2018-7-29 18:45
ECDSA signatures are standardized, but have a number of downsides
compared to Schnorr signatures over the same curve:
Security proof: The security of Schnorr signatures is easily provable in the random oracle model assuming the elliptic curve discrete logarithm problem (ECDLP) is hard.
This ratio goes up logarithmically with the number of signatures, or in other words: the total time to verify n signatures grows with O(n / log n).
By reusing the same curve as Bitcoin has used for ECDSA, private and public keys remain identical for Schnorr signatures, and we avoid introducing new assumptions about elliptic curve group security.
Design
Schnorr signature variant: Elliptic Curve Schnorr signatures for message m and public key P generally involve a point R, and integers e and s which satisfy e = H(R || m) and sG = R + eP.
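The relation above, e = H(R || m) and sG = R + eP, worked through over secp256k1 as an added Python example (not code from the original page or from the proposal's authors). Using SHA-256 for H, the 64-byte x || y encoding of R, and the hash-based nonce are assumptions made for this demonstration, and the arithmetic is not constant time.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses for ECDSA).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time)."""
    out = None
    while k:
        out = add(out, A) if k & 1 else out
        A, k = add(A, A), k >> 1
    return out

def on_curve(A):
    return A is not None and all(0 <= c < p for c in A) and (A[1]**2 - A[0]**3 - 7) % p == 0

def hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def challenge(R, m):
    """e = H(R || m), with R encoded as 32-byte x || 32-byte y (assumed encoding)."""
    return hash_int(R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + m)

def sign(x, m):
    # Assumed nonce derivation for this demo: hash of key and message, forced into [1, n-1].
    k = 1 + hash_int(x.to_bytes(32, "big") + m) % (n - 1)
    R = mul(k, G)
    return R, (k + challenge(R, m) * x) % n   # s = k + e*x  =>  sG = R + eP

def verify(P, m, sig):
    R, s = sig
    ok = on_curve(P) and on_curve(R) and 0 <= s < n
    return ok and mul(s, G) == add(R, mul(challenge(R, m), P))   # sG = R + eP
```

The verifier rejects points that are not on the curve and out-of-range s before evaluating the equation, so malformed inputs never reach the group arithmetic.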
Blind Signatures
Schnorr signatures admit a very simple blind signature construction. A blind signature is a signature that a signer produces at the behest of another party without learning what he has signed.