Ethereum: Why Schnorr Signatures Use Nonce Generation via SHA-256
The Schnorr signature scheme is one of the most widely used and powerful digital signatures on Ethereum. However, when it comes to nonce generation for these signatures, there seems to be a debate among developers and researchers as to why the Simple RFC6979 variant was not chosen over another popular option.
At first glance, it may seem contradictory that Schnorr signatures use nonce generation via SHA-256 instead of a more common method like HMAC or AES. But let’s dive deeper into the reasoning behind this decision.
The Nonce Problem
One of the main challenges in digital signature schemes is generating a unique nonce value for each signing operation. In other words, we need to ensure that no two signatures are identical and that they can be easily verified with the same key. One way to solve this problem is to use a nonce parameterized by the signature parameters.
However, when it comes to Schnorr signatures, there are a few problems with using nonces generated via SHA-256:
- SHA-256 is not suitable for cryptographic purposes: Although SHA-256 is widely used in many applications, its key size and security requirements make it unsuitable for cryptographic purposes such as digital signatures.
- Nonce classes cannot be generated consistently: In Ethereum, the network blockchain is constantly updated with new blocks, which means that nonce generation is a dynamic process. This adds unpredictability to the signature system, making it vulnerable to attacks.
Why the RFC6979 version was chosen
Despite these challenges, the Schnorr signature model was chosen as the default for several reasons:
- Efficient and fast: The simple RFC6979 version uses an optimized algorithm that generates the nonce value in O(log n) time complexity, making it much faster than other methods.
- Small key sizes: By using SHA-256 to generate nonces, we can reduce the size of the keys used for digital signatures, making them more efficient and cost-effective.
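The mechanics behind the two sections above (the nonce problem and the RFC6979 choice), as an added example that is not part of the original article and not code from any Ethereum client: the nonce k is derived from the private key and the SHA-256 message hash with HMAC-SHA256 following RFC 6979 section 3.2, and then feeds a textbook Schnorr signature (R = kG, e = H(R, P, m), s = k + e·d mod N) over secp256k1, the curve behind Ethereum accounts. The private key, the messages and the byte layout of the challenge hash are constructed for the demo; the Schnorr variant is the plain one, not BIP-340, and nothing here is claimed to match any particular wallet's encoding.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve behind Ethereum accounts)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed private key for the demo only; any integer in [1, N-1] works.
DEMO_PRIV = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def deterministic_nonce(priv, msg):
    """k derived from (priv, SHA-256(msg)) per RFC 6979 section 3.2 with HMAC-SHA256."""
    h1 = hashlib.sha256(msg).digest()
    x = priv.to_bytes(32, "big")                             # int2octets(x)
    h = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")  # bits2octets(h1)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = _hmac(K, V + b"\x00" + x + h)
    V = _hmac(K, V)
    K = _hmac(K, V + b"\x01" + x + h)
    V = _hmac(K, V)
    while True:
        V = _hmac(K, V)                    # hlen == qlen, so T is a single V
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = _hmac(K, V + b"\x00")          # out of range: re-key and retry
        V = _hmac(K, V)


def _challenge(R, pub, msg):
    """e = SHA-256(R.x || R.y || P.x || P.y || m) mod N (constructed layout)."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def pubkey(priv):
    return ec_mul(priv, G)


def schnorr_sign(priv, msg):
    """Textbook Schnorr: R = kG, e = H(R, P, m), s = k + e*d mod N."""
    k = deterministic_nonce(priv, msg)
    R = ec_mul(k, G)
    e = _challenge(R, pubkey(priv), msg)
    return (R, (k + e * priv) % N)


def schnorr_verify(pub, msg, sig):
    """Accept iff s*G == R + e*P."""
    R, s = sig
    if R is None or not 1 <= s < N:
        return False
    e = _challenge(R, pub, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))


if __name__ == "__main__":
    pub = pubkey(DEMO_PRIV)
    sig = schnorr_sign(DEMO_PRIV, b"hello ethereum")
    print("same signature on re-sign:", schnorr_sign(DEMO_PRIV, b"hello ethereum") == sig)
    print("verifies:", schnorr_verify(pub, b"hello ethereum", sig))
    print("rejects altered message:", schnorr_verify(pub, b"hello ethereun", sig))
```

Running it shows the property the nonce-problem section is after: k depends only on the private key and the message hash, so signing the same message twice yields the same k and the same signature, a different message yields a different k, and no random-number generator is consulted at signing time. The altered-message verify check is the one worth keeping in any test suite around this code path.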
Conclusion
In summary, the choice of the nonce generation method for Schnorr signatures in Ethereum is based on a combination of efficiency, security, and practical considerations. Although it may seem contradictory at first glance, using SHA-256 to generate nonces offers a unique set of advantages that outweigh the disadvantages. The simple version of RFC6979 is still an effective solution for Ethereum’s digital signature systems.