As you may know, Bitcoin enforces ownership of coins with something called the Elliptic Curve Digital Signature Algorithm (or ECDSA). The elliptic curve arithmetic underneath it allows you to take one number (i.e., a private key) and derive a public key from it.
The magic of this is that, while it’s easy for you to get the public key from the private key, the reverse (recovering the private key from the public key) is computationally infeasible. Your private key is your passport to the Bitcoin network. It’s what allows you to generate an address for receiving coins, and what later allows you to spend them.
In this article, we’ll take a look at the Schnorr signature algorithm, an alternative to ECDSA that could bring some exciting changes in Bitcoin.
Digital signatures serve the same purpose as their pen-and-paper predecessors, but they’re a lot more secure. Anyone can forge a pen-and-paper signature with a bit of time and effort. You can’t do the same with a robust digital signature scheme, even if you had hundreds of thousands of years at your disposal.
There are several use cases for digital signatures. A popular one involves proving to the world that a particular message came from you, the holder of a given private key. As mentioned, you can create a public key from a private key (a massive number that you should keep secret). You do this by performing some fancy mathematics over the secp256k1 curve. From there, you can also generate a public address by hashing your public key.
Note that it’s completely safe to show your public key to anyone. You can add it to your website or Twitter bio so that others can verify that messages signed with the matching private key really came from you. Likewise, you can share your public addresses with others so that they can send you cryptocurrencies.
Your private key allows you to create a digital signature. By writing a message and performing an operation on it using your private key, you create a signed message. Anyone who has the message, the signature, and your public key can check that the signature was produced with the matching private key, without ever learning that key.
How does this tie into Bitcoin? Well, anytime you make a Bitcoin transaction, you’re digitally signing a message that says I am sending these coins that have been previously sent to me. Then, when it’s sent to other nodes on the network, they can check that the ECDSA signature matches both the message and the public key the coins were locked to. If it doesn’t, they’ll just reject it.
Schnorr signatures are a different kind of scheme. They operate similarly to the Elliptic Curve Digital Signature Algorithm which we use currently, but boast a number of advantages over it. Schnorr signatures actually predate ECDSA, leading many to wonder why they weren’t integrated into Bitcoin from the start.
One possible explanation is that Claus P. Schnorr, the scheme’s creator, patented them. The patents expired in early 2008, months before the Bitcoin white paper’s release, but the scheme still had no standardization across the board. As such, Satoshi Nakamoto opted for ECDSA, which was unpatented, already standardized, and available in mature open-source libraries such as OpenSSL.
Schnorr signatures are quite simple compared to other schemes. As a result, they have a cleaner security proof than their alternatives: forging a Schnorr signature is provably as hard as solving the discrete logarithm problem (in the random oracle model), a guarantee ECDSA lacks. It might not mean much to you at first glance, but they have another powerful property: linearity. Signatures are built from sums of secret values, so signatures from several keys can be added together into one.
To put it in lay terms, this makes the scheme particularly attractive for certain activities – most notably, multisignature transactions. You may know that Bitcoin already supports multisig, but it doesn’t do so in the prettiest of ways.
When you create a multisignature address, whoever sends you funds doesn’t need to know what conditions you’ve set for spending the inputs. They might not even know that they’re sending funds to a multisig setup. The only peculiarity about the address is that it begins with a “3,” which marks it as a pay-to-script-hash (P2SH) address.
However, you reveal its nature when you want to move the funds. Say you’ve used a 3-of-3 setup along with Alice and Bob. To spend, say, 5 BTC, the spending transaction must reveal the redeem script, which contains all three public keys, together with three valid signatures. When you move the funds out of the address, the entire network can learn what’s happened by looking at the blockchain.
From a privacy standpoint, this isn’t great. To add to this, if we create a bigger multisig (e.g., 8-of-10), then we’re taking up quite a bit of space on the blockchain. That can be expensive, as it will result in a lengthy transaction – remember that the more bytes in your transaction, the more you need to pay.
Schnorr signatures have been touted as a solution to these privacy and scalability issues. You see, they allow for things like signature aggregation, which combines the signatures of multiple signers into a single signature. The resulting “master signature” would still be the same length as a regular, one-person signature (64 bytes under the proposed encoding), leading to significant space savings.
In addition, the aggregated signature makes it a lot more difficult for an observer to determine who signed (or didn’t sign) a transaction. In m-of-m schemes (where all participants must sign to spend funds), you wouldn’t even be able to distinguish between single-party transactions and multisig ones, because the chain only ever sees one public key and one signature.
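To make the linearity and aggregation described above concrete, here is a from-scratch Schnorr implementation over secp256k1 in pure Python. It is an added example written for this article, not code from Bitcoin Core, BIP340 or MuSig: the challenge hash, point encoding and aggregation steps are simplified for readability and are not the BIP340 rules, and the nonce handling is not hardened. It signs and verifies a single-party message (the digital signature flow from earlier in the article), aggregates a 3-of-3 signature into one ordinary-sized signature under one aggregate key, and then shows the rogue-key attack on plain key addition, which is the reason schemes such as MuSig weight each key before adding them. The message “send 5 BTC” is a constructed sample.

```python
"""Toy Schnorr signatures over secp256k1, written to illustrate linearity.
Added example: simplified encoding and hashing, not BIP340 or MuSig."""
import hashlib
import secrets

# secp256k1 domain parameters (the same curve Bitcoin uses for ECDSA)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication k*p (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p = point_add(p, p)
        k >>= 1
    return acc


def point_neg(p):
    return (p[0], (-p[1]) % P)


def encode(p):
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")


def challenge(R, pub, msg):
    """e = H(R || P || m). Hashing the public key in ("key prefixing")
    is also what BIP340 does; the exact encoding here is simplified."""
    digest = hashlib.sha256(encode(R) + encode(pub) + msg).digest()
    return int.from_bytes(digest, "big") % N


def keygen():
    x = 1 + secrets.randbelow(N - 1)     # private key: a secret scalar
    return x, point_mul(x, G)            # public key: a curve point


def sign(x, msg):
    """Single-party Schnorr: s = k + e*x with a fresh random nonce k."""
    k = 1 + secrets.randbelow(N - 1)
    R = point_mul(k, G)
    e = challenge(R, point_mul(x, G), msg)
    return R, (k + e * x) % N


def verify(pub, msg, sig):
    """Checks s*G == R + e*P, which holds iff s was built from the key."""
    R, s = sig
    e = challenge(R, pub, msg)
    return point_mul(s, G) == point_add(R, point_mul(e, pub))


def aggregate_sign(privs, msg):
    """Naive n-of-n aggregation: public keys, nonces and s-values add up.
    Returns one aggregate key and one signature of ordinary size."""
    agg_pub = None
    for x in privs:
        agg_pub = point_add(agg_pub, point_mul(x, G))
    nonces = [1 + secrets.randbelow(N - 1) for _ in privs]
    R = None
    for k in nonces:
        R = point_add(R, point_mul(k, G))
    e = challenge(R, agg_pub, msg)       # all signers hash the same R and key
    s = sum(k + e * x for k, x in zip(nonces, privs)) % N
    return agg_pub, (R, s)


def rogue_key_attack(honest_pub, attacker_priv, msg):
    """Why plain key addition is unsafe: the attacker announces
    P_claimed = P_attacker - P_honest, so P_honest + P_claimed = P_attacker,
    a key only the attacker controls. MuSig's per-key coefficients exist
    precisely to stop this."""
    attacker_pub = point_mul(attacker_priv, G)
    claimed = point_add(attacker_pub, point_neg(honest_pub))
    agg_pub = point_add(honest_pub, claimed)
    return agg_pub, sign(attacker_priv, msg)   # no honest key involved


if __name__ == "__main__":
    msg = b"send 5 BTC"                         # constructed sample message
    x, pub = keygen()
    print("single signature verifies:", verify(pub, msg, sign(x, msg)))
    keys = [keygen()[0] for _ in range(3)]     # you, Alice and Bob: 3-of-3
    agg_pub, sig = aggregate_sign(keys, msg)
    print("3-of-3 aggregate verifies:", verify(agg_pub, msg, sig))
    evil_agg, evil_sig = rogue_key_attack(point_mul(keys[0], G), keygen()[0], msg)
    print("rogue-key forgery verifies:", verify(evil_agg, msg, evil_sig))
```

The aggregate signature verifies because s·G = (Σk)·G + e·(Σx)·G = R + e·P_agg, which is exactly the single-signer check with the sums substituted in; a verifier cannot tell whether one key or three stand behind P_agg. The same linearity is what lets the attacker in `rogue_key_attack` cancel the honest key out of the sum, which is why a real deployment must use a scheme like MuSig rather than adding keys directly.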
When will Schnorr signatures arrive in Bitcoin? Nobody can say for certain. As with most upgrades to the Bitcoin protocol, it could take time for the broader community of Bitcoin users to agree on the Schnorr signature inclusion. Bitcoin Core contributors Pieter Wuille, Jonas Nick, and Tim Ruffing have submitted a draft Bitcoin Improvement Proposal (BIP 340, “Schnorr Signatures for secp256k1”), but there’s still a bit of work to be done.
Blockstream researchers have already published MuSig, a Schnorr-based multisignature scheme with a reference implementation. Allowing for signature and key aggregation, it may well serve as the foundation for Bitcoin’s own Schnorr multisig. One detail worth knowing: simply adding public keys together is not safe, because a malicious participant can choose a key that cancels out the others and then spend alone (a so-called rogue-key attack). MuSig weights each key before combining them so that this trick no longer works.
Schnorr signatures could be deployed as a soft fork, meaning that the change would not split the network: older nodes would still accept the new blocks, and the upgrade would effectively be “opt-in.” Nonetheless, it would be optimistic to assume that we’ll see them integrated in the near future. It could still take a couple of years before consensus is reached.
Schnorr signatures are one of the most highly-anticipated milestones on the current Bitcoin roadmap. With just a single upgrade, they can provide significant privacy and scalability benefits. Perhaps more interestingly, they also set the scene for further developments in Bitcoin smart contracts and more advanced constructs like Taproot.