Ethereum: k selection for Schnorr signatures

Ethereum: Why Schnorr Signatures Use SHA-256 Nonce Generation

The Schnorr signature scheme is one of the most widely used and effective digital signatures on Ethereum. However, when it comes to nonce generation for these signatures, there seems to be some debate among developers and researchers as to why the simple RFC6979 variant was not chosen over another popular option.

At first glance, it may seem counterintuitive that Schnorr signatures use nonce generation via SHA-256 instead of a more commonly used method like HMAC or AES. But let’s dig deeper into the reasoning behind this decision.

The Nonce Problem

One of the main challenges of digital signature schemes is generating a unique nonce value for each signing operation. In other words, we need to make sure that no two signatures are identical and that they can be easily verified using the same key. One way to solve this problem is to use a parameterized nonce with the signature parameters.

However, when it comes to Schnorr signatures, using nonces generated via SHA-256 presents a few problems:

  • SHA-256 is not suitable for cryptographic purposes: Although SHA-256 is widely used in many applications, its key size and security requirements make it unsuitable for cryptographic purposes such as digital signatures.
  • Nonces cannot be generated consistently: In Ethereum, the network blockchain is constantly updated with new blocks, which means that nonce generation is a dynamic process. This introduces unpredictability into the signature scheme, making it vulnerable to attacks.

Why the RFC6979 variant was chosen

Despite these challenges, the Schnorr signature scheme was chosen as the default for several reasons:

  • Efficient and fast: The simple RFC6979 variant uses an optimized algorithm that generates a nonce value in O(log n) time complexity, making it much faster than other methods.
  • Small key sizes: By using SHA-256 to generate nonces, we can reduce the size of the keys used for digital signatures, making them more efficient and cost-effective.

Conclusion

In conclusion, the choice of the nonce generation method for Schnorr signatures on Ethereum is based on a combination of efficiency, security, and practical considerations. While it may seem counterintuitive at first glance, using SHA-256 to generate nonces offers a unique set of advantages that outweigh the disadvantages. The simple RFC6979 variant remains an effective solution for digital signature schemes on Ethereum.