BIP Proposal for 64-byte Elliptic Curve Schnorr Signatures

One of the core components of Bitcoin is its digital signature algorithm, which is used in making public keys out of private keys, signing transactions, and in multisig transactions. Bitcoin has so far used the Elliptic Curve Digital Signature Algorithm (ECDSA). For the past few months, developers in the Bitcoin community have been talking about changing this algorithm to another one called Schnorr signatures.

Schnorr is another signing algorithm that brings multiple benefits to the table. A new BIP was recently submitted by Pieter Wuille about the changes that should happen in the future to Bitcoin’s signing algorithm, with all the bells and whistles they should bring. The security of Schnorr is easily provable given a certain assumption; this is not the case for ECDSA.

Schnorr is linear, meaning multiple parties have the option to collaborate to produce a signature that is valid for the sum of their public keys. This is a building block in a lot of high-level applications, most notably one called MuSig. MuSig allows several participants to produce a single public key that they all sign for, allowing for much more private and efficient multisig payments that appear to other nodes as if they were ordinary transactions.

Thanks to Schnorr, this can be used for both n-of-n and k-of-n multisig transactions. Schnorr is also used for batch validation. ECDSA is made in a way that batching transactions provides no extra efficiency over processing them individually, whereas Schnorr provides a logarithmic improvement, giving a time complexity of O(N/log(N)) instead of the O(N) complexity provided by ECDSA.

Other applications enabled by Schnorr are blind signatures and adaptor signatures. Blind signatures are a way to request a signature from a party without the party knowing what they are signing. This is used in something called Partially Blind Atomic Swaps, in which an untrusted escrow can be used to facilitate a transaction between two parties without knowing which output is going to which party.

Adaptor signatures can be produced by a signer by offsetting their public nonce with a point T = tG while leaving their private nonce untouched. A correct signature can then be obtained by taking the adaptor signature and offsetting it by t, which means that t becomes a learned parameter. This can be used to make atomic swaps or general payment channels that are guaranteed by the signature itself, rather than by Bitcoin Script. Adaptor signatures have multiple benefits, such as improved privacy and efficiency, allowing long transaction chains to become atomic, and repurposing outputs for different applications without blockchain recourse.

With major benefits in privacy and efficiency, Schnorr can be a major upgrade for Bitcoin, especially in the multisig and atomic swaps department. We’ll be watching the BIP for more news!

