Bitcoin Development: Schnorr Signatures

'

“We define an electronic coin as a chain of digital signatures.”

Satoshi Nakamoto

Digital signatures are a foundational technology of Bitcoin and other digital networks billions of people use every day. On digitally native networks like Bitcoin, digital signatures serve the functions of authorization and proof much like a hand-written signature on a check implies authorization to move funds or a finger-print on a door handle might serve as proof in a court of law. 

The Bitcoin protocol currently uses a particular signature algorithm called the Elliptic Curve Digital Signature Algorithm or ECDSA. But in the not too distant future a new signature algorithm called Schnorr signatures is expected to be a valid signature type on the Bitcoin network.

Schnorr signatures aid with two sensitive problems in the Bitcoin network: scaling and privacy. 

Scaling

There is only so much capacity on the Bitcoin network at any given moment in time to process transactions. Each block in the Bitcoin blockchain contains the relevant data needed to update the state of the network based on the intentions and activity of the network’s participants. Included in these blocks of data are digital signatures which act as the proof needed to move funds throughout the network. Currently, digital signatures make up 20-40% of each block’s capacity. 

ECDSA signatures are typically around 72 bytes per signature, where as Schnorr signatures are a maximum length of 64 bytes. This gives us about a 12% reduction in signature size. The use of Schnorr signatures in single signature transactions would help clear up a little more space for more transactions, but only slightly. Schnorr helps in this respect, but this isn’t what excites the Bitcoin development community. 

The big scaling gains come from Schnorr’s use in multi-signature transactions. The Schnorr signature algorithm contains a mathematical property that allows for something called “aggregation”, which is key to unlocking Schnorr’s scaling benefits.

Multi-Sig

Like the name implies, multi-signature (multi-sig) transactions require multiple signatures to move certain units of Bitcoin. 

For example, I could set up a multi-signature wallet that requires 2 unique digital signatures out of a possible set of 3 public keys that are authorized to move funds. Currently, the Bitcoin network will have to know each of the 3 public keys associated with the units of Bitcoin. In addition, the participants in the multi-sig will have to produce at least 2 valid ECDSA signatures to move the funds associated with the 3 public keys. In contrast, the Schnorr signature algorithm allows the 3 public keys to be aggregated into a single public key which enables the group to produce only 1 digital signature that represents multiple independent signatures. Instead of having to produce and include 3 different public keys and a few different signatures, Schnorr based signatures remove the requirement of multiple keys and signatures. Under a Schnorr signature regime, the Bitcoin network only has to know about and record 1 public key and 1 digital signature which mathematically represent the entire multi-signature scheme. 

The benefits of Schnorr signatures increase with the number of keys and signatures needed to move funds. Schnorr makes large multi-sig setups much more attractive to users and the network alike. It’ll reduce the costs of moving funds for users as well as reduce the scaling issues associated with heavier use of multi-sig transactions. 

A 2 of 3 multi-sig set up, leveraging Schnorr signatures, can reduce the number of public keys the Bitcoin network needs to know by 67% and reduces the number of signatures needed by 50%. If we expand the multi-sig scheme to a 10 of 15 set up we can reduce the number of public keys the Bitcoin protocol needs to know about by 93% and the number of signatures by 90%! That’s a huge potential reduction in data that the Bitcoin network has to keep track of and keep a history of. 

Keep in mind, digital signatures are just one part of a total transaction’s size or weight.  The numbers presented above are meant to illuminate the dramatic cut in information needed to transact out of a Schnorr based multi-sign wallet compared to an ECDSA based multi-sig wallet.  A 90% reduction in the number of signatures won’t reduce the total transaction size by 90%as signatures and keys are parts of the entire data set associated with a specific transaction. 

Privacy

Key aggregation not only improves scalability by dramatically cutting the amount of data needed to move funds in a multi-sig wallet, it also dramatically improves privacy for these types of transactions. 

To the Bitcoin network, multi-sig setups powered by the Schnorr signature algorithm look like one public key with one digital signature, even though the public key and digital signature are aggregations of multiple keys and multiple signatures. 

In the current regime all public keys included in a multi-signature scheme need to be known by the Bitcoin network. By aggregating those keys into one key, we’ve removed the network’s need to know those other keys. This increases the privacy of each person or organization in the multi-sig setup. The network will have no knowledge of the public keys needed to produce the aggregated public key and will have no idea which of the parties signed the transaction. 

MuSig

It’s unclear when Schnorr signatures will be included as a valid signature type in the Bitcoin protocol. A formal proposal named “MuSig” has already been offered up as a possible standardization of the Schnorr algorithm for the Bitcoin network’s purposes. 

The MuSig proposal was created early in 2018 by the teamwork of Yannick Seurin, Greg Maxwell, and Andrew Poelstra, 3 veteran Bitcoin developers. About a year later the team turned a theoretical paper into usable code that is currently undergoing extensive testing by the Bitcoin development community. The hope of MuSig’s creators is for the code to eventually be merged into Bitcoin Core, the dominant reference implementation of the Bitcoin protocol. When that will happen is up for speculation. 

Conclusion

There are always many ideas floating around in the Bitcoin development community, but Schnorr signatures seem to be one of the more popular proposed solutions that has excited many.  Schnorr not only improves the scalability and privacy of multi-signature use as we described above, but Schnorr also enables other proposals floating around in the Bitcoin development community like MAST and TapRoot. These proposals are beyond the scope of this post, but could be topics in later posts.

We look forward to the continued development of the Bitcoin protocol and Edge will be there every step of the way helping users get the most out of new updates to the Bitcoin network.

Leave a Reply

Your email address will not be published. Required fields are marked *