BIP340 - Schnorr Signatures

BIP340 (Bitcoin Improvement Proposal 340) is one of the Bitcoin improvement proposals, put forward by Pieter Wuille, Jonas Nick, and Tim Ruffing in 2020. It defines the standard for using Schnorr signatures on the secp256k1 elliptic curve. This is a major technical upgrade to the Bitcoin protocol, laying the groundwork for Taproot (BIP341) and Tapscript (BIP342).

Core Concept

The Schnorr signature is a digital signature scheme proposed by German mathematician and cryptographer Claus Schnorr in 1989. Compared to ECDSA (Elliptic Curve Digital Signature Algorithm), which Bitcoin had long used, Schnorr signatures possess superior mathematical properties, including provable security, linearity, and greater efficiency.

BIP340 is the specific implementation specification for Schnorr signatures in Bitcoin. It defines:

  • Signing and verification algorithms
  • Serialization formats for public keys and signatures
  • Batch verification methods

Key Features

1. Signature Aggregation

The linear property of Schnorr signatures allows multiple signatures to be aggregated into one:

sig(k1 + k2, m) = sig(k1, m) + sig(k2, m)

This means:

  • Multisignature transactions can be combined into a single signature
  • Significantly reduces transaction size and verification cost
  • Improves privacy, as outsiders cannot distinguish single-sig from multisig

2. Key Aggregation

Multiple public keys can be aggregated into one:

  • Multiple parties can collaboratively generate a joint public key
  • Only one signature is needed to prove authorization from all parties
  • Secure multi-party signing is achieved using protocols like MuSig2

3. Fixed-Size Signatures

BIP340 signatures are fixed at 64 bytes:

  • More compact than ECDSA's 71-72 bytes
  • Public keys are 32 bytes (x-coordinate only)
  • Simplifies serialization and storage

4. Batch Verification

Supports efficient batch signature verification:

  • Multiple signatures can be verified simultaneously
  • Verification speed improvement of approximately 2-3x
  • Particularly useful for block verification

5. Provable Security

Schnorr signatures have provable security under the random oracle model:

  • Based on the discrete logarithm hardness assumption
  • Stronger theoretical foundation compared to ECDSA
  • Reduces potential security vulnerabilities

Technical Details

Public Key Format

BIP340 uses a 32-byte public key format:

  • Contains only the x-coordinate of the elliptic curve point
  • The y-coordinate is implicitly even (ensured by selection)
  • Significant space savings compared to the traditional 33-byte compressed public key

Signature Format

The signature consists of two parts (32 bytes each):

signature = (R, s)

  • R: x-coordinate of the random point (32 bytes)
  • s: signature scalar (32 bytes)
  • Total: 64 bytes fixed size

Signing Algorithm

  1. Generate random number k
  2. Compute R = k*G (G is the generator point)
  3. If R's y-coordinate is odd, negate k
  4. Compute the challenge value e = hash(R.x || P || m)
  5. Compute s = k + e*d (d is the private key)
  6. Return signature (R.x, s)

Verification Algorithm

  1. Parse the signature as (r, s)
  2. Compute the challenge value e = hash(r || P || m)
  3. Compute point R' = sG - eP
  4. Verify that R'.x == r and R'.y is even
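
The signing and verification steps above, written out as an added Python example (not code from the original page or from the BIP340 authors). It follows the BIP340 specification's default signing, so "hash" is the tagged hash and k is derived from the secret key, the message and 32 bytes of auxiliary randomness; the helper names (add, mul, lift_x, b32, num) are this example's own, and the arithmetic is not constant-time.

```python
import hashlib

p = 2**256 - 2**32 - 977  # secp256k1 field prime; n = group order, G = generator
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
b32 = lambda i: i.to_bytes(32, "big")
num = lambda b: int.from_bytes(b, "big")

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], p - 2, p) % p
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], p - 2, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, P):  # double-and-add; NOT constant-time, illustration only
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def tagged_hash(tag, msg):  # SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def lift_x(x):  # x-only key -> curve point with even y, or None
    y = pow(pow(x, 3, p) + 7, (p + 1) // 4, p)
    if x >= p or (y * y - pow(x, 3, p) - 7) % p: return None
    return (x, y if y % 2 == 0 else p - y)

def sign(d, msg, aux):  # aux: 32 bytes of fresh randomness
    if not 0 < d < n: raise ValueError("secret key out of range")
    P = mul(d, G)
    if P[1] % 2: d = n - d                      # key is x-only, so force even y
    t = b32(d ^ num(tagged_hash("BIP0340/aux", aux)))
    k = num(tagged_hash("BIP0340/nonce", t + b32(P[0]) + msg)) % n
    if k == 0: raise ValueError("zero nonce")
    R = mul(k, G)                               # R = k*G
    if R[1] % 2: k = n - k                      # negate k if R.y is odd
    e = num(tagged_hash("BIP0340/challenge", b32(R[0]) + b32(P[0]) + msg)) % n
    return b32(R[0]) + b32((k + e * d) % n)     # (R.x, s) with s = k + e*d

def verify(px, msg, sig):
    P, r, s = lift_x(num(px)), num(sig[:32]), num(sig[32:])
    if len(px) != 32 or len(sig) != 64 or P is None or r >= p or s >= n: return False
    e = num(tagged_hash("BIP0340/challenge", sig[:32] + px + msg)) % n
    R = add(mul(s, G), mul(n - e, P))           # R' = sG - eP
    return R is not None and R[1] % 2 == 0 and R[0] == r
```

The check passes because sG - eP = (k + e*d)G - e(dG) = kG = R, and both k and d were normalised so that R and P have even y.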

Technical Advantages

Space Efficiency

  • Signature size: 64 bytes (ECDSA is 71-72 bytes)
  • Public key size: 32 bytes (compressed ECDSA is 33 bytes)
  • Multisignature: N-of-N multisig requires only 1 signature (ECDSA requires N)

Performance Advantages

  • Verification speed: Single signature verification is comparable to ECDSA
  • Batch verification: Multiple signatures can be batch-verified, 2-3x speed improvement
  • Aggregation efficiency: Signature aggregation has virtually no additional cost

Privacy Enhancement

  • Multisig privacy: Aggregated signatures make multisig indistinguishable from single-sig on-chain
  • Script privacy: Combined with Taproot, complex scripts can be hidden as simple payments
  • Delinking: Reduces possibilities for on-chain analysis

Scalability

  • Transaction capacity: Same block space can accommodate more transactions
  • Verification efficiency: Faster node verification
  • Network bandwidth: Reduces data transfer volume

Relationship with Other BIPs

BIP341 (Taproot)

BIP340 is the foundation of Taproot:

  • Taproot uses Schnorr signatures as witness signatures
  • Key path spending uses BIP340 signatures
  • Achieves script privacy and efficiency improvements

BIP342 (Tapscript)

Signature verification in Tapscript uses BIP340:

  • OP_CHECKSIG and OP_CHECKSIGVERIFY support Schnorr
  • Batch verification optimizes script execution
  • New opcodes leverage Schnorr properties

BIP32 (HD Wallets)

Compatible with existing hierarchical deterministic wallets:

  • Can use the same key derivation paths
  • BIP86 defines the standard path for Taproot
  • Backward compatible, no need to change wallet architecture

Security Considerations

1. Random Number Generation

The random number k in the signing process must:

  • Use a cryptographically secure random number generator
  • Use a different k for each signature
  • Never be reused, otherwise the private key can be derived

BIP340 recommends using deterministic random numbers (RFC 6979):

  • Derives k from the private key and message
  • Avoids the risks of hardware random number generators
  • Ensures reproducibility and security

2. Key Aggregation Attacks

Multi-party key aggregation must guard against rogue key attacks:

  • Use secure protocols like MuSig2
  • Each participant must prove private key ownership
  • Avoid simple public key addition

3. Side-Channel Attacks

Implementation considerations:

  • Use constant-time algorithms
  • Prevent timing analysis attacks
  • Protect the random number generation process

4. Message Hashing

BIP340 uses SHA256 as a tagged hash:

  • Prevents cross-protocol attacks
  • Uses domain separation techniques
  • Ensures signatures are only valid in the Bitcoin context

Practical Applications

Taproot Addresses

Taproot addresses (bech32m format, starting with bc1p) use BIP340 signatures:

bc1p... -> Taproot output
         |-- Key path spending uses Schnorr signature

Multisignature

Multisig using the MuSig2 protocol:

  • 2-of-2, 3-of-3 multisig requires only one signature
  • On-chain, single-sig and multisig are indistinguishable
  • Significantly saves fees and space

Lightning Network

The Lightning Network uses Schnorr signatures:

  • Reduces channel opening and closing costs
  • Improves privacy
  • Supports more complex payment paths

Atomic Swaps

Cross-chain atomic swaps can use Schnorr:

  • Adapter Signatures
  • Implements scriptless conditional payments
  • Improves efficiency and privacy

Compatibility and Deployment

Soft Fork Activation

BIP340 was activated as part of the Taproot upgrade in November 2021:

  • Via the Speedy Trial activation mechanism
  • Backward compatible, old nodes can still validate blocks
  • New transaction types are transparent to old nodes

Wallet Support

Major wallets are gradually adding support for Taproot/Schnorr:

  • Hardware wallets: Ledger, Trezor, Coldcard
  • Software wallets: Bitcoin Core, Sparrow, Electrum
  • Libraries and tools: libsecp256k1, btcd, rust-bitcoin

Ecosystem Adoption

  • Exchanges: Gradually supporting Taproot deposits and withdrawals
  • DeFi protocols: Lightning Network, sidechain integration
  • Enterprise applications: Batch payments, custody services

Comparison with ECDSA

Feature                  BIP340 Schnorr                ECDSA
Signature Size           64 bytes                      71-72 bytes
Public Key Size          32 bytes                      33 bytes (compressed)
Signature Aggregation    Supported                     Not supported
Batch Verification       Supported (2-3x speedup)      Not supported
Provable Security        Yes                           No
Multisig Privacy         High (aggregated signature)   Low (independent signatures)
Linearity                Yes                           No
Standardization          Defined by BIP340             SEC1 standard

Future Development

Cross-Input Signature Aggregation

Future potential for cross-input signature aggregation:

  • All inputs in a transaction share a single signature
  • Further reduces transaction size
  • Requires additional protocol design

Threshold Signatures

Schnorr-based threshold signature schemes:

  • FROST (Flexible Round-Optimized Schnorr Threshold)
  • Implements M-of-N multisig without revealing the threshold
  • Improves security for enterprises and DAOs

Privacy Protocols

Schnorr signatures support more advanced privacy techniques:

  • Ring signatures and blind signatures
  • Privacy-preserving payment channels
  • Zero-knowledge proof integration

Summary

BIP340 brought significant technical upgrades to Bitcoin through the introduction of Schnorr signatures:

Core Advantages:

  • Efficiency: Smaller signatures and public keys, faster verification
  • Privacy: Signature aggregation makes complex transactions appear simple
  • Scalability: Reduces block space usage, increases network capacity
  • Security: Provable security with a stronger theoretical foundation
  • Flexibility: Supports advanced multisig and smart contracts

Practical Impact:

  • Lower transaction fees
  • Increased network throughput
  • Enhanced user privacy
  • Support for more complex application scenarios

BIP340, together with BIP341 (Taproot) and BIP342 (Tapscript), forms one of Bitcoin's most important upgrades, laying a solid foundation for Bitcoin's future development. This is not only a technical advancement but also a demonstration of the Bitcoin community's commitment to continuous innovation and protocol improvement while maintaining decentralization and security.