This write-up formalizes a modest adaptation to the regular Schnorr and ECDSA signature scheme, using existing techniques, that allows for signature verification without requiring the message.
The regular signature scheme enables two functions:
- Proving knowledge of a secret key
- Tying that proof to a message
Signature verification requires:
- The public key
- The signature
- The message
In some situations, a subset of the verifiers only cares about the first function (proof of secret-key knowledge) and not the second (the tie to a message). Nonetheless, in the regular scheme the message is always required to verify. The Segregated Message Signature Scheme separates these two steps and makes it possible to prove knowledge of the secret key without the message. This is achieved by taking the message out of the challenge hash of the regular signature scheme and placing it inside the nonce instead, as a commitment via the taproot tweak.
REGULAR SCHNORR SIGNATURE
X = k*G <- public key
R = r*G <- nonce
e = hash(X, R, message) <- challenge
s = r + e*k <- signature
Verifier: s*G == R + e*X
(message required to calculate e)
SEGREGATED MESSAGE SCHNORR SIGNATURE
X = k*G <- public key
R = r*G <- nonce
e' = hash(R, message) <- segregated message (commitment inside the nonce)
R' = R + e'*G <- tweaked nonce
e = hash(X, R') <- challenge
s = r + e' + e*k <- signature
Verifier: s*G == R' + e*X
(message not required to calculate e)
Message verification (requires R):
R' == R + hash(R, message)*G
Also applicable to ECDSA
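The segregated message Schnorr scheme above, as an added worked example (not code from the original post): signing produces (R', s) plus the opening R; one verifier checks key knowledge from (X, R', s) alone, another opens the nonce commitment with R and the message. The curve (secp256k1), the point encoding fed to the hash and the use of SHA-256 are assumptions for the example, not specified by the write-up.

```python
import hashlib
from secrets import randbelow

# secp256k1 parameters (an assumption for this example; the scheme works over any group)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):
    """hash(...) from the write-up: SHA-256 over 64-byte x||y point encodings and raw bytes, reduced mod N."""
    enc = lambda p: p if isinstance(p, bytes) else p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(b"".join(map(enc, parts))).digest(), "big") % N

def sign(k, message):
    """Returns public key X, signature (R', s) and the commitment opening R."""
    X = mul(k, G)
    r = 1 + randbelow(N - 1)
    R = mul(r, G)
    e_prime = H(R, message)            # e' = hash(R, message): message goes into the nonce
    R_prime = add(R, mul(e_prime, G))  # R' = R + e'*G: tweaked nonce
    e = H(X, R_prime)                  # e = hash(X, R'): challenge without the message
    s = (r + e_prime + e * k) % N      # s = r + e' + e*k
    return X, (R_prime, s), R

def verify_key(X, sig):
    """Step 1: proof of secret-key knowledge; the message is not needed."""
    R_prime, s = sig
    return mul(s, G) == add(R_prime, mul(H(X, R_prime), X))

def verify_message(sig, R, message):
    """Step 2: open the nonce commitment; requires R (the extra 32 bytes) and the message."""
    R_prime, _ = sig
    return R_prime == add(R, mul(H(R, message), G))
```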
The advantage of this scheme is that those who only want to verify knowledge of the secret key will no longer need to know the message (32 bytes saved), and the downside is that others will need to open the commitment inside the nonce (32 bytes added).
An example use case would be a blockchain which consists purely of signatures that everyone verifies, but for which all messages remain off-chain, and are only revealed to specific recipients (as in Peter Todd's client-side validation).