What are Bitcoin Schnorr Signatures?

If you like what you read, feel free to share it:

Developers are always coming up with innovative features for the blockchain family. Final testing has begun for the Segregated Witness that increases capacity. That allows more transactions on the network, simultaneously solving transaction malleability. It introduces script versioning, a Bitcoin protocol extension, paving a way for a new category of innovations. One such innovation, eagerly awaited by many Bitcoin developers, is the Schnorr signatures. With the forthcoming release of Segregated Witness, application of the Schnorr cryptographic signature algorithm could follow soon after. It could potentially improve privacy, efficiency, and scalability of Bitcoin.

How this is possible?

Bitcoin is built around a mathematical concept called public key cryptography, a system that uses two kinds of number strings, private and public keys. They are both linking mathematically, and while it is easy to produce a public key from a private one, it is near impossible to do it vice versa. If someone wants to access a particular Bitcoin address, he must first prove the ownership of the private key linked to that address. One way of doing this, without revealing the whole private key, is using a cryptographic signature. You can create it in a calculation using the private key and the transaction data. Thus anyone knowing the public key can verify the private key without actually owning it. The owner can sign a transaction without fear of revealing the private key.

This is where the Schnorr signatures come in.

Named after its inventor Claus-Peter Schnorr, it encompasses series of mathematical rules that link together the signature with private and public keys. Many experts consider Schnorr signatures to be the best in the field. They are relatively fast to verify, offer a high level of correctness, do not suffer from malleability and support multisignature. Meaning that several signatures aggregate into a new single signature.

Why not implement it?

Schnorr has not been implemented yet because Bitcoin uses Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme. Also, it would be impossible to change it without a hard fork. That is why SegWit is so important in this context. Moreover, it is a separate part of the transaction and includes all signature data, so the old Bitcoin protocol doesn’t need adjustments. However, script versioning allows implementing changes, in our case, the signature scheme, to the witness through a soft fork.

Advantages of the Schnorr update

Arguably, the most beneficent property of Schnorr, is multisignature aggregation, allowing users to send coins from multiple addresses simultaneously. Each of these inputs requires its own unique signature to be included in the transaction and sent over the network, making multisig slow and cumbersome. Schnorr allows using just one combined signature for all the participating parties, offering an obvious advantage and freeing up more room for transactions. The exact numbers would depend on the specific transaction types included in the block. A rough estimate would be around 40 percent (on top of the 60- 100 percent already gained by the SegWit). This would also allow for much more complex smart contract constructions (two-of-three, three-of-fifteen, hundred-of-hundred etc.) using the same amount of data as for a single signature.

But wait, there is more!

Another interesting benefit Schnorr signatures can offer is incentivized privacy. A trick to improve privacy, CoinJoin, allows combining multiple transactions by different users into a single transaction. This transaction would include multiple inputs from different sources and send money to multiple outputs. Done correctly, CoinJoin would drastically improve privacy, because nobody could track which inputs paid for which outputs, making it impossible to track each individual person in the given transaction.

CoinJoin is not a new invention but up until now it was quite unpractical as those using it would automatically become suspicious. However, with Schnorr signatures, users could not only combine the transactions but signatures as well. With the added benefit of a reduced size of a transaction. Therefore, using the Schnorr algorithm would not only increase privacy, but also lower the cost for everyone involved, actually the most private option would be also the cheapest one, meaning most users will opt for it, making Bitcoin more private in the long run.

Source:

Laura Savu “SIGNCRYPTION SCHEME BASED ON SCHNORR DIGITAL SIGNATURE” University of Bucharest, Romania
Hiraku Morita, Jacob C.N. Schuldt, Takahiro Matsuda, Goichiro Hanaoka, and Tetsu Iwata “On the Security of the Schnorr Signature Scheme and DSA against Related-Key Attacks” Nagoya University, Nagoya, Japan
C.P. Schnorr “EFFICIENT IDENTIFICATION AND SIGNATURES FOR SMART CARDS” Frankfurt University
https://en.wikipedia.org/wiki/Schnorr_signature
https://en.wikipedia.org/wiki/Proof_of_knowledge
https://en.wikipedia.org/wiki/Claus_P._Schnorr
https://en.wikipedia.org/wiki/SegWit
https://en.wikipedia.org/wiki/Bitcoin_scalability_problem#Soft_fork
https://docs.decred.org/research/schnorr-signatures/
https://bitcoincore.org/en/2017/03/23/schnorr-signature-aggregation/
https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

Photo by Markus Spiske temporausch.com from Pexels