Key Takeaways
Schnorr signatures are a cryptographic scheme that became part of Bitcoin when the Taproot upgrade activated in November 2021.
They improve on the earlier ECDSA algorithm by offering stronger security proofs and a property called linearity, which enables signature aggregation for multisig transactions.
Signature aggregation lets multiple signers combine their signatures into one, reducing transaction size and improving privacy on the Bitcoin network.
MuSig2 (BIP327) is the current standard for Schnorr-based multisignature schemes, using two signing rounds instead of three.
Taproot, which uses Schnorr signatures, also enables technologies like the Lightning Network to benefit from improved privacy and efficiency.
Introduction
Bitcoin enforces ownership rights with cryptographic digital signatures. For most of its history, Bitcoin used the Elliptic Curve Digital Signature Algorithm (ECDSA) for this purpose. ECDSA lets you take a private key and derive a public key from it, with a one-way relationship that makes it easy to prove ownership without revealing the secret.
In November 2021, Bitcoin's Taproot upgrade introduced a second signature scheme: Schnorr signatures. Defined in BIP340, Schnorr signatures bring privacy and scalability improvements that ECDSA cannot easily provide. This article explains how Schnorr signatures work, what makes them useful, and how they interact with other Bitcoin upgrades.
What Are Digital Signatures?
A digital signature proves that a message was created by a specific private key holder, without revealing the private key itself. In Bitcoin, you sign a transaction with your private key to authorize it. Nodes on the network verify the signature using your public key. If the signature doesn't match, the transaction is rejected.
This mechanism is what allows Bitcoin to be trustless. You don't need to trust a bank or intermediary to confirm you own your coins. The cryptographic signature does that job.
Understanding public key cryptography can help you grasp why this works. The key insight is that it's computationally infeasible to reverse the math, you can't derive a private key from a public key, even with significant computing power.
What Are Schnorr Signatures?
Schnorr signatures are a digital signature scheme invented by Claus P. Schnorr in the 1980s. They actually predate ECDSA, but Schnorr's patent on the scheme kept it from being used in open-source projects for years. When Bitcoin launched in 2009, Satoshi Nakamoto chose ECDSA instead, partly because it was already widely standardized and free to use.
The Schnorr patent expired in 2008, shortly before Bitcoin's release. Developers recognized the scheme's advantages early, but integrating it into Bitcoin required careful specification work and broad community agreement. That process eventually led to BIP340, which defined a version of Schnorr signatures tailored for Bitcoin.
Why Are Schnorr Signatures Useful?
Schnorr signatures have two key advantages over ECDSA.
First, they are more provably secure. The security of Schnorr signatures rests on cleaner mathematical assumptions, making them easier to formally verify. ECDSA is considered secure in practice, but its security proof is less straightforward.
Second, Schnorr signatures have a property called linearity. This means you can combine multiple Schnorr signatures mathematically. ECDSA does not support this, which has practical consequences for multisig transactions and privacy.
Signature Aggregation and Multisig
One of the most significant uses of Schnorr's linearity is signature aggregation. In a standard Bitcoin multisig wallet setup, each signer publishes their own public key and signature on-chain. A 3-of-5 multisig transaction, for example, must include three separate signatures and five public keys. This takes up considerable space and reveals the multisig structure to anyone viewing the blockchain.
With Schnorr-based aggregation, participants can combine their individual signatures into a single "aggregate" signature. From the outside, a multisig transaction looks identical to a single-signature transaction. This is a major privacy improvement: observers can't tell how many people authorized the transaction.
Signature aggregation also reduces transaction size, which can lower fees since Bitcoin transaction fees are partly based on data size.
MuSig2 and BIP327
The standard protocol for Schnorr-based multisignature schemes on Bitcoin is MuSig2, specified in BIP327. MuSig2 is an improvement on the original MuSig protocol. The earlier version required three rounds of communication between signers, which was impractical for many use cases. MuSig2 reduces this to two rounds, making it more suitable for real-world multisig setups including hardware wallets.
MuSig2 supports key aggregation: multiple public keys are combined into a single aggregate public key before any signing occurs. When the resulting signature is verified, it's indistinguishable from a regular single-key signature on the blockchain.
Taproot and Schnorr Signatures
Schnorr signatures are the cryptographic foundation of Taproot, the upgrade that activated on Bitcoin at block 709,632 on November 14, 2021. Taproot is actually a bundle of three BIPs: BIP340 (Schnorr signatures), BIP341 (Taproot itself), and BIP342 (Tapscript, the updated scripting language).
Together, these changes allow Bitcoin transactions to become more private and flexible. Taproot enables a technique called MAST (Merklized Abstract Syntax Trees), which lets complex spending conditions, like multisig or time-locked scripts, be hidden unless they're actually used. When Taproot conditions are satisfied by a single key, the transaction looks like any other simple payment.
Taproot was activated via a soft fork, meaning it was backward compatible. Nodes that did not upgrade could still validate the blockchain; they just wouldn't enforce the new Taproot rules. Over time, adoption of Taproot outputs has grown steadily.
Further Applications
Schnorr signatures enable improvements beyond multisig. Technologies that rely on off-chain protocols, such as the Lightning Network, can benefit from Schnorr's properties. The Lightning Network uses payment channels that are opened and closed on-chain, and Schnorr signatures can make those channel transactions more private and efficient.
Schnorr signatures are also a building block for cross-chain atomic swaps. In payment channels and atomic swap constructions, the ability to aggregate signatures or prove knowledge of a secret more efficiently opens up new options for trustless exchange.
These applications are still maturing. Taproot was only activated in late 2021, and many wallets and services are still adding full Taproot and MuSig2 support. The long-term impact on Bitcoin's privacy and scalability is expected to be substantial.
FAQ
Are Schnorr signatures already live on Bitcoin?
Yes. Schnorr signatures were activated as part of the Taproot upgrade at block 709,632 on November 14, 2021. They are available to use today, though not all wallets and services have implemented full support yet.
How are Schnorr signatures different from ECDSA?
Both are digital signature schemes used to authorize Bitcoin transactions. Schnorr signatures are simpler, have cleaner security proofs, and support linearity, which enables signature aggregation. ECDSA does not natively support aggregation. In practice, Schnorr enables more efficient and private multisig transactions.
What is signature aggregation?
Signature aggregation is the ability to combine multiple individual signatures into one. With Schnorr's linearity property, multiple signers in a multisig transaction can produce a single aggregate signature. This signature is the same size as a regular single-user signature, saving block space and hiding the multisig structure from outside observers.
What is MuSig2?
MuSig2 is the current Bitcoin standard (BIP327) for Schnorr-based multisignature schemes. It allows multiple parties to jointly create a single Schnorr signature using two rounds of communication, making it practical for hardware wallets and other setups where interactive signing is acceptable.
Closing Thoughts
Schnorr signatures have moved from a long-discussed proposal to a live part of Bitcoin. The Taproot upgrade made them available in November 2021, and their effects are now playing out gradually as wallets and protocols adopt the new capabilities.
Further Reading
Disclaimer: This content is presented to you on an "as is" basis for general information and or educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal or other professional advice, nor is it intended to recommend the purchase of any specific product or service. You should seek your own advice from appropriate professional advisors. Where the content is contributed by a third party contributor, please note that those views expressed belong to the third party contributor, and do not necessarily reflect those of Binance Academy. Digital asset prices can be volatile. The value of your investment may go down or up and you may not get back the amount invested. You are solely responsible for your investment decisions and Binance Academy is not liable for any losses you may incur. For more information, see our Terms of Use, Risk Warning, and Binance Academy Terms.