  - $1P1$ calculates $s1=k1+e⋅x1$ .
  - $2P2$ calculates $s2=k2+e⋅x2$ .
  - The final signature $s$ is $2s1+s2$ , satisfying the Schnorr equation.
EdDSA Key Generation Challenges:
- In EdDSA, the key $x$ is derived by hashing it with SHA-512, and the result is split into two parts: one for the secret key and the other for a Pseudorandom Function (PRF).
- For compatibility with EdDSA keys, a secure computation protocol for SHA-512 can be used.
- However, for simplicity and security, $x$ is currently generated directly in MPC.

Considerations and Security Implications

Security in Two-Party Computation: The protocol ensures that neither party knows the full private key or the nonce $k$ , maintaining robust security.
Implementation Subtleties: While the core ideas are straightforward, careful implementation is required to ensure security and compatibility.

Last updated 2 years ago

Was this helpful?