But first, let me tell you a story.
Once upon a time, there was this guy named Claus Schnorr who came up with an idea that would change the world of cryptography forever. He wanted to create a way to sign messages digitally without having to use those long and complicated keys like RSA or ECDSA. And he did just that!
Schnorr’s signature scheme is based on the discrete logarithm problem, which is much easier to solve than factoring large numbers (like in RSA). But here’s where it gets interesting: Schnorr signatures don’t require a collision-resistant hash function like ECDSA does. Instead, they use a simple modular exponentiation and some math magic to create a signature that can be verified by anyone with the public key.
Now, you might think that this is great news for storage space, but there’s more! Schnorr signatures only require 3n bits of output instead of 4n bits like ECDSA or RSA. That means half the size and twice the speed (or so they say). And if that wasn’t enough, you can even use a shorter key length than with other signature schemes because the security is based on the discrete logarithm problem rather than factoring large numbers.
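The 3n-bit signature mentioned above, worked through as an added example (this is not code from the original post): Schnorr signing and verification in a prime-order subgroup of the integers mod p, with the hash output truncated to n bits and s reduced modulo a 2n-bit q. The toy parameter n = 32, the function names, the group search and the use of truncated SHA-256 as H are all assumptions made for illustration.

```python
import hashlib, secrets

N = 32  # toy security parameter n in bits (assumption; far too small for real use)
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(m):
    """Miller-Rabin with fixed bases, deterministic for m < 3.3e24."""
    if m < 2 or any(m % b == 0 for b in BASES):
        return m in BASES
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        x = pow(b, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def make_group(n=N):
    """Toy group: 2n-bit prime q, prime p = c*q + 1, generator g of order q."""
    q = next(v for v in range((1 << (2 * n)) - 1, 0, -2) if is_prime(v))
    c = next(v for v in range(2, 1 << 16, 2) if is_prime(v * q + 1))
    p = c * q + 1
    g = next(v for v in (pow(h, c, p) for h in range(2, p)) if v != 1)
    return p, q, g

def H(r, msg, p, n=N):
    """SHA-256 of (r || msg) truncated to n bits: the half-size hash output."""
    data = r.to_bytes((p.bit_length() + 7) // 8, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n)

def sign(msg, x, p, q, g):
    k = secrets.randbelow(q - 1) + 1     # fresh secret nonce for every signature
    e = H(pow(g, k, p), msg, p)          # n-bit challenge
    return e, (k + x * e) % q            # (e, s): n + 2n = 3n bits

def verify(msg, sig, y, p, q, g):
    e, s = sig
    in_range = 0 <= e < (1 << N) and 0 <= s < q
    r = pow(g, s % q, p) * pow(y, -e % q, p) % p   # g^s * y^-e recovers g^k
    return in_range and H(r, msg, p) == e
```

The verifier never sees the nonce k: it recomputes g^k from s, e and the public key y = g^x mod p, then checks that hashing it with the message reproduces e.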
Schnorr signatures also have some cool properties like forward secrecy and rekeying (which means you don’t need to change your keys every time someone signs a message). And if that wasn’t enough, they can be used for group signatures too.
So why isn’t everyone using Schnorr signatures instead of ECDSA or RSA? Well, there are some downsides. For one thing, the security proof is not as strong as with other signature schemes (although it’s still pretty good). And there have been some attacks on Schnorr signatures in the past that were later fixed by adding some extra math magic to make them more secure.
But overall, Schnorr signatures are a great choice for anyone who needs a fast and efficient digital signature scheme without having to worry about storage space or key management. And if you’re feeling adventurous, you can even try implementing your own version using the HMAC-based hash function (H) instead of a collision-resistant one.
Schnorr signatures and half-size H output: The future of digital signature schemes. Who needs RSA or ECDSA when you’ve got this?