In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm.
Unlike most blockchains, Bitcoin has remained relatively unchanged since its early days—most upgrades have been limited and were designed to enhance the network’s efficiency rather than its functionality. Updates to the Bitcoin protocol are rare, methodical, and generally reserved for technical enhancements to ensure the stability and security of the network.
One important Bitcoin upgrade was Taproot, which introduced several enhancements, among them Schnorr signatures. Schnorr signatures offer several benefits over the preceding mechanism (ECDSA) used for key generation and verification.
In this article, we’ll explain what Schnorr signatures are and how they make digital signatures on Bitcoin faster and more efficient.
Digital signatures are mathematical schemes used to verify the authenticity and integrity of digital messages. They provide a way to prove that a message was sent by a particular sender (authenticity) and has not been altered during transmission (integrity). In other words, a digital signature is not too dissimilar from a physical signature, whereby the sender is authenticating themselves through their unique handwriting with a particular intent.
Digital signatures are commonly utilized in software distribution, financial transactions, contract management software, and in many other cases where it is important to detect forgery or tampering.
The importance of digital signatures in Bitcoin is described by Satoshi Nakamoto in the Bitcoin whitepaper:
“We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.”
In the case of Bitcoin, a digital signature is used to validate the owner of the private key associated with an address without having to reveal the private key to the network. When a transaction is submitted to be included in a block, nodes on the Bitcoin network check if the signature matches the message and accept the transaction if it does.
What is a Schnorr Signature?
A Schnorr signature is a type of digital signature scheme that allows for the efficient and secure signing of transactions and messages. It was first described by Claus Schnorr in a 1991 paper.
An algorithm leveraging elliptic curve cryptography known for its simplicity, Schnorr was proposed to be included in Bitcoin’s technology roadmap as an upgrade from Elliptic Curve Digital Signature Algorithm (ECDSA). Schnorr is often touted for its simplicity, provable security, and linearity. As Schnorr requires fewer computations than ECDSA, it’s considered suitable for cryptocurrency transactions.
Benefits of Schnorr Signatures
Schnorr signatures offer several benefits, including high efficiency and increased privacy, while preserving all of ECDSA’s features and security assumptions. Schnorr allows for smaller signature sizes, faster verification times, and improved resistance against certain types of attacks.
The most significant benefit of Schnorr signatures is key aggregation—the ability to aggregate multiple signatures into one signature that is valid for the sum of its keys. In other words, Schnorr enables multiple collaborating parties to produce a signature that is valid for the sum of their public keys.
Key aggregation can reduce transaction fees and improve base-layer scalability as signatures coming from a multisignature setup take up the same amount of space in a block as signatures coming from a single-party transaction. This feature of Schnorr can be used to reduce the size of multisig payments and other multisig-related transactions, such as Lightning Network channel transactions.
Another important property of Schnorr signatures is non-malleability. In the context of digital signatures, malleability refers to the ability of an attacker to modify a valid signature in such a way that the modified signature is still valid and authenticates a different message than the original signature. This can cause serious issues for cryptocurrency applications, where a malicious attacker could modify a transaction signature to increase the amount of funds transferred or change the recipient of the funds.
Schnorr also offers notable privacy benefits. By allowing a multisignature scheme to be obscured and indistinguishable from a conventional single public key, Schnorr makes it significantly more difficult for an observer to differentiate between multisig spends and single-signature spends by observing on-chain activity. In addition, in n-of-m multisig setups, Schnorr makes it more difficult for observers to determine which participants did and didn’t sign a transaction.
Schnorr Signatures in Bitcoin
Schnorr signatures were implemented in BIP-340 within the Taproot soft fork upgrade, which was activated at block 709,632 on November 14, 2021. Like other Bitcoin upgrade proposals, Taproot was voted on by Bitcoin miners. Taproot was a collection of protocol improvements that introduced several new features altering the way transactions are processed on the blockchain and unlocking new scripting capabilities. Taproot is often considered the most important update to Bitcoin since the adoption of SegWit (Segregated Witness) in 2017.
Schnorr makes Bitcoin digital signatures faster, more secure, and easier to process. Notably, Schnorr signatures are backward-compatible with Bitcoin’s cryptography algorithm, allowing for them to be introduced via a soft fork upgrade.
Schnorr Signature vs. ECDSA
As mentioned, Schnorr signatures offer several advantages over ECDSA, including smaller signature sizes, faster verification times, and improved resistance against certain types of attacks. Schnorr signatures also allow for signature aggregation, which can reduce transaction fees and improve scalability.
It’s worth noting that while Schnorr signatures may be considered a better fit for Bitcoin, ECDSA is still widely used and is considered to be a secure signature scheme. The choice between Schnorr signatures and ECDSA may depend on the specific use case and security requirements.