# 0.4 Cryptographic Signatures

Now that we understand how elliptic curve cryptography works, we can see how **cryptographic signatures** allow users to securely authenticate transactions on a decentralized ledger.

A cryptographic signature is a mathematical proof that a specific message was signed by the owner of a private key. Unlike a traditional signature, a cryptographic signature cannot be forged, and anyone can verify its authenticity.

Let’s revisit our transaction example:

`A sends 3 coins to B`

Instead of sending a password or relying on a central authority, A generates a **digital signature** using their private key. The signed transaction might look like this:

`m = "A sends 3 coins to B"; Signature of m by A`

Anyone can verify this signature using A’s **public key**. If the signature is valid, it proves that A authorized the transaction. If the signature is invalid, the transaction is rejected.

### Schnorr Signature

One of the most widely used applications of ECC in cryptocurrency is **Schnorr Signature**, which allows users to sign transactions securely. Here’s how it works:

1. &#x20;$$A$$ user generates a private key $$a$$ and computes the corresponding public key $$A=a\cdot G$$.
2. When signing a message $$m$$ (such as a transaction), the user creates a unique digital signature $$(R,s)$$ using his private key $$a$$.
   1. $$A$$ generates a random scalar $$r \in \[1, q-1]$$. It should be new and never be used again.
   2. $$A$$ computes $$R = r\cdot G$$.
   3. $$A$$ gets $$e=h(A|R|m)$$, with $$(A|R|m)$$ the concatenation of bit representation of those elements.
   4. $$A$$ can then compute $$s=r+ea$$.
   5. The final signature is $$(R, s)$$.
3. Anyone can verify the signature $$(R, s)$$ of message $$m$$ using the public key $$A$$:
   1. The verifier computes $$e=h(A|R|m)$$,
   2. This enables the verifier to check the message by comparing $$s\cdot G- R$$ and $$e\cdot A$$ . If they are equal, the signature is valid, else it's invalid. Because if $$A$$ chosed $$s=r+ea$$ at step 2.d, then: \
      $$s\cdot G- R = (r+ea)\cdot G-R=r\cdot G+e\cdot (a\cdot G)-R=e\cdot A$$&#x20;

This enforces that only the owner of the private key could have authorized the transaction, making Schnorr signature the key component of decentralized authentication. Of course a lot of extra security consideration are to be taken care of, but this gives a good general idea of how signing works.

In next chapter, we'll explain how to compute a field element from the message in a secured manner, by explaining how hash functions work.