Cryptography
Digital Signatures
Every Bitcoin Taproot transaction uses Schnorr signatures via MuSig2. Every Privacy Pass token issued by Cloudflare uses blind RSA signatures. Digital signatures are not just RSA and ECDSA - the landscape includes schemes with unique properties: aggregation, threshold, anonymity, and provable security.
- **Bitcoin Taproot (2021)**: Schnorr BIP340 enables MuSig2 multi-signatures compressed to one 64-byte signature, reducing transaction fees for multi-sig wallets.
- **Privacy Pass**: RFC 9576 blind RSA signatures for anonymous tokens. Cloudflare issues them to Tor users to replace CAPTCHAs.
- **FIDO2/WebAuthn**: ECDSA P-256 and Ed25519 for hardware security key attestation. Passkeys use these signatures.
- **Ethereum**: ECDSA secp256k1 for transaction signing. EIP-2537 adds BLS12-381 for Schnorr-based aggregation in ETH 2.0 validators.
DSA: NIST Digital Signature Algorithm
DSA (FIPS 186, 1994) is a variant of ElGamal signatures over a subgroup of prime order q in Z_p. Key parameters: prime p (1024-3072 bits), subgroup prime q (160-256 bits), generator g of order q. Signatures are (r,s) pairs; verification checks a bilinear condition.
DSA has the same nonce reuse catastrophe as ECDSA: reusing k reveals the private key. NIST deprecated 1024-bit DSA in 2013; 2048-bit parameters are current minimum. DSA was gradually replaced by ECDSA and Ed25519.
What is the minimum current NIST recommendation for DSA key size?
Schnorr Signatures: Minimal Construction
Schnorr signatures (1989) are simpler and more efficient than DSA with a clean security proof in the random oracle model. The interactive Schnorr identification protocol converts to a signature scheme via the Fiat-Shamir transform.
Schnorr signatures are the foundation of Bitcoin Taproot (BIP340, activated 2021), MuSig2 for key aggregation, and the Fiat-Shamir transform for ZK proofs. The linearity of Schnorr enables efficient multi-party protocols.
What key property of Schnorr signatures enables efficient multi-signatures?
Multi-Signatures and Aggregation
Multi-signatures let n parties jointly sign a message such that the combined signature is indistinguishable from a single-party signature. This is critical for blockchain scalability: a Bitcoin transaction with 100 signers needs one 64-byte Schnorr signature, not 100 ECDSA signatures.
Bitcoin Taproot (BIP340/341, November 2021): all spending conditions can be compressed to a single Schnorr signature using MAST. A multisig wallet with 3-of-5 keys looks identical to a single-key wallet on-chain.
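Schnorr signing and verification via Fiat-Shamir, plus the naive n-of-n aggregation that the linearity described in the Schnorr section above makes possible, as an added Python example (not code from the page, BIP340 or any Bitcoin wallet). The group parameters, key seeds and message are constructed toy values, and the aggregation deliberately omits the key-coefficient and two-nonce hardening that distinguishes MuSig2 from this bare construction.

```python
import hashlib
# Toy Schnorr group, constructed for illustration and far too small for real use:
# p = 2q + 1 with both prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def H(*parts: int) -> int:
    """Hash integers to a nonzero scalar in [1, Q-1]; used for nonces and challenges."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def keygen(seed: int):
    """Private key x in [1, Q-1] and public key X = g^x mod p."""
    x = seed % (Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: int):
    """Schnorr identification made non-interactive: the verifier's random
    challenge is replaced by a hash of (R, X, msg) (Fiat-Shamir)."""
    k = H(x, msg)                  # deterministic nonce, BIP340/RFC 6979 style: no reuse across messages
    R = pow(G, k, P)               # commitment
    X = pow(G, x, P)
    e = H(R, X, msg)               # challenge binds nonce, key and message
    s = (k + e * x) % Q            # response
    return R, s

def verify(X: int, msg: int, sig) -> bool:
    """Accept iff g^s == R * X^e mod p."""
    R, s = sig
    e = H(R, X, msg)
    return pow(G, s, P) == R * pow(X, e, P) % P

def cosign(keys, msg: int):
    """Naive n-of-n aggregation that falls straight out of linearity: the sum of
    the responses verifies under the product of the keys. Real MuSig2 also weights
    each key by a hash coefficient and uses two nonces per signer to resist
    rogue-key and Wagner-style attacks; this demo omits that hardening."""
    Xagg = 1
    for _, X in keys:
        Xagg = Xagg * X % P
    # Round 1: nonce commitments. A real protocol needs fresh randomness per
    # session; nonces are derived from the key here only for reproducibility.
    ks = [H(x, msg, i) for i, (x, _) in enumerate(keys)]
    Ragg = 1
    for k in ks:
        Ragg = Ragg * pow(G, k, P) % P
    # Round 2: one shared challenge; each signer releases s_i = k_i + e * x_i.
    e = H(Ragg, Xagg, msg)
    s = sum(k + e * x for k, (x, _) in zip(ks, keys)) % Q
    return Xagg, (Ragg, s)
```

The aggregated (R, s) is the same size and shape as a single-signer signature, which is the on-chain indistinguishability the paragraph above describes.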
What blockchain scalability benefit do Schnorr multi-signatures provide?
Blind Signatures: Privacy Without Trust
Blind signatures (Chaum, 1982) let a signer sign a message without learning its content. The requester blinds the message, obtains a blind signature, then unblinds it. The resulting signature is valid but the signer cannot link it to the signing request.
Privacy Pass (RFC 9576) uses blind RSA signatures for anonymous rate limiting: a client obtains tokens without the server learning which requests they will authenticate later. Cloudflare uses Privacy Pass to avoid requiring CAPTCHAs from Tor users.
Zcash uses cryptography similar to blind signatures for shielded transactions. Signal uses blind signatures for Private Contact Discovery. Apple Pay uses tokenization - a related idea, though implemented via HSM rather than cryptographic blind signatures.
What privacy property do blind signatures provide?
Summary
- **DSA**: NIST standard, 2048/256-bit parameters. Same nonce reuse catastrophe as ECDSA. Replaced by ECDSA and Ed25519.
- **Schnorr**: linear structure enables multi-signatures (MuSig2), batch verification, Fiat-Shamir ZK proofs. Bitcoin Taproot default.
- **Multi-signatures**: n-of-n Schnorr produces one constant-size signature via MuSig2. Critical for blockchain scalability.
- **Blind signatures**: signer-unlinkable credentials. Used in Privacy Pass for anonymous rate-limiting tokens.
Related Topics
Digital signatures span from basic authentication to advanced privacy-preserving protocols:
- ECC in Practice — ECDSA and Ed25519 are the dominant signature schemes in deployed systems.
- ZK-SNARKs — Fiat-Shamir transform converts interactive Schnorr proofs to non-interactive signatures and proofs.
- Blockchain Cryptography — Merkle trees, Schnorr/BLS signatures, and ring signatures in Bitcoin and Monero.
Questions for Reflection
- MuSig2 requires two rounds of interaction. Why can a single-round variant be attacked via Wagner's algorithm?
- Privacy Pass uses blind RSA with e=65537. Could blind Schnorr signatures be used instead, and what advantage would that provide?
- DSA and ECDSA both catastrophically fail on nonce reuse. Why did Ed25519 choose to fix this with determinism rather than requiring a CSPRNG?