Claus Peter Schnorr, RIP

By Prof Bill Buchanan OBE FRSE

I appreciate this is rather belated, but I am so sorry to hear about the death of Claus Peter Schnorr, who passed away on 8 June 2025. Since 1986, he has been a professor in the Department of Computer Science at the University of Frankfurt. In 2011, after 40 years of working at the university, he was awarded an emeritus professorship. Overall, Claus can be seen as one of the greatest cryptographers ever, and certainly the greatest German cryptographer. As recently as 2021, he produced research work that proposed a groundbreaking method for breaking the RSA method [here]:

The classic paper — the Schnorr signature and identity scheme

Over a long career, he wrote many classic papers, including [here][1]:

With this paper, he defined the classic Schnorr authentication and signature methods. For authentication, we have:

And then for a Schnorr signature:

With Schnorr identification, Peggy (the prover) has a proving public key of (N,g,X) and a proving secret key of (N,x). N is a prime number used as the modulus, and x is the secret, where:

On the registration of the secret, Peggy generates a random value (y), and then computes Y:

This value is sent to Victor (who is the verifier). Victor then generates a random value (c) and sends this to Peggy. This is a challenge to Peggy to produce the correct result. Peggy then computes:

She then sends this to Victor in order to prove that she knows x. Victor then computes two values:

If the values are the same (val1≡val2), Peggy has proven that she knows x.

This works because:

In a formal definition (taken from this paper) [2], the method is [here]:

The signature version of this is now known as the Schnorr signature, and is a core part of the EdDSA signature method.
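
The identification exchange between Peggy and Victor described above, as an added Python example (not code from the original post or from Schnorr's paper). The page's formulas are missing, so the relations used are the standard ones and are assumptions: X = g^x mod N, Y = g^y mod N, z = y + x·c mod (N-1), with constructed toy parameters N = 2^127 - 1 and g = 3.

```python
import secrets

# Constructed toy parameters (assumptions, not from the page; too small for real use).
N = 2**127 - 1          # prime modulus
G = 3                   # base g
ORDER = N - 1           # exponents are reduced mod N-1 (Fermat's little theorem)

def keygen():
    """Peggy's long-term key: secret x and public X = g^x mod N."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, N)

def commit():
    """Peggy picks a fresh random y and sends Y = g^y mod N to Victor."""
    y = secrets.randbelow(ORDER - 1) + 1
    return y, pow(G, y, N)

def challenge():
    """Victor replies with a random challenge c."""
    return secrets.randbelow(ORDER)

def respond(x, y, c):
    """Peggy's response z = y + x*c; y masks x, so y must never be reused."""
    return (y + x * c) % ORDER

def verify(X, Y, c, z):
    """Victor accepts if val1 = g^z equals val2 = Y * X^c (mod N)."""
    if not (0 < Y < N and 0 <= z < ORDER):
        return False
    val1 = pow(G, z, N)
    val2 = (Y * pow(X, c, N)) % N
    return val1 == val2

def run_session(x, X):
    """One complete honest run: commit, challenge, respond, verify."""
    y, Y = commit()
    c = challenge()
    return verify(X, Y, c, respond(x, y, c))
```

The check holds because g^z = g^(y + x·c) = g^y · (g^x)^c = Y · X^c (mod N).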

The Schnorr patent

In Feb 1989, Claus Schnorr submitted a patent which was assigned to no one. It has 11 claims and allows digital signatures to be merged for multiple signers [here]:

This method has the great advantage that we can have multiple signers to a message or a transaction and end up with a single signature for all the signers. It is now being used in Bitcoin transactions so that we have an efficient signature for a transaction that involves multiple entities.

With the Schnorr signature, we create a signature (R,s) for a hash of the message (m). Initially, Peggy (the prover) has a private key x, and her public key will then be:

and where G is the base point on the curve. She then generates a random nonce (r_t) for the signing of a message and defines a commitment to this value:

Next, with a message (m), she computes a challenge (e) with a hash function of:

Next, Peggy computes:

Peggy then sends e,s to Victor (the verifier). Victor then determines if:

These should equal each other. This works because:

The Schnorr method — using elliptic curve methods — is implemented here:

Golang Schnorr

The Schnorr signature is used in Bitcoin, and allows an entity to sign for a message with their private key, but then…

asecuritysite.com

DSA

The other competing signature method, at the time, was DSA. The DSA patent (No 5,231,668) was created by David W. Kravitz (an ex-NSA employee) and assigned to the USA in a royalty-free way:

David spent 11 years at the NSA and is currently a Senior Director of Research at Spring Labs [here]:

DSA was first outlined by NIST in 1991, within the Digital Signature Standard (DSS). This was then standardised within FIPS (Federal Information Processing Standard) 186 in 1994, and by FIPS 186-4 in 2013. Within FIPS 186-5, though, it is defined that DSA should not be used for the generation of signatures but can be used for signature verification. Most methods now use either RSA or ECDSA signing.

The ECDSA method is basically an extension of DSA, but implemented with elliptic curve (EC) methods. Overall, ECDSA is much more efficient in its computation and in its key sizes.

As with most public key signing methods, in DSA, we take a hash of a message — H(M) — and then apply a private key to create a signature (r,s). This is done by creating a random value (k) to produce the signature. The signature is then verified using the associated public key. This then verifies the creator of the signature and that the message has not been changed.

Initially, Bob creates two prime numbers (p and q) and generates a generator value of g. Next, he generates his secret key (x) and then computes his public key:

To create a signature for a message (M), he creates a random value (k) and then computes two values for the signature:

When Alice receives this signature, she takes Bob’s public key (p,q,g,Y) and the message and computes:

She then checks that v is equal to r. If so, the signature checks out. This works because:

The DSA method using discrete logarithms is implemented here:
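
An added Python example (not the implementation the page refers to) of the DSA steps above, with Bob's key (p,q,g,Y), per-message value k and signature (r,s). The relations are the standard FIPS 186 ones, stated as assumptions because the page's formulas are missing, and p = 2^127 - 1 with q = 77158673929 are constructed toy parameters far below real sizes.

```python
import hashlib, secrets

# Constructed toy domain parameters (assumptions; real DSA uses e.g. 2048-bit p, 256-bit q).
P = 2**127 - 1            # prime modulus p
Q = 77158673929           # 37-bit prime q that divides p - 1

def make_generator():
    """g = h^((p-1)/q) mod p for the first h that gives g != 1, so g has order q."""
    for h in range(2, P - 1):
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g

G = make_generator()

def digest(msg):
    """Leftmost bit-length(q) bits of SHA-256(M), as in FIPS 186."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> (256 - Q.bit_length())

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key, 1 <= x < q
    return x, pow(G, x, P)                    # public key Y = g^x mod p

def sign(x, msg):
    while True:
        k = secrets.randbelow(Q - 1) + 1      # fresh random k for every message
        r = pow(G, k, P) % Q                  # r = (g^k mod p) mod q
        s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
        if r and s:                           # retry in the rare case r or s is 0
            return r, s

def verify(Y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):         # range check required before any math
        return False
    w = pow(s, -1, Q)
    u1, u2 = digest(msg) * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(Y, u2, P) % P % Q
    return v == r
```

The check succeeds because g^u1 · Y^u2 = g^((H(M) + x·r)/s) = g^k, so v reduces to the same r that the signer produced.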

Claus disputes the patent

There has been a long-running debate about whether DSA is based on the Schnorr patent. It seems that NIST just changed DSA enough to allow it to become a royalty-free patent. Schnorr actually sold his patent rights to Siemens and RSADSI, who did not take forward patent breaches between DSA and the Schnorr signature method. The Schnorr patent has now expired, and the method is now being implemented within ZKPs (Zero Knowledge Proofs) and in distributed and scalable signatures.

If NIST hadn’t been able to supply DSA in a patent-free form, it is unlikely that ECDSA would have ever been adopted. The patent-free usage of ECDSA probably allowed Satoshi Nakamoto to adopt ECDSA, and the rest is history.

Conclusions

It is so sad that we have lost such a great mind, but his legacy lives on in his methods:

Zero knowledge proofs

A zero-knowledge proof allows for a proof of something without revealing the source data. Elliptic curve based zero…

asecuritysite.com

and:

EdDSA, Ed25519 and Ed448

Ed25519 signing with JavaScript. Curve 25519 is one of the most widely used ECC…

asecuritysite.com

References

[1] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991. [paper]

[2] Bellare, M., & Palacio, A. (2002, August). GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In Annual International Cryptology Conference (pp. 162–177). Springer, Berlin, Heidelberg. [paper]
