What are Schnorr signatures and how are they used in Bitcoin?

What are Schnorr signatures?

Schnorr signatures are a digital-signature scheme proposed in 1991 by the German cryptographer Claus Peter Schnorr.

In 2020 it was included in BIP-340 as an alternative to the Elliptic Curves Digital Signature Algorithm (ECDSA). The proposal was implemented on the Bitcoin network in November 2021.

What is a digital signature?

A digital signature is a mathematical scheme to verify two key characteristics of a digital message: authenticity (sent by a specific user) and integrity (not altered in transit).

Using digital signatures, the Bitcoin protocol confirms the binding of a private key to a specific public address. Satoshi Nakamoto stressed their importance in the white paper of the first cryptocurrency:

“We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.”

Which digital signatures does Bitcoin use?

Originally the first cryptocurrency used only ECDSA — an open-source algorithm widely applied in 2008. Satoshi Nakamoto’s choice is linked to the fact that, by the time the Bitcoin white paper was published, Schnorr signatures had not been standardised.

In 2014 a discussion began on Bitcointalk about introducing Schnorr signatures into Bitcoin’s protocol, and six years later Pieter Wuille, Jonas Nick and Tim Ruffing standardised them in BIP-340.

Schnorr signatures were implemented on 14 November 2021 as part of the Taproot upgrade at block height #709,632. Since then they have been used alongside ECDSA.

How do Schnorr signatures improve on ECDSA?

The authors of BIP-340 highlight three main advantages of Schnorr signatures:

• Provable security. Schnorr signatures are unforgeable under a chosen-message attack (SUF-CMA) in the random-oracle model, assuming a sufficiently hard ECDLP. ECDSA’s security relies on stronger assumptions.
• Non-malleability. Schnorr signatures are provably non-malleable. ECDSA’s malleability means an attacker can create a valid signature for a public key and message without access to the secret key.
• Linearity. With Schnorr signatures, multiple interacting parties can create a valid signature for the sum of their public keys.

The latter enables a simpler multisig scheme such as MuSig2 through signature aggregation.

“When using a Schnorr signature, a multisig transaction looks like a single-signature transaction, which enhances senders’ privacy and makes life harder for on-chain analysts. The latter cannot immediately tie transactions to one person or a group of people,” comment representatives of the bitcoin mixer Mixer.Money.

They note that Schnorr signatures are not enough to ensure anonymity:

“Weak privacy remains a problem for Bitcoin. The community perceived Taproot as an upgrade to enhance confidentiality, but the only change was the impossibility of detecting a multisignature by means of blockchain analytics. The Schnorr scheme will not hide the sender and recipient of coins. To do this you still need to use bitcoin mixers or CoinJoin solutions.”

In 2024 the latter’s developers faced unprecedented pressure from regulators. According to Mixer.Money, this could lead to fewer users and harm the technology.

Representatives of the service recommend looking at solutions capable of hiding the very fact of mixing coins. For example, in the “Full anonymity” mode, Mixer.Money sends the user “clean” coins from large exchanges to eliminate the risk of receiving their own assets back or bitcoins of dubious origin.