
Digital Signatures: ECDSA, Schnorr & EdDSA

How all blockchain signatures descend from Schnorr, why ECDSA names the spender, and how Monero generalizes one signature into a privacy-preserving ring.

A signature is how a blockchain answers one question: "did the owner of these coins authorize this spend?" The math that answers it is shared across chains — all of it is a proof that you know the private scalar behind a public point, bound to a message. But the style of signature differs, and that difference is the hinge on which transparency versus privacy turns. By the end of this lesson you'll see why an ordinary signature inevitably reveals the spender, and what Monero does about it.

The Common Goal: Prove Knowledge Without Revealing It

Every elliptic-curve signature is a descendant of the Schnorr identification protocol. The shape is always the same: the signer picks a random nonce k, publishes a commitment R = k·G, derives a challenge e by hashing R together with the message, and answers with s = k + e·x (mod ), where x is the private key. A verifier checks an equation that can only balance if the signer truly knew x — yet x never appears. This "commit, challenge, respond" pattern, made non-interactive by using a hash as the challenge (the Fiat–Shamir transform), is the universal grammar of blockchain signatures.

ECDSA: Bitcoin and Ethereum

Bitcoin and Ethereum sign with ECDSA over secp256k1. It reaches the same goal as Schnorr but by a more convoluted route involving a modular inverse of the nonce. Two consequences matter:

  • It is fragile around the nonce. Reuse the nonce k across two signatures, or generate it with any bias, and the private key can be solved for algebraically. Historically, this has drained real wallets and even leaked console signing keys. EdDSA fixes this by deriving the nonce deterministically from the message and key.
  • It is inherently linkable. A valid ECDSA signature is checked against one specific public key. So a verifier — and therefore the whole network — learns precisely which key authorized the spend. On a transparent chain that's a feature; for privacy it's fatal.
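Both properties from a defender's side, as an added example that is not code from this lesson or from any wallet: textbook ECDSA over secp256k1, a nonce derived from key and message, and an audit helper that flags the visible symptom of nonce reuse (the same r under one key for two different messages). The function names and the HMAC-based det_nonce are assumptions of this example; RFC 6979 specifies the standard deterministic-nonce construction for ECDSA.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977            # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                      # affine addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: m = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:      m = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (m * m - A[0] - B[0]) % P
    return x, (m * (A[0] - x) - A[1]) % P

def mul(k, A):                      # double-and-add; not constant-time
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def z(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(x, msg, k):                # k is the per-signature nonce
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z(msg) + r * x) % N

def verify(Q, msg, sig):            # checked against ONE specific public key Q
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    R = add(mul(z(msg) * w % N, G), mul(r * w % N, Q))
    return R is not None and R[0] % N == r

def det_nonce(x, msg):              # ASSUMPTION: simplified key+message nonce, not RFC 6979
    mac = hmac.new(x.to_bytes(32, "big"), msg, hashlib.sha512).digest()
    return int.from_bytes(mac, "big") % N or 1

def reused_nonces(records):         # records: (Q, msg, (r, s)); r depends only on k
    seen, hits = {}, []
    for Q, msg, (r, _) in records:
        first = seen.setdefault((Q, r), msg)
        if first != msg: hits.append((Q, r, first, msg))
    return hits
```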

Ethereum leans into the linkability: it doesn't even store the public key, it recovers it from the signature (the ecrecover operation) and uses the Keccak hash of that key as your account address. Identity and signature are welded together by design.

EdDSA: Monero's Starting Point

Monero's curve, Ed25519, comes with EdDSA, a clean Schnorr-style signature. It's deterministic (no catastrophic nonce-reuse risk), fast, and constant-time. But a plain EdDSA signature has the same privacy problem as ECDSA: it proves "the holder of public key P signed," naming P. If Monero stopped here, it would be as transparent as Bitcoin. The whole privacy project is about generalizing this one-key signature into something that hides which key signed.

The Leap: From One Key to a Ring

Here is the pivotal idea of the entire course. A ring signature takes the Schnorr structure and proves a disjunction: "I know the private key for one of these n public keys, but I won't tell you which." The signer weaves the real key in with n−1 decoy keys pulled from the blockchain, and the verification equation closes for the whole ring without singling anyone out. The math is still commit-challenge-respond; it's just arranged in a loop across all ring members so exactly one "gap" is filled by the genuine secret. Monero's production version is CLSAG, which compactly proves both key ownership and amount-commitment ownership in a single ring.

The Double-Spend Problem a Ring Creates

Hiding which key signed introduces a fresh danger: if nobody knows which output you spent, what stops you from spending it again in another ring? Transparent chains prevent double-spends trivially — the spent output is named and marked used. Monero needs a way to mark an output as spent without revealing which one it was. The answer is the key image: a deterministic point I = x·Hp(P) derived from your private key and your output. It is unique to that output, unforgeable, and unlinkable to P. The network keeps a set of seen key images and rejects any repeat. One signature, two superpowers: anonymity from the ring, double-spend protection from the key image. We build the full construction in Monero's Math I: Hiding Sender & Receiver.
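The ring and key-image construction from the last two sections, as an added example that is not Monero's code: an LSAG-style linkable ring signature on Ed25519 in which decoys get random responses and the real key closes the loop with s = k + e·x. Assumptions: Hp is a try-and-increment hash-to-point rather than Monero's own map, H is SHA-512 over a Python repr, the function names are invented for this example, and the amount-commitment part of CLSAG is left out.

```python
import hashlib, secrets
# Ed25519 arithmetic in affine coordinates
p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # prime subgroup order
d = -121665 * pow(121666, -1, p) % p                   # curve constant
def add(P, Q):                      # complete twisted Edwards addition (a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)
def mul(k, P):                      # double-and-add from the identity (0, 1); not constant-time
    R = (0, 1)
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def lift(y):                        # a curve point with this y, or None if there is none
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p: x = x * pow(2, (p - 1) // 4, p) % p
    return (x, y) if (x * x - xx) % p == 0 else None
G = lift(4 * pow(5, -1, p) % p)     # generator of the prime-order subgroup (y = 4/5)
def H(*a): return int.from_bytes(hashlib.sha512(repr(a).encode()).digest(), "little")

def Hp(P):                          # ASSUMPTION: try-and-increment, not Monero's hash-to-point
    ctr = 0
    while not (Q := lift(H("Hp", P, ctr) % p)): ctr += 1
    return mul(8, Q)                # cofactor multiply: land in the prime-order subgroup

def link(msg, ring, i, s, c, I):    # verification step for member i: returns the next challenge
    Li = add(mul(s, G), mul(-c % L, ring[i]))          # s*G - c*P_i
    Ri = add(mul(s, Hp(ring[i])), mul(-c % L, I))      # s*Hp(P_i) - c*I
    return H(msg, tuple(ring), Li, Ri) % L

def ring_sign(msg, ring, pi, x):    # pi: index of the real key, x: its private scalar
    n, base = len(ring), Hp(ring[pi])
    I, k = mul(x, base), secrets.randbelow(L - 1) + 1  # key image I = x*Hp(P), fresh nonce k
    c, s = [0] * n, [secrets.randbelow(L) for _ in ring]
    c[(pi + 1) % n] = H(msg, tuple(ring), mul(k, G), mul(k, base)) % L
    for i in ((pi + j) % n for j in range(1, n)):      # decoys: random responses
        c[(i + 1) % n] = link(msg, ring, i, s[i], c[i], I)
    s[pi] = (k + c[pi] * x) % L     # s = k + e*x closes the loop at the real key
    return c[0], s, I

def ring_verify(msg, ring, sig, seen=frozenset()):     # seen: key images already spent
    c0, s, I = sig
    if I in seen or mul(L, I) != (0, 1): return False  # repeat spend, or I outside the subgroup
    c = c0
    for i in range(len(ring)): c = link(msg, ring, i, s[i], c, I)
    return c == c0
```

A node would pass its set of recorded key images as seen and add sig[2] to that set once a spend is accepted; a ring of size one reduces to an ordinary Schnorr signature that names its key.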

Same Primitive, Opposite Outcome

Step back and the symmetry is striking. Bitcoin, Ethereum and Monero all sign with the same Schnorr-derived math over an elliptic curve. Bitcoin and Ethereum use it to name the spender so the ledger is auditable; Monero uses it to hide the spender among decoys while still proving the spend is legitimate. The cryptography didn't change — the question it answers did. Next we make that contrast concrete by looking at exactly what a transparent ledger exposes that a private one does not.
