BIP 340: Schnorr Signatures for secp256k1
Authors: Pieter Wuille, Jonas Nick, Tim Ruffing
Status: Final
Type: Standards Track
Created: 2020-01-19
Activated: 2021-11-14 (with Taproot, Block 709,632)
Abstract
BIP 340 defines Schnorr signature verification for the secp256k1 elliptic curve used by Bitcoin. Schnorr signatures offer several advantages over the ECDSA scheme originally used in Bitcoin.
Why Schnorr?
Satoshi Nakamoto likely chose ECDSA over Schnorr for Bitcoin’s original design because the Schnorr patent (US Patent 4,995,082) did not expire until 2008, which left it unclear whether the scheme could be used freely. By 2020, the patent had long expired.
Advantages Over ECDSA
Provable Security: Schnorr signatures have a mathematical proof of security (under the random oracle model), while ECDSA’s security is only assumed.
Non-Malleability: Unlike ECDSA, Schnorr signatures have a unique valid representation, eliminating third-party malleability.
Linearity: The key property. Schnorr signatures are linear, meaning multiple signatures can be combined algebraically:
- Key aggregation — Multiple public keys can be aggregated into a single key
- Signature aggregation — Multiple parties can produce a single signature
- A multisig transaction looks identical to a single-sig transaction on-chain
Batch Verification: Multiple Schnorr signatures can be verified simultaneously, faster than verifying each independently.
Specification Choices
- Uses x-only public keys (32 bytes instead of 33) for efficiency
- Implicit Y-coordinate selection (even Y)
- Tagged hash functions for domain separation
- Non-deterministic nonce generation to protect against fault attacks
Significance
BIP 340 laid the cryptographic foundation for the Taproot upgrade (BIP 341). Together, they represent the most significant Bitcoin privacy and efficiency improvement since SegWit. The key aggregation property means that multisig wallets, Lightning Network channels, and complex smart contracts can all appear as simple single-signature payments on the blockchain.