In cryptography, a **Schnorr signature** is a digital signature produced by the Schnorr signature algorithm that was described by Claus Schnorr. It is a digital signature scheme known for its simplicity, is efficient and generates short signatures. It is one of the protocols used to implement “Proof Of Knowledge”.In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds in ‘convincing’ a verifier that the prover knows something ‘X’. For a machine to know ‘X’ is defined in terms of computation. A machine knows ‘X’ if this ‘X’ can be computed. The Verifier either accepts or rejects the proof. The signature proof is supposed to convince the Verifier that they are communicating with a user who knows the private key corresponding to the public key. In other words, the Verifier should be convinced that they are communicating with the Prover without knowing the private key.

**Schnorr Digital Signature to implement Zero Knowledge Proof :**

Let’s take an example of two friends Sachin and Sanchita. Sanchita has announced to the world that she has a public key and can accept and receive information through it. Sachin thinks that Sanchita is lying. Sanchita wants to prove her honesty without showing her private keys. Here is where Schnorr’s protocol will help us.

Consider the following parameters: p, q, a, s, v, r, x, y where, "p" is any prime number "q" is factor of p-1 “a” such that a^q = 1 mod p

The above three variables are global and public which means anyone can see these three variables at a given scenario.

We will have two keys.

"s" is the secret key or the private key (0<s<q). "v" is the public key = a^-s mod q.

The public key “v” will be global and public knowledge along with p, q and a. However only Sanchita will have the knowledge of the private key "s".

Now Sanchita signs wants to sends an encrypted message "M". She will follow the following steps to use Schnorr's signature:-

- She will first choose a random number “r” such that 0<r<q.
- She will now compute a value X such that: X= a^r mod p.
- Now that she has computed the value of X, she is going concatenate this with the original message (same as string concatenation).

So, she is going to concatenate M and X to get M||X. and she is going to store the hash of this value in e.e = H(M||X) where H() is the hash function

- She is going to get a value “y” such that:
y = (r + s*e) mod q

Now that all the computations are over, she is going to send the following to Sachin.

- The message “M”.
- The signatures e and y.

Along with this, Sachin has the following public piece of information:-

- Sanchita's public key “v”.
- The prime number that Sanchita chose “p”.
- “q” which is the factor of “p-1” which Sanchita chose.
- “a” such that a^q = 1 mod p, chosen by Sanchita.

Now, Sachin will have to compute X’ such that:

X’ = a^y * v^e mod p

We know that v = a^-s, let’s substitute that in the equation above and we get:

X’ = a^y * a^-se = a ^ (y-s*e)

Now we also know that,

y = r + s*e Which means: r = y-s*e

Let’s substitute this value in the equation above:

We get: X’ = a^r

As we have already seen above:

X= a^r

So technically:

X = X’

But Sachin doesn’t know the value of “X” because he never received that value. All that he received are the following: The message M, the signatures (e and y) and the host of public variables (public key “v”, p, q, and a).

So he is going to solve for e by doing the following:

e = H ( M||X’)

Note that earlier we solved for e by doing:

H(M||X))

So, by that logic, if the two values of e come up to be the same then that means

X = X’

This follows all three Properties of Zero Knowledge Proof :

**Completeness –**

Sachin was convinced of Sanchita’s honesty because at the end X = X’.**Soundness –**

The plan was sound because Sanchita only had one way to prove her honesty and that was through her private key.**Zero Knowledge –**

Sachin never got to know about Sanchita’s private key.

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.

## Recommended Posts:

- Schnorr Identification Scheme
- Difference between Direct and Arbitrated Digital Signature
- Types of Digital Signature Attacks
- Digital Signature Standard (DSS)
- Winternitz One Time Signature Scheme
- Lamport One Time Signature Scheme
- Digital Signatures and Certificates
- Digital Subscriber Line (DSL)
- Integrated Services Digital Network (ISDN)
- Digital Forensics in Information Security
- Digital Certificate Creation
- What is DSU(Digital Service Unit)?
- Digital Data Communications Message Protocol (DDCMP)
- IOT as a key in Digital Health Care System
- Digital Watermarking and its Types
- Recovering Deleted Digital Evidence
- Java implementation of Digital Signatures in Cryptography
- Difference between Analog Communication and Digital Communication

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.