{"id":38011,"date":"2024-06-18T13:01:00","date_gmt":"2024-06-18T10:01:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=38011"},"modified":"2025-08-30T00:31:21","modified_gmt":"2025-08-29T21:31:21","slug":"what-are-schnorr-signatures-and-how-are-they-used-in-bitcoin","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/what-are-schnorr-signatures-and-how-are-they-used-in-bitcoin\/","title":{"rendered":"What are Schnorr signatures and how are they used in Bitcoin?"},"content":{"rendered":"<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\">What are Schnorr signatures?<\/h2>\n<p>Schnorr signatures are a digital-signature scheme <a class=\"tracking_link\" href=\"https:\/\/publikationen.ub.uni-frankfurt.de\/opus4\/frontdoor\/deliver\/index\/docId\/4280\/file\/schnorr.pdf\" target=\"_blank\" rel=\"noopener\">proposed<\/a> in 1991 by the German cryptographer Claus Peter Schnorr. <\/p>\n<p>In 2020 it was included in <a class=\"tracking_link\" href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0340.mediawiki\" target=\"_blank\" rel=\"noopener\">BIP-340<\/a> as an alternative to the Elliptic Curves Digital Signature Algorithm (<a href=\"https:\/\/forklog.com\/en\/news\/what-is-ecdsa-in-bitcoin\">ECDSA<\/a>). The proposal was implemented on the Bitcoin network in November 2021.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\">What is a digital signature?<\/h2>\n<p>A digital signature is a mathematical scheme to verify two key characteristics of a digital message: authenticity (sent by a specific user) and integrity (not altered in transit).<\/p>\n<p>Using digital signatures, the Bitcoin protocol confirms the binding of a private key to a specific public address. Satoshi Nakamoto stressed their importance in the <a class=\"tracking_link\" href=\"https:\/\/bitcoin.org\/files\/bitcoin-paper\/bitcoin_ru.pdf\" target=\"_blank\" rel=\"noopener\">white paper<\/a> of the first cryptocurrency:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite><em>&#8220;We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.&#8221;<\/em><\/cite><\/p><\/blockquote>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\">Which digital signatures does Bitcoin use?<\/h2>\n<p>Originally the first cryptocurrency used only ECDSA \u2014 an open-source algorithm widely applied in 2008. Satoshi Nakamoto\u2019s choice is linked to the fact that, by the time the Bitcoin white paper was published, Schnorr signatures had not been standardised.<\/p>\n<p>In 2014 a discussion <a class=\"tracking_link\" href=\"https:\/\/bitcointalk.org\/index.php?topic=511074.0\" target=\"_blank\" rel=\"noopener\">began<\/a> on Bitcointalk about introducing Schnorr signatures into Bitcoin\u2019s protocol, and six years later Pieter Wuille, Jonas Nick and Tim Ruffing standardised them in <a class=\"tracking_link\" href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0340.mediawiki\" target=\"_blank\" rel=\"noopener\">BIP-340<\/a>. <\/p>\n<p>Schnorr signatures were implemented on 14 November 2021 as part of the Taproot upgrade at block height #709,632. Since then they have been used alongside ECDSA.<\/p>\n<\/div>\n<div class=\"wp-block-text-wrappers-cards single_card\">\n<h2 class=\"card_label\">How do Schnorr signatures improve on ECDSA?<\/h2>\n<p>The authors of BIP-340 highlight three main advantages of Schnorr signatures:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Provable security<\/strong>. Schnorr signatures are unforgeable under a chosen-message attack (<span data-descr=\"Strong Existential Unforgeability under Chosen Message Attack\" class=\"old_tooltip\">SUF-CMA<\/span>) in the random-oracle model, assuming a sufficiently hard <span data-descr=\"Elliptic Curve Discrete Logarithm Problem, the discrete logarithm problem in the group of points on an elliptic curve\" class=\"old_tooltip\">ECDLP<\/span>. ECDSA\u2019s security <a class=\"tracking_link\" href=\"https:\/\/hss-opus.ub.ruhr-uni-bochum.de\/opus4\/frontdoor\/index\/index\/docId\/6080\" target=\"_blank\" rel=\"noopener\">relies<\/a> on stronger assumptions. <\/li>\n<li><strong>Non-malleability<\/strong>. Schnorr signatures are provably non-malleable. ECDSA\u2019s malleability means an attacker can create a valid signature for a public key and message without access to the secret key. <\/li>\n<li><strong>Linearity<\/strong>. With Schnorr signatures, multiple interacting parties can create a valid signature for the sum of their public keys.<\/li>\n<\/ul>\n<p>The latter enables a <span data-descr=\"compared with ECDSA\" class=\"old_tooltip\">simpler<\/span> <a href=\"https:\/\/forklog.com\/en\/news\/singlesig-or-multisig-what-should-bitcoin-holders-choose\">multisig<\/a> scheme such as <a href=\"https:\/\/forklog.com\/en\/news\/blockstream-developers-unveil-new-multisignature-scheme\">MuSig2<\/a> through <span data-descr=\"several signatures are combined into one\" class=\"old_tooltip\">signature aggregation<\/span>.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/image1-589-1024x497.png\" alt=\"image1-589\" class=\"wp-image-235061\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/image1-589-1024x497.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/image1-589-300x146.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/image1-589-768x373.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/image1-589-1536x745.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/image1-589.png 1999w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Differences between ECDSA and the Schnorr scheme. Data: ForkLog.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite>&#8220;When using a Schnorr signature, a multisig transaction looks like a single-signature transaction, which enhances senders\u2019 privacy and makes life harder for on-chain analysts. The latter cannot immediately tie transactions to one person or a group of people,&#8221; comment representatives of the bitcoin mixer <a class=\"tracking_link\" href=\"https:\/\/mixer.money\/ru\/\" target=\"_blank\" rel=\"noopener\">Mixer.Money<\/a>.<\/cite><\/p><\/blockquote>\n<p>They note that Schnorr signatures are not enough to ensure anonymity:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n<cite><em>&#8220;Weak privacy remains a problem for Bitcoin. The community perceived Taproot as an upgrade to enhance confidentiality, but the only change was the impossibility of detecting a multisignature by means of blockchain analytics. The Schnorr scheme will not hide the sender and recipient of coins. To do this you still need to use bitcoin mixers or CoinJoin solutions.&#8221;<\/em><\/cite><\/p><\/blockquote>\n<p>In 2024 the latter\u2019s developers <a href=\"https:\/\/forklog.com\/en\/news\/samourai-wallet-founders-arrested-for-alleged-100-million-money-laundering\">faced<\/a> unprecedented pressure from regulators. According to Mixer.Money, this could lead to fewer users and harm the technology.<\/p>\n<p>Representatives of the service recommend looking at solutions capable of hiding the very fact of mixing coins. For example, in the <a class=\"tracking_link\" href=\"https:\/\/mixer.money\/ru\/how-it-works\/#2\" target=\"_blank\" rel=\"noopener\">\u201cFull anonymity\u201d<\/a> mode, Mixer.Money sends the user \u201cclean\u201d coins from large exchanges to eliminate the risk of receiving their own assets back or bitcoins of dubious origin.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>We explain Schnorr signatures, their use in Bitcoin and their advantages over ECDSA.<\/p>\n","protected":false},"author":1,"featured_media":38012,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"2","news_style_id":"1","cryptorium_level":"2","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[2113],"tags":[18],"class_list":["post-38011","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptorium","tag-bitcoin"],"aioseo_notices":[],"amp_enabled":true,"views":"194","promo_type":"2","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=38011"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38011\/revisions"}],"predecessor-version":[{"id":38013,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/38011\/revisions\/38013"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/38012"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=38011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=38011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=38011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}