theory – Why is the Schnorr verification formula working and actually verifying the validity of a signature?


To prove the validity of the signature, we must see that the tuple $(R, s)$ actually came from the private key $x$; in particular, that $s$ was derived as $s = r + cx$. Obviously we should not possess $x$ (which is the reason why we need this verification equation), so:

  1. Looking at $g^s = R X^c$ we realize that we know $(R, s)$, $X$ and $c$ (since $c = H(X, R, m)$ and the public key $X$ is obviously public and known). As the generator $g$ is also known, this means we can actually compute both sides of the equation.
  2. Since $s = r + cx$ we know that $g^s = g^{r+cx}$.
  3. Since we do these calculations in a cyclic group of prime order, we can apply the following laws: $g^{a+b} = g^a g^b$ and $g^{ab} = (g^a)^b$. (As far as I understand, this is the reason why the group needs to be cyclic and of prime order.)
  4. Thus $g^s = g^{r+cx} = g^r g^{cx}$.
  5. Recalling $R = g^r$ and substituting into the equation from 4, we get $g^s = R\, g^{cx}$.
  6. Recalling the other law from 3, we have $g^s = R\, g^{cx} = R (g^x)^c = R X^c$.

This is exactly the equation that was supposed to be shown.

Note the interesting fact that, as mentioned in 1, the data to verify the equation is known, but producing the data can only work if $x$ and $r$ are known. That is why the owner of $x$ can produce the signature and others can verify it.
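
The derivation above can be run end to end in a toy group. This is an added example, not part of the original post: the parameters `P`, `Q`, `G`, the function names and the choice of SHA-256 for $H$ are assumptions made for illustration, and the group is far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q prime.
# g = 4 is a square mod p, so it generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4


def challenge(X, R, m):
    """c = H(X, R, m), reduced into the exponent range [0, q)."""
    data = X.to_bytes(2, "big") + R.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1   # private key x in [1, q-1]
    return x, pow(G, x, P)             # public key X = g^x


def sign(x, m, r=None):
    if r is None:
        r = secrets.randbelow(Q - 1) + 1   # fresh secret nonce r
    R = pow(G, r, P)                       # R = g^r
    c = challenge(pow(G, x, P), R, m)
    s = (r + c * x) % Q                    # s = r + c*x, exponents live mod q
    return R, s


def verify(X, m, sig):
    R, s = sig
    c = challenge(X, R, m)                 # verifier recomputes c from public data
    # Left side: g^s. Right side: R * X^c = g^r * (g^x)^c = g^(r + c*x).
    return pow(G, s, P) == (R * pow(X, c, P)) % P


if __name__ == "__main__":
    x, X = keygen()
    msg = b"pay 10 to alice"               # constructed sample message
    R, s = sign(x, msg)
    print("valid signature:", verify(X, msg, (R, s)))
    # Changing s breaks g^s = R * X^c, because g has order q > 1.
    print("tampered s:     ", verify(X, msg, (R, (s + 1) % Q)))
```

The verifier only ever touches `X`, `R`, `s` and the message, while `sign` needs both `x` and `r`, which is the asymmetry noted in the last paragraph.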