Schnorr Signature | Bitcoin Glossary | Mapping Bitcoin

Schnorr Signature

Cryptography

Also known as: BIP340, Schnorr

A digital signature scheme activated on Bitcoin through the Taproot upgrade (BIP340). Schnorr signatures are mathematically simpler and more efficient than ECDSA, and their key property of linearity enables signature aggregation (MuSig), improving privacy and scalability.

Overview

Schnorr signatures, activated on Bitcoin through the Taproot soft fork in November 2021 (specified in BIP340), are a digital signature scheme that offers significant advantages over Bitcoin's original ECDSA signatures. Originally invented by Claus-Peter Schnorr in 1989, the scheme was under patent until 2008 — ironically, just before Bitcoin was created. The key mathematical property that makes Schnorr signatures valuable for Bitcoin is linearity, which enables multiple signatures to be combined into a single aggregate signature.

Schnorr vs. ECDSA

ECDSA Signature:                  Schnorr Signature:
┌────────────────────────┐        ┌────────────────────────┐
│ Components: (r, s)     │        │ Components: (R, s)     │
│ Size: 71-73 bytes      │        │ Size: 64 bytes (fixed) │
│ Verification: Complex  │        │ Verification: Simple   │
│ Aggregation: No        │        │ Aggregation: Yes       │
│ Batch verify: Limited  │        │ Batch verify: Yes      │
└────────────────────────┘        └────────────────────────┘

Signature Equation:
  ECDSA:   s = k⁻¹(z + r·d) mod n    (non-linear)
  Schnorr: s = k + e·d mod n          (linear!)
                    ▲
                    └── This linearity enables aggregation

Key Aggregation (MuSig)

The linearity of Schnorr signatures means that multiple parties can combine their individual public keys into a single aggregate public key and collaboratively produce a single aggregate signature. On-chain, this looks identical to a single-key spend:

3-of-3 Multisig Comparison:

With ECDSA (P2SH multisig):
  On-chain: 3 public keys + 3 signatures
  Size: ~297 bytes of witness data

With Schnorr + MuSig:
  On-chain: 1 aggregate key + 1 aggregate signature
  Size: ~64 bytes of witness data

  Indistinguishable from a single-signer transaction!

This has profound implications for privacy — a MuSig cooperative spend on a P2TR output looks exactly like a simple single-key payment to any outside observer.

Batch Verification

Schnorr signatures support efficient batch verification, where multiple signatures can be verified together faster than verifying each one individually. This is particularly valuable for nodes processing entire blocks of transactions, as it can significantly reduce the computational cost of block validation.

Why Bitcoin Initially Used ECDSA

When Satoshi Nakamoto created Bitcoin in 2008, the Schnorr signature patent had only recently expired, and ECDSA was the established, well-tested standard with broad library support. The Bitcoin community spent years designing and testing the Taproot upgrade to introduce Schnorr signatures safely and with full backward compatibility.

Common Misconception

Schnorr signatures do not replace ECDSA on Bitcoin. Both signature schemes coexist. ECDSA is still used for legacy, P2PKH, and SegWit v0 (P2WPKH) outputs. Schnorr is used exclusively in Taproot (P2TR) outputs. Existing addresses and transactions continue to work exactly as before.