What do Schnorr Signatures Mean for Bitcoin?
Domov
Články
What do Schnorr Signatures Mean for Bitcoin?

What do Schnorr Signatures Mean for Bitcoin?

Advanced
Zverejnené Jul 8, 2020Aktualizované Dec 28, 2022
6m

Introduction

As you may know, Bitcoin enforces ownership rights with something called the Elliptic Curve Digital Signature Algorithm (or ECDSA). The algorithm allows you to take one number (i.e., a private key) and derive a public key from it.

The magic of this is that, while it’s easy for you to get the public key from the private key, the reverse is impossible. Your private key is your passport to the Bitcoin network. It’s what allows you to generate an address for receiving coins, and what later allows you to spend them. 

In this article, we’ll take a look at the Schnorr signature algorithm, an alternative to ECDSA that could bring some exciting changes in Bitcoin.


A brief recap on digital signatures

Digital signatures work just like their pen-and-paper predecessors, but they’re a lot more secure. Anyone can forge a pen-and-paper signature with a bit of time and effort. You can’t do the same with a robust digital signature scheme, even if you had hundreds of thousands of years at your disposal.

There are several use cases for digital signatures. A popular one involves proving to the world that you wrote a particular message. As mentioned, you can create a public key from a private key (a massive number that you should keep secret). You do this by performing some fancy mathematics over the secp256k1 curve. From there, you can also generate a public address from your public key.

Note that it’s completely safe to show your public key to anyone. You can add it to your website or Twitter bio so that others can verify your identity. Likewise, you can share your public addresses with others so that they can send you cryptocurrencies.

Your private key allows you to create a digital signature. By writing a message and performing an operation on it using your private key, you create a signed message. Anyone can take that and compare it with your public key to check that it was indeed signed by you.

How does this tie into Bitcoin? Well, anytime you make a Bitcoin transaction, you’re digitally signing a message that says I am sending these coins that have been previously sent to me. Then, when it’s sent to other nodes on the network, they can check that the ECDSA signature matches the message. If it doesn’t, they’ll just reject it.


What are Schnorr signatures?

Schnorr signatures are a different kind of scheme. It operates similarly to the Elliptic Curve Digital Signature Algorithm which we use currently, but boasts a number of advantages over it. Schnorr signatures actually predate ECDSA, leading many to wonder why they weren’t integrated into Bitcoin from the start. 

One possible explanation is that Claus P. Schnorr – the scheme’s creator – patented them. The patents expired in early 2008, months before the Bitcoin white paper’s release, but the scheme still had no standardization across the board. As such, Satoshi Nakamoto opted for the more widely-accepted (and open-source) ECDSA.


Why are Schnorr signatures advantageous?

Schnorr signatures are quite simple compared to other schemes. As a result, they’re more provably secure than their alternatives. It might not mean much to you at first glance, but they have another powerful property: linearity

To put it in lay terms, this makes the scheme particularly attractive for certain activities – most notably, multisignature transactions. You may know that Bitcoin already supports multisig, but it doesn’t do so in the prettiest of ways.

When you create a multisignature address, whoever sends you funds doesn’t need to know what conditions you’ve set for spending the inputs. They might not even know that they’re sending funds to a multisig setup – the only peculiarity about the address is that it begins with a “3.” 

However, you reveal its nature when you want to move the funds. Say you’ve used a 3-of-3 setup along with Alice and Bob. To spend, say, 5 BTC, the three of you must provide the public keys and valid signatures. When you move the funds out of the address, the entire network can learn what’s happened by looking at the blockchain

From a privacy standpoint, this isn’t great. To add to this, if we create a bigger multisig  (e.g., 8-of-10), then we’re taking up quite a bit of space on the blockchain. That can be expensive, as it will result in a lengthy transaction – remember that the more bytes in your transaction, the more you need to pay.

Schnorr signatures have been touted as a solution to these privacy and scalability issues. You see, they allow for things like signature aggregation, which combine the signatures of multiple signers into a single signature. The resulting “master signature” would still be the same length as a regular, one-person signature, leading to significant space savings. 

In addition, the combined signatures make it a lot more difficult for an observer to determine who signed (or didn’t sign) a transaction. In m-of-m schemes (where all participants must sign to spend funds), you wouldn’t even be able to distinguish between single-party transactions and multisig ones.

Crucially, Schnorr signatures are a building block for further advancements. Once implemented, they can be leveraged to improve technologies in crypto such as atomic swaps and the Lightning Network.


➠ Looking to get started with cryptocurrency? Buy Bitcoin on Binance!


When will Schnorr signatures be implemented into Bitcoin?

We’re not sure. As with most upgrades to the Bitcoin protocol, it could take time for the broader community of Bitcoin users to agree on the Schnorr signature inclusion. Bitcoin Core contributors Pieter Wuille, Jonas Nick, and Tim Ruffing have submitted a draft Bitcoin Improvement Proposal (BIP), but there’s still a bit of work to be done.

Blockstream has already released an implementation – MuSig. Allowing for signature and key aggregation, it may well serve as the foundation for Bitcoin’s own Schnorr signature scheme.

Schnorr signatures could be merged into the code as a soft fork, meaning that a change would not split the network. Instead, it would be an “opt-in” upgrade. Nonetheless, it would be optimistic to assume that we’ll see them integrated in the near future – it could still take a couple of years before consensus is reached.


Closing thoughts

Schnorr signatures are one of the most highly-anticipated milestones on the current Bitcoin roadmap. With just a single upgrade, they can provide significant privacy and scalability benefits. Perhaps more interestingly, they also set the scene for further developments in Bitcoin smart contracts and more advanced constructs like Taproot.