Simple Schnorr Signature with Pedersen Commitment as Key

Abstract

In a transaction-output-based blockchain system, where each transaction spends UTXOs (the previously unspent transaction outputs), a user must provide a signature, or more precisely a $\textit{scriptSig}$ for Bitcoin, to spend an UTXO, which proves the ownership of the spending output. When Pedersen commitment $g^xh^a$ or ElGamal commitment $(g^xh^a,h^x)$ introduced into blockchain as transaction output, for supporting confidential transaction feature, where the input and output amounts in a transaction are hidden, the prior signature schemes such as Schnorr signature scheme and its variants does not directly work here if using the commitment as the public key, since nobody including the committer knows the private key of a $g^xh^a$ when $a$ is not zero, meaning no one knows the $c$ such that $(g^c=g^xh^a)$. This is a signature scheme which is able to use the $C=g^xh^a$ as the signature public key for any value of $a$. The signer, proceeding from a random Pedersen commitment $R=g^{k_1}h^{k_2}$, generates a random bit sequence $e$, by multiplication of a stored private key $x$ with the bit sequence $e$ and by addition of the random number $k_1$ to get the $u$, by multiplication of the committed value $a$ with the bit sequence $e$ and by addition of the random number $k_2$ to get the $v$, finally constructs $\sigma=(R,u,v)$ as the signature, with the corresponding public key $C$. In turn, the verifier calculates a Pedersen commitment $S=g^uh^v$, and accepts the signature if $S=RC^e$. For an electronic signature, a hash value $e$ is calculated from a random Pedersen commitment $R$, the Pedersen commitment $C$, and from the message $m$ to be signed. This signature scheme will be very helpful in the design of a non-interactive transaction in Mimblewimble