Schnorr signatures represent a different type of scheme. They function in a way that’s quite similar to the Elliptic Curve Digital Signature Algorithm that we currently use, but they come with several benefits. Interestingly, Schnorr signatures were around before ECDSA, which raises the question of why they weren’t included in Bitcoin from the beginning. One theory is that Claus P. Schnorr, the inventor of the scheme, had them patented. Those patents lapsed in early 2008, just a few months before the Bitcoin white paper was published, yet the scheme still lacked a universal standard. Because of this, Satoshi Nakamoto chose to go with the more commonly accepted (and open-source) ECDSA.
The Pros
Schnorr signatures are pretty straightforward when you compare them to other methods. Because of this, they offer a higher level of provable security than their counterparts. At first glance, this might not seem significant, but they also have a cool feature: linearity.
In simple terms, this makes the scheme especially appealing for certain tasks – particularly multisignature transactions. You might be aware that Bitcoin has multisig support, but it’s not the most user-friendly.
When you set up a multisignature address, the person sending you money doesn’t need to know the conditions you’ve established for spending the inputs. They might not even realize they’re sending money to a multisig address – the only thing that stands out is that it starts with a “3.”
However, the true nature of the address comes to light when you want to access the funds. For instance, if you’ve set up a 3-of-3 arrangement with Alice and Bob, to spend, let’s say, 5 BTC, all three of you need to provide the public keys and valid signatures. Once you move the funds from the address, the entire network can see what’s going on by checking the blockchain.
From a privacy perspective, this isn’t ideal. Plus, if we create a larger multisig (like an 8-of-10), we end up using a lot of space on the blockchain. This can get pricey, as longer transactions mean higher fees – keep in mind that the more bytes your transaction has, the more you’ll need to pay.
Schnorr signatures have been promoted as a fix for these privacy and scalability challenges. They enable features like signature aggregation, which merges the signatures of multiple signers into one single signature. The resulting “master signature” would still be the same size as a regular signature from one person, leading to considerable space savings.
Moreover, the combined signatures make it much harder for someone watching to figure out who signed (or didn’t sign) a transaction. In m-of-m setups (where every participant must sign to access funds), you wouldn’t even be able to tell who was involved.
Schnorr signatures be implemented into Bitcoin
We’re not really sure. Like with most upgrades to the Bitcoin protocol, it might take a while for the wider Bitcoin community to come to a consensus on including Schnorr signatures. Bitcoin Core contributors Pieter Wuille, Jonas Nick, and Tim Ruffing have put together a draft Bitcoin Improvement Proposal (BIP), but there’s still some work left to do.
Blockstream has already rolled out an implementation called MuSig. This allows for signature and key aggregation, and it could potentially lay the groundwork for Bitcoin’s own Schnorr signature scheme.
Schnorr signatures might be integrated into the code as a soft fork, which means the change wouldn’t split the network. Instead, it would be an “opt-in” upgrade. However, it would be a bit too optimistic to think we’ll see them integrated anytime soon – it might still take a couple of years before everyone is on the same page.
Conclusion
Schnorr signatures are among the most eagerly awaited milestones on the current Bitcoin roadmap. With just one upgrade, they can offer major privacy and scalability advantages. Even more intriguingly, they pave the way for future advancements in Bitcoin smart contracts and more sophisticated features like Taproot.